From 70d5898fc742f552588865a52f765083be2c7dad Mon Sep 17 00:00:00 2001
From: Haoliang Gao
Date: Mon, 5 Mar 2018 17:28:37 +0800
Subject: [PATCH] fix: don't allow x-forwarded-host header (#2162)

It's a security issue, x-forwarded-host can be retreived from ctx.host when app.config.proxy is true, and be injected to cookie domain.
---
 config/config.default.js        |  2 +-
 test/app/extend/request.test.js | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/config/config.default.js b/config/config.default.js
index aebff6bc84..40993f4af9 100644
--- a/config/config.default.js
+++ b/config/config.default.js
@@ -72,7 +72,7 @@ module.exports = appInfo => {
      * @default
      * @since 1.0.0
      */
-    hostHeaders: 'x-forwarded-host',
+    hostHeaders: '',
 
     /**
      * package.json
diff --git a/test/app/extend/request.test.js b/test/app/extend/request.test.js
index 0ad60fa03b..a842c6ee62 100644
--- a/test/app/extend/request.test.js
+++ b/test/app/extend/request.test.js
@@ -32,10 +32,12 @@ describe('test/app/extend/request.test.js', () => {
       assert(req.host === '');
     });
 
-    it('should return host from X-Forwarded-Host header', function* () {
+    it('should not allow X-Forwarded-Host header', function* () {
+      mm(app.config, 'proxy', true);
       mm(req.header, 'x-forwarded-host', 'foo.com');
+      mm(req.header, 'host', 'bar.com');
       assert(typeof req.host === 'string');
-      assert(req.host === 'foo.com');
+      assert(req.host === 'bar.com');
     });
 
     it('should return host from Host header when proxy=false', function* () {
@@ -45,6 +47,15 @@ describe('test/app/extend/request.test.js', () => {
       assert(typeof req.host === 'string');
       assert(req.host === 'bar.com');
     });
+
+    it('should custom hostHeaders', function* () {
+      mm(app.config, 'proxy', true);
+      mm(app.config, 'hostHeaders', 'x-forwarded-host');
+      mm(req.header, 'x-forwarded-host', 'foo.com');
+      mm(req.header, 'host', 'bar.com');
+      assert(typeof req.host === 'string');
+      assert(req.host === 'foo.com');
+    });
   });
 
   describe('req.hostname', () => {
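Review bot: The JSDoc directly above the changed line (its `@default` tag is the last context before `hostHeaders: ''`) no longer says what the option means now that the default is empty, and the security reason given in the commit message is not recorded next to the setting where the next operator will read it. I would extend that comment with ` * Comma-separated headers that may override Host when config.proxy is true; empty means only the Host header is used.` followed by ` * Only set it (e.g. 'x-forwarded-host') behind a proxy that overwrites that header, otherwise a client-chosen value reaches ctx.host and anything derived from it, such as cookie domains.` The `@default` tag presumably renders an empty string, so stating "empty" in words avoids an unreadable doc entry. The opening of this doc block and the enclosing config object lie outside the hunk.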
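Review bot: The new test title `should not allow X-Forwarded-Host header` claims more than the test checks: the same file opts the header back in through `hostHeaders` a few lines later, so the header is ignored only by default. Renaming it to `it('should ignore X-Forwarded-Host header by default', function* () {` keeps the title accurate. The test also relies on `app.config.hostHeaders` carrying the shipped default rather than stubbing it explicitly, so if that default is later changed to some other proxy header the title would still read as a blanket guarantee. The `describe` block containing these tests begins before the hunk.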
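Review bot: The existing `should return host from Host header when proxy=false` test, whose assertions form this hunk's leading context, most likely no longer proves the `proxy` gate: with the default `hostHeaders` now `''`, `x-forwarded-host` is ignored whether or not `proxy` is false, so the test passes for the wrong reason. Its `mm` calls fall between the two hunks and are not visible, but assuming it only stubs `proxy` and the two headers, adding `mm(app.config, 'hostHeaders', 'x-forwarded-host');` to it would keep it exercising that `proxy` must be true before any configured header is honoured. The new `should custom hostHeaders` test would then be the positive counterpart of that check.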