From 5aadd36631a1839cc54d33ad2d6603c128479428 Mon Sep 17 00:00:00 2001
From: williamlardier
Date: Thu, 26 Dec 2024 13:56:08 +0100
Subject: [PATCH] Do not trust the x forwarded for header if not from a trusted proxy

Issue: ARSN-453
---
 lib/policyEvaluator/requestUtils.ts | 2 +-
 tests/unit/policyEvaluator/requestUtils.spec.js | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/policyEvaluator/requestUtils.ts b/lib/policyEvaluator/requestUtils.ts
index 5f3c414d1..539b198d2 100644
--- a/lib/policyEvaluator/requestUtils.ts
+++ b/lib/policyEvaluator/requestUtils.ts
@@ -21,7 +21,7 @@ export function getClientIp(request: IncomingMessage, s3config?: S3Config): stri
 const requestConfig = s3config?.requests;
 const remoteAddress = request.socket.remoteAddress;
 // TODO What to do if clientIp === undefined ?
- const clientIp = (requestConfig ? remoteAddress : request.headers['x-forwarded-for'] || remoteAddress)?.toString() ?? '';
+ const clientIp = remoteAddress?.toString() ?? '';
 if (requestConfig) {
 const { trustedProxyCIDRs, extractClientIPFromHeader } = requestConfig;
 /**
diff --git a/tests/unit/policyEvaluator/requestUtils.spec.js b/tests/unit/policyEvaluator/requestUtils.spec.js
index 7572d388a..ffa77df99 100644
--- a/tests/unit/policyEvaluator/requestUtils.spec.js
+++ b/tests/unit/policyEvaluator/requestUtils.spec.js
@@ -77,8 +77,8 @@ describe('requestUtils.getClientIp', () => {
 assert.strictEqual(result, testClientIp2);
 });
- it('should return client Ip address from header if the request comes via proxies and ' +
- 'no request config is available', () => {
+ it('should not return client Ip address from header if the request comes via proxies and ' +
+ 'no request config is available as the proxy is not trusted', () => {
 const request = new DummyRequest({
 headers: {
 'x-forwarded-for': testClientIp1,
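Review bot: The stale `// TODO What to do if clientIp === undefined ?` comment is now the only text above the new `clientIp` line and it says nothing about the trust decision this commit makes; that line deserves a why-comment such as `// Start from the socket peer only: X-Forwarded-For is client-controlled and is consulted below solely when the peer falls inside trustedProxyCIDRs.` The case the TODO asks about is also still open: when `request.socket.remoteAddress` is undefined the new line yields `''`, and with no `requests` config nothing in this hunk rejects that value, so callers presumably end up comparing an empty string against IP conditions — worth deciding explicitly (return early, or document that `''` means "no client IP"). getClientIp's signature is only in the hunk header and its body continues past the hunk, so whether the `if (requestConfig)` branch handles the empty string cannot be seen here.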
@@ -90,7 +90,7 @@ describe('requestUtils.getClientIp', () => {
 },
 });
 const result = requestUtils.getClientIp(request, configWithoutProxy);
- assert.strictEqual(result, testClientIp1);
+ assert.strictEqual(result, testProxyIp);
 });
 it('should return client Ip address from socket info if the request comes via proxies and ' +
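Review bot: The updated assertion pins that `configWithoutProxy` ignores `x-forwarded-for` and returns the socket address, but neither visible hunk covers a request whose `socket.remoteAddress` is undefined, which is exactly the condition the implementation's TODO leaves open. A sibling `it` that builds a `DummyRequest` with the header set and no socket address, and asserts what `getClientIp` must return (presumably `''` under the current code), would lock in the secure default rather than leave it incidental; whether `DummyRequest` allows the socket address to be omitted cannot be seen from this hunk. The enclosing `describe` block starts before and ends after this hunk.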