Do not trust the x forwarded for header if not from a trusted proxy

Issue: ARSN-453

lib/policyEvaluator/requestUtils.ts

@@ -21,7 +21,7 @@ export function getClientIp(request: IncomingMessage, s3config?: S3Config): stri
     const requestConfig = s3config?.requests;
     const remoteAddress = request.socket.remoteAddress;
     // TODO What to do if clientIp === undefined ?
-    const clientIp = (requestConfig ? remoteAddress : request.headers['x-forwarded-for'] || remoteAddress)?.toString() ?? '';
+    const clientIp = remoteAddress?.toString() ?? '';
     if (requestConfig) {
         const { trustedProxyCIDRs, extractClientIPFromHeader } = requestConfig;
         /**

tests/unit/policyEvaluator/requestUtils.spec.js

@@ -77,8 +77,8 @@ describe('requestUtils.getClientIp', () => {
         assert.strictEqual(result, testClientIp2);
     });
 
-    it('should return client Ip address from header if the request comes via proxies and ' +
-        'no request config is available', () => {
+    it('should not return client Ip address from header if the request comes via proxies and ' +
+        'no request config is available as the proxy is not trusted', () => {
         const request = new DummyRequest({
             headers: {
                 'x-forwarded-for': testClientIp1,
@@ -90,7 +90,7 @@ describe('requestUtils.getClientIp', () => {
             },
         });
         const result = requestUtils.getClientIp(request, configWithoutProxy);
-        assert.strictEqual(result, testClientIp1);
+        assert.strictEqual(result, testProxyIp);
     });
 
     it('should return client Ip address from socket info if the request comes via proxies and ' +