chuan/CLIProxyAPI
1
0
Fork 0
mirror of https://github.com/router-for-me/CLIProxyAPI.git synced 2026-02-03 04:50:52 +08:00
Code Issues Packages Projects Releases Wiki Activity

security: fix localhost middleware header spoofing vulnerability

Browse Source 
Fix critical security vulnerability in amp-restrict-management-to-localhost
feature where attackers could bypass localhost restriction by spoofing
X-Forwarded-For headers.

Changes:
- Use RemoteAddr (actual TCP connection) instead of ClientIP() in
  localhostOnlyMiddleware to prevent header spoofing attacks
- Add comprehensive test coverage for spoofing prevention (6 test cases)
- Update documentation with reverse proxy deployment guidance and
  limitations of the RemoteAddr approach

The fix prevents attacks like:
  curl -H "X-Forwarded-For: 127.0.0.1" https://server/api/user

Trade-off: Users behind reverse proxies will need to disable the feature
and use alternative security measures (firewall rules, proxy ACLs).

Addresses security review feedback from PR #287.
This commit is contained in:
Ben Vargas
2025-11-19 22:09:04 -07:00
parent 70ee4e0aa0
commit a6cb16bb48
3 changed files with 129 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
internal/api/modules/amp/routes.go
View File

@@ -16,14 +16,28 @@ import (
// localhostOnlyMiddleware restricts access to localhost (127.0.0.1, ::1) only.
// Returns 403 Forbidden for non-localhost clients.
//
// Security: Uses RemoteAddr (actual TCP connection) instead of ClientIP() to prevent
// header spoofing attacks via X-Forwarded-For or similar headers. This means the
// middleware will not work correctly behind reverse proxies - users deploying behind
// nginx/Cloudflare should disable this feature and use firewall rules instead.
func localhostOnlyMiddleware() gin.HandlerFunc {
return func(c *gin.Context) {
clientIP := c.ClientIP()
// Use actual TCP connection address (RemoteAddr) to prevent header spoofing
// This cannot be forged by X-Forwarded-For or other client-controlled headers
remoteAddr := c.Request.RemoteAddr
// RemoteAddr format is "IP:port" or "[IPv6]:port", extract just the IP
host, _, err := net.SplitHostPort(remoteAddr)
if err != nil {
// Try parsing as raw IP (shouldn't happen with standard HTTP, but be defensive)
host = remoteAddr
}
// Parse the IP to handle both IPv4 and IPv6
ip := net.ParseIP(clientIP)
ip := net.ParseIP(host)
if ip == nil {
log.Warnf("Amp management: invalid client IP %s, denying access", clientIP)
log.Warnf("Amp management: invalid RemoteAddr %s, denying access", remoteAddr)
c.AbortWithStatusJSON(403, gin.H{
"error": "Access denied: management routes restricted to localhost",
})
@@ -32,7 +46,7 @@ func localhostOnlyMiddleware() gin.HandlerFunc {
// Check if IP is loopback (127.0.0.1 or ::1)
if !ip.IsLoopback() {
log.Warnf("Amp management: non-localhost IP %s attempted access, denying", clientIP)
log.Warnf("Amp management: non-localhost connection from %s attempted access, denying", remoteAddr)
c.AbortWithStatusJSON(403, gin.H{
"error": "Access denied: management routes restricted to localhost",
})