Add support for X-Forwarded-For and Forwarded for

Closes gh-23260
spring-projects · Sep 6, 2019 · f166b65 · f166b65
1 parent facdbdb
commit f166b65
Show file tree

Hide file tree

Showing 7 changed files with 299 additions and 8 deletions.
diff --git a/...c/main/java/org/springframework/http/server/reactive/DefaultServerHttpRequestBuilder.java b/...c/main/java/org/springframework/http/server/reactive/DefaultServerHttpRequestBuilder.java
@@ -61,6 +61,9 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
 	@Nullable
 	private SslInfo sslInfo;
 
+	@Nullable
+	private InetSocketAddress remoteAddress;
+
 	private Flux<DataBuffer> body;
 
 	private final ServerHttpRequest originalRequest;
@@ -130,10 +133,17 @@ public ServerHttpRequest.Builder sslInfo(SslInfo sslInfo) {
 		return this;
 	}
 
+	@Override
+	public ServerHttpRequest.Builder remoteAddress(InetSocketAddress remoteAddress) {
+		this.remoteAddress = remoteAddress;
+		return this;
+	}
+
 	@Override
 	public ServerHttpRequest build() {
 		return new MutatedServerHttpRequest(getUriToUse(), this.contextPath, this.httpHeaders,
-				this.httpMethodValue, this.cookies, this.sslInfo, this.body, this.originalRequest);
+				this.httpMethodValue, this.cookies, this.remoteAddress, this.sslInfo, this.body,
+				this.originalRequest);
 	}
 
 	private URI getUriToUse() {
@@ -194,12 +204,13 @@ private static class MutatedServerHttpRequest extends AbstractServerHttpRequest
 
 		public MutatedServerHttpRequest(URI uri, @Nullable String contextPath,
 				HttpHeaders headers, String methodValue, MultiValueMap<String, HttpCookie> cookies,
-				@Nullable SslInfo sslInfo, Flux<DataBuffer> body, ServerHttpRequest originalRequest) {
+				@Nullable InetSocketAddress remoteAddress, @Nullable SslInfo sslInfo, Flux<DataBuffer> body,
+				ServerHttpRequest originalRequest) {
 
 			super(uri, contextPath, headers);
 			this.methodValue = methodValue;
 			this.cookies = cookies;
-			this.remoteAddress = originalRequest.getRemoteAddress();
+			this.remoteAddress = remoteAddress;
 			this.sslInfo = sslInfo != null ? sslInfo : originalRequest.getSslInfo();
 			this.body = body;
 			this.originalRequest = originalRequest;

diff --git a/spring-web/src/main/java/org/springframework/http/server/reactive/ServerHttpRequest.java b/spring-web/src/main/java/org/springframework/http/server/reactive/ServerHttpRequest.java
@@ -166,6 +166,11 @@ interface Builder {
 		 */
 		Builder sslInfo(SslInfo sslInfo);
 
+		/**
+		 * Set the address of the remote client.
+		 */
+		Builder remoteAddress(InetSocketAddress remoteAddress);
+
 		/**
 		 * Build a {@link ServerHttpRequest} decorator with the mutated properties.
 		 */

diff --git a/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java b/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java
@@ -67,7 +67,7 @@
 public class ForwardedHeaderFilter extends OncePerRequestFilter {
 
 	private static final Set<String> FORWARDED_HEADER_NAMES =
-			Collections.newSetFromMap(new LinkedCaseInsensitiveMap<>(6, Locale.ENGLISH));
+			Collections.newSetFromMap(new LinkedCaseInsensitiveMap<>(10, Locale.ENGLISH));
 
 	static {
 		FORWARDED_HEADER_NAMES.add("Forwarded");
@@ -76,6 +76,7 @@ public class ForwardedHeaderFilter extends OncePerRequestFilter {
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Proto");
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Prefix");
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Ssl");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-For");
 	}
 
 
@@ -227,6 +228,14 @@ private static class ForwardedHeaderExtractingRequest extends ForwardedHeaderRem
 
 		private final int port;
 
+		@Nullable
+		private final String remoteHost;
+
+		@Nullable
+		private final String remoteAddr;
+
+		private final int remotePort;
+
 		private final ForwardedPrefixExtractor forwardedPrefixExtractor;
 
 
@@ -242,6 +251,16 @@ private static class ForwardedHeaderExtractingRequest extends ForwardedHeaderRem
 			this.host = uriComponents.getHost();
 			this.port = (port == -1 ? (this.secure ? 443 : 80) : port);
 
+			UriComponents remoteUriComponents = UriComponentsBuilder.newInstance()
+					.host(request.getRemoteHost())
+					.port(request.getRemotePort())
+					.adaptFromForwardedForHeader(httpRequest.getHeaders())
+					.build();
+			this.remoteHost = remoteUriComponents.getHost();
+			this.remoteAddr = ((this.remoteHost != null && !this.remoteHost.equals(request.getRemoteHost())) ?
+					this.remoteHost : request.getRemoteAddr());
+			this.remotePort = remoteUriComponents.getPort();
+
 			String baseUrl = this.scheme + "://" + this.host + (port == -1 ? "" : ":" + port);
 			Supplier<HttpServletRequest> delegateRequest = () -> (HttpServletRequest) getRequest();
 			this.forwardedPrefixExtractor = new ForwardedPrefixExtractor(delegateRequest, pathHelper, baseUrl);
@@ -284,6 +303,23 @@ public String getRequestURI() {
 		public StringBuffer getRequestURL() {
 			return this.forwardedPrefixExtractor.getRequestUrl();
 		}
+
+		@Override
+		@Nullable
+		public String getRemoteHost() {
+			return this.remoteHost;
+		}
+
+		@Override
+		@Nullable
+		public String getRemoteAddr() {
+			return this.remoteAddr;
+		}
+
+		@Override
+		public int getRemotePort() {
+			return remotePort;
+		}
 	}
 
 

diff --git a/...-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java b/...-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java
@@ -16,9 +16,12 @@
 
 package org.springframework.web.server.adapter;
 
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
 import java.net.URI;
 import java.util.Collections;
 import java.util.Locale;
+import java.util.Optional;
 import java.util.Set;
 import java.util.function.Function;
 
@@ -27,6 +30,7 @@
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.lang.Nullable;
 import org.springframework.util.LinkedCaseInsensitiveMap;
+import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
 
 /**
@@ -50,7 +54,7 @@
 public class ForwardedHeaderTransformer implements Function<ServerHttpRequest, ServerHttpRequest> {
 
 	static final Set<String> FORWARDED_HEADER_NAMES =
-			Collections.newSetFromMap(new LinkedCaseInsensitiveMap<>(8, Locale.ENGLISH));
+			Collections.newSetFromMap(new LinkedCaseInsensitiveMap<>(10, Locale.ENGLISH));
 
 	static {
 		FORWARDED_HEADER_NAMES.add("Forwarded");
@@ -59,6 +63,7 @@ public class ForwardedHeaderTransformer implements Function<ServerHttpRequest, S
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Proto");
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Prefix");
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Ssl");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-For");
 	}
 
 
@@ -99,6 +104,21 @@ public ServerHttpRequest apply(ServerHttpRequest request) {
 					builder.path(prefix + uri.getRawPath());
 					builder.contextPath(prefix);
 				}
+				Optional<InetSocketAddress> remoteAddressO = Optional.ofNullable(request.getRemoteAddress());
+				String originalRemoteHost = remoteAddressO.map(InetSocketAddress::getHostName).orElse(null);
+				UriComponents remoteUriComponents = UriComponentsBuilder.newInstance()
+						.host(originalRemoteHost)
+						.port(remoteAddressO.map(InetSocketAddress::getPort).orElse(-1))
+						.adaptFromForwardedForHeader(request.getHeaders())
+						.build();
+				String remoteHost = remoteUriComponents.getHost();
+				int remotePort = (remoteUriComponents.getPort() != -1 ? remoteUriComponents.getPort() : 0);
+				if (remoteHost != null && !remoteHost.equals(originalRemoteHost)) {
+					builder.remoteAddress(InetSocketAddress.createUnresolved(remoteHost, remotePort));
+				}
+				else {
+					remoteAddressO.ifPresent(builder::remoteAddress);
+				}
 			}
 			removeForwardedHeaders(builder);
 			request = builder.build();

diff --git a/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java b/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
@@ -97,9 +97,13 @@ public class UriComponentsBuilder implements UriBuilder, Cloneable {
 			"^" + HTTP_PATTERN + "(//(" + USERINFO_PATTERN + "@)?" + HOST_PATTERN + "(:" + PORT_PATTERN + ")?" + ")?" +
 					PATH_PATTERN + "(\\?" + LAST_PATTERN + ")?");
 
-	private static final Pattern FORWARDED_HOST_PATTERN = Pattern.compile("host=\"?([^;,\"]+)\"?");
+	private static final Pattern FORWARDED_HOST_PATTERN = Pattern.compile("(?i:host)=\"?([^;,\"]+)\"?");
 
-	private static final Pattern FORWARDED_PROTO_PATTERN = Pattern.compile("proto=\"?([^;,\"]+)\"?");
+	private static final Pattern FORWARDED_PROTO_PATTERN = Pattern.compile("(?i:proto)=\"?([^;,\"]+)\"?");
+
+	private static final Pattern FORWARDED_FOR_PATTERN = Pattern.compile("(?i:for)=\"?([^;,\"]+)\"?");
+
+	private static final String FORWARDED_FOR_NUMERIC_PORT_PATTERN = "^(\\d{1,5})$";
 
 	private static final Object[] EMPTY_VALUES = new Object[0];
 
@@ -832,6 +836,33 @@ public UriComponentsBuilder uriVariables(Map<String, Object> uriVariables) {
 		return this;
 	}
 
+	/**
+	 * Adapt this builders's host+port from the "for" parameter of the "Forwarded"
+	 * header or from "X-Forwarded-For" if "Forwarded" is not found. If neither
+	 * "Forwarded" nor "X-Forwarded-For" is found no changes are made to the
+	 * builder.
+	 * @param headers the HTTP headers to consider
+	 * @return this UriComponentsBuilder
+	 */
+	public UriComponentsBuilder adaptFromForwardedForHeader(HttpHeaders headers) {
+		String forwardedHeader = headers.getFirst("Forwarded");
+		if (StringUtils.hasText(forwardedHeader)) {
+			String forwardedToUse = StringUtils.tokenizeToStringArray(forwardedHeader, ",")[0];
+			Matcher matcher = FORWARDED_FOR_PATTERN.matcher(forwardedToUse);
+			if (matcher.find()) {
+				adaptForwardedForHost(matcher.group(1).trim());
+			}
+		}
+		else {
+			String forHeader = headers.getFirst("X-Forwarded-For");
+			if (StringUtils.hasText(forHeader)) {
+				String forwardedForToUse = StringUtils.tokenizeToStringArray(forHeader, ",")[0];
+				host(forwardedForToUse);
+			}
+		}
+		return this;
+	}
+
 	/**
 	 * Adapt this builder's scheme+host+port from the given headers, specifically
 	 * "Forwarded" (<a href="https://tools.ietf.org/html/rfc7239">RFC 7239</a>,
@@ -918,6 +949,24 @@ private void adaptForwardedHost(String hostToUse) {
 		}
 	}
 
+	private void adaptForwardedForHost(String hostToUse) {
+		String hostName = hostToUse;
+		int portSeparatorIdx = hostToUse.lastIndexOf(':');
+		if (portSeparatorIdx > hostToUse.lastIndexOf(']')) {
+			String hostPort = hostToUse.substring(portSeparatorIdx + 1);
+			// check if port is not obfuscated
+			if (hostPort.matches(FORWARDED_FOR_NUMERIC_PORT_PATTERN)) {
+				port(Integer.parseInt(hostPort));
+			}
+			hostName = hostToUse.substring(0, portSeparatorIdx);
+		}
+		if (hostName.matches(HOST_IPV6_PATTERN)) {
+			host(hostName.substring(hostName.indexOf('[') + 1, hostName.indexOf(']')));
+		} else {
+			host(hostName);
+		}
+	}
+
 	private void resetHierarchicalComponents() {
 		this.userInfo = null;
 		this.host = null;