fix: use X-Forwarded-Host for hostname when "trust proxy" is set (#68)

silvermine · Jul 1, 2020 · 746e737 · 746e737
1 parent 03f1989
commit 746e737
Show file tree

Hide file tree

Showing 2 changed files with 96 additions and 22 deletions.
diff --git a/src/Request.ts b/src/Request.ts
@@ -507,7 +507,13 @@ export default class Request {
    }
 
    private _parseHostname(): string | undefined {
-      const host = (this.get('host') || '').replace(/:[0-9]*$/, '');
+      let host = (this.get('host') || '');
+
+      if (this.app.isEnabled('trust proxy')) {
+         host = this.get('x-forwarded-host') || host;
+      }
+
+      host = host.replace(/:[0-9]*$/, '');
 
       return _.isEmpty(host) ? undefined : host;
    }

diff --git a/tests/Request.test.ts b/tests/Request.test.ts
@@ -208,31 +208,99 @@ describe('Request', () => {
 
    describe('hostname property', () => {
 
-      it('parses correctly', () => {
-         let evt: RequestEvent = apiGatewayRequest(),
-             req;
+      const testCases = [
+         {
+            host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
+            expectedWithTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
+            expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
+         },
+         {
+            host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443',
+            expectedWithTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
+            expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
+         },
+         {
+            host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
+            xForwardedHost: 'api.example.com',
+            expectedWithTrustProxy: 'api.example.com',
+            expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
+         },
+         {
+            host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443',
+            xForwardedHost: 'api.example.com',
+            expectedWithTrustProxy: 'api.example.com',
+            expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
+         },
+         {
+            host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
+            xForwardedHost: 'api.example.com:433',
+            expectedWithTrustProxy: 'api.example.com',
+            expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
+         },
+         {
+            host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443',
+            xForwardedHost: 'api.example.com:443',
+            expectedWithTrustProxy: 'api.example.com',
+            expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
+         },
+      ];
 
-         evt.headers.Host = 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443';
-         req = new Request(app, evt, handlerContext());
-         expect(req.hostname).to.eql('b5gee6dacf.execute-api.us-east-1.amazonaws.com');
+      it('parses proper values - APIGW', () => {
+         _.each(testCases, (testCase) => {
+            let evt: RequestEvent = apiGatewayRequest(),
+                req;
+
+            evt.headers.Host = testCase.host;
+
+            if (testCase.xForwardedHost) {
+               evt.headers['X-Forwarded-Host'] = testCase.xForwardedHost;
+               evt.multiValueHeaders['X-Forwarded-Host'] = [ testCase.xForwardedHost ];
+            } else {
+               delete evt.headers['X-Forwarded-Host'];
+               delete evt.multiValueHeaders['X-Forwarded-Host'];
+            }
 
-         evt.headers.Host = 'b5gee6dacf.execute-api.us-east-1.amazonaws.com';
-         req = new Request(app, evt, handlerContext());
-         expect(req.hostname).to.eql('b5gee6dacf.execute-api.us-east-1.amazonaws.com');
+            app.enable('trust proxy');
+            req = new Request(app, evt, handlerContext());
+            expect(req.hostname).to.eql(testCase.expectedWithTrustProxy);
 
-         evt = albRequest();
-         if (evt.headers) {
-            evt.headers.host = 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443';
-         }
-         req = new Request(app, evt, handlerContext());
-         expect(req.hostname).to.eql('b5gee6dacf.execute-api.us-east-1.amazonaws.com');
+            app.disable('trust proxy');
+            req = new Request(app, evt, handlerContext());
+            expect(req.hostname).to.eql(testCase.expectedWithoutTrustProxy);
+         });
+      });
 
-         evt = albMultiValHeadersRequest();
-         if (evt.multiValueHeaders) {
-            evt.multiValueHeaders.host = [ 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443' ];
-         }
-         req = new Request(app, evt, handlerContext());
-         expect(req.hostname).to.eql('b5gee6dacf.execute-api.us-east-1.amazonaws.com');
+      it('parses proper values - ALB', () => {
+         _.each(testCases, (testCase) => {
+            let req;
+
+            _.each([ albRequest(), albMultiValHeadersRequest() ], (evt) => {
+               if (evt.headers) {
+                  evt.headers.host = testCase.host;
+                  if (testCase.xForwardedHost) {
+                     evt.headers['X-Forwarded-Host'] = testCase.xForwardedHost;
+                  } else {
+                     delete evt.headers['X-Forwarded-Host'];
+                  }
+               }
+               if (evt.multiValueHeaders) {
+                  evt.multiValueHeaders.host = [ testCase.host ];
+                  if (testCase.xForwardedHost) {
+                     evt.multiValueHeaders['X-Forwarded-Host'] = [ testCase.xForwardedHost ];
+                  } else {
+                     delete evt.multiValueHeaders['X-Forwarded-Host'];
+                  }
+               }
+
+               app.enable('trust proxy');
+               req = new Request(app, evt, handlerContext());
+               expect(req.hostname).to.eql(testCase.expectedWithTrustProxy);
+
+               app.disable('trust proxy');
+               req = new Request(app, evt, handlerContext());
+               expect(req.hostname).to.eql(testCase.expectedWithoutTrustProxy);
+            });
+         });
       });
 
    });