Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: don't include port twice from x-forwarded-host and x-forwarded-port headers #10917

Merged
merged 5 commits into from
May 3, 2024
Merged

fix: don't include port twice from x-forwarded-host and x-forwarded-port headers #10917

merged 5 commits into from
May 3, 2024

Conversation

jakobhellermann
Copy link
Contributor

@jakobhellermann jakobhellermann commented Apr 30, 2024
edited
Loading

fixes #10916

Changes

  • Fix internal server error when bot X-Forwarded-Host: hostname:8080 and X-Forwarded-Port: 8080 are set

Testing

add another test next to the existing URL tests for X-Forwarded-*

Docs

The docs shouldn't need to be changed since this is just a bugfix and now works as expected.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Apr 30, 2024
edited
Loading

🦋 Changeset detected

Latest commit: a6ebe3c

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions github-actions bot added the pkg: astro Related to the core `astro` package (scope) label Apr 30, 2024
jakobhellermann
jakobhellermann commented Apr 30, 2024
View reviewed changes
packages/astro/src/core/app/node.ts Outdated
@@ -66,7 +66,11 @@ export class NodeApp extends App {
const hostname =
req.headers['x-forwarded-host'] ?? req.headers.host ?? req.headers[':authority'];
const port = req.headers['x-forwarded-port'];
const url = `${protocol}://${hostname}${port ? `:${port}` : ''}${req.url}`;

const portInHostname = typeof hostname === "string" && typeof port === "string" && hostname.endsWith(port);
Copy link
Contributor Author

@jakobhellermann jakobhellermann Apr 30, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The typeof checks here are a bit ugly but necessary because the types here for hostname and port are string | string[] | undefined.

I'm assuming string[] happens when passing a header multiple times? The code as written before doesn't support that and instead templates an URl like https://hostname1,hostname2:port1,port2. I don't know what behavior would be correct here, respecting only the last sent header?

@github-actions github-actions bot added the pkg: integration Related to any renderer integration (scope) label Apr 30, 2024
@jakobhellermann
Copy link
Contributor Author

The code still fails with a 500 for

curl localhost:4321 -H X-Forwarded-Host: hostname:1111 -H X-Forwarded-Port: 9999

Maybe that's fine? It's obviously malformed.

matthewp
matthewp approved these changes Apr 30, 2024
View reviewed changes
Copy link
Contributor

@matthewp matthewp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great, thanks!

@matthewp
Copy link
Contributor

Looks like this does break some tests 🤔

davidborzek
davidborzek reviewed Apr 30, 2024
View reviewed changes
packages/astro/src/core/app/node.ts Outdated
const url = `${protocol}://${hostname}${port ? `:${port}` : ''}${req.url}`;

const portInHostname = typeof hostname === "string" && typeof port === "string" && hostname.endsWith(port);
const hostnamePort = portInHostname ? hostname : `${hostname}:${port}`;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be const hostnamePort = portInHostname ? hostname : `${hostname}${port ? `:${port}` : ''}` because port can still be undefined.

@jakobhellermann
Copy link
Contributor Author

Tests are fixed now

@jakobhellermann @florian-lefebvre
Update .changeset/forty-wolves-turn.md
a6ebe3c 
Co-authored-by: Florian Lefebvre <contact@florian-lefebvre.dev>
@matthewp matthewp merged commit 3412535 into withastro:main May 3, 2024
13 checks passed
@astrobot-houston astrobot-houston mentioned this pull request May 3, 2024
Merged
@jakobhellermann jakobhellermann deleted the fix-double-port branch May 10, 2024 14:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidborzek davidborzek davidborzek left review comments

@matthewp matthewp matthewp approved these changes

@florian-lefebvre florian-lefebvre florian-lefebvre approved these changes

Assignees
No one assigned
Labels
pkg: astro Related to the core `astro` package (scope) pkg: integration Related to any renderer integration (scope)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Node SSR breaks when X-Forwarded-Host includes port and X-Forwarded-Port is also sent
4 participants
@jakobhellermann @matthewp @davidborzek @florian-lefebvre