Add support for X-Forwarded-For and Forwarded for

See gh-23260, gh-23582

Author: Kirill Serebrennikov

spring-web/src/main/java/org/springframework/http/server/reactive/DefaultServerHttpRequestBuilder.java

@@ -57,6 +57,9 @@ class DefaultServerHttpRequestBuilder implements ServerHttpRequest.Builder {
 	@Nullable
 	private SslInfo sslInfo;
 
+	@Nullable
+	private InetSocketAddress remoteAddress;
+
 	private Flux<DataBuffer> body;
 
 	private final ServerHttpRequest originalRequest;
@@ -68,6 +71,7 @@ public DefaultServerHttpRequestBuilder(ServerHttpRequest original) {
 		this.uri = original.getURI();
 		this.headers = HttpHeaders.writableHttpHeaders(original.getHeaders());
 		this.httpMethodValue = original.getMethodValue();
+		this.remoteAddress = original.getRemoteAddress();
 		this.body = original.getBody();
 		this.originalRequest = original;
 	}
@@ -117,10 +121,16 @@ public ServerHttpRequest.Builder sslInfo(SslInfo sslInfo) {
 		return this;
 	}
 
+	@Override
+	public ServerHttpRequest.Builder remoteAddress(InetSocketAddress remoteAddress) {
+		this.remoteAddress = remoteAddress;
+		return this;
+	}
+
 	@Override
 	public ServerHttpRequest build() {
 		return new MutatedServerHttpRequest(getUriToUse(), this.contextPath,
-				this.httpMethodValue, this.sslInfo, this.body, this.originalRequest);
+				this.httpMethodValue, this.sslInfo, this.remoteAddress, this.body, this.originalRequest);
 	}
 
 	private URI getUriToUse() {
@@ -169,18 +179,22 @@ private static class MutatedServerHttpRequest extends AbstractServerHttpRequest
 		@Nullable
 		private final SslInfo sslInfo;
 
+		@Nullable
+		private InetSocketAddress remoteAddress;
+
 		private final Flux<DataBuffer> body;
 
 		private final ServerHttpRequest originalRequest;
 
 
 		public MutatedServerHttpRequest(URI uri, @Nullable String contextPath,
-				String methodValue, @Nullable SslInfo sslInfo,
+				String methodValue, @Nullable SslInfo sslInfo, @Nullable InetSocketAddress remoteAddress,
 				Flux<DataBuffer> body, ServerHttpRequest originalRequest) {
 
 			super(uri, contextPath, originalRequest.getHeaders());
 			this.methodValue = methodValue;
-			this.sslInfo = sslInfo != null ? sslInfo : originalRequest.getSslInfo();
+			this.remoteAddress = (remoteAddress != null ? remoteAddress : originalRequest.getRemoteAddress());
+			this.sslInfo = (sslInfo != null ? sslInfo : originalRequest.getSslInfo());
 			this.body = body;
 			this.originalRequest = originalRequest;
 		}
@@ -204,7 +218,7 @@ public InetSocketAddress getLocalAddress() {
 		@Override
 		@Nullable
 		public InetSocketAddress getRemoteAddress() {
-			return this.originalRequest.getRemoteAddress();
+			return this.remoteAddress;
 		}
 
 		@Override

spring-web/src/main/java/org/springframework/http/server/reactive/ServerHttpRequest.java

@@ -175,6 +175,12 @@ interface Builder {
 		 */
 		Builder sslInfo(SslInfo sslInfo);
 
+		/**
+		 * Set the address of the remote client.
+		 * @since 5.3
+		 */
+		Builder remoteAddress(InetSocketAddress remoteAddress);
+
 		/**
 		 * Build a {@link ServerHttpRequest} decorator with the mutated properties.
 		 */

spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java

@@ -24,6 +24,7 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.function.Supplier;
+import java.util.regex.Pattern;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@@ -32,6 +33,7 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpServletResponseWrapper;
 
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpRequest;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.server.ServletServerHttpRequest;
@@ -67,7 +69,7 @@
 public class ForwardedHeaderFilter extends OncePerRequestFilter {
 
 	private static final Set<String> FORWARDED_HEADER_NAMES =
-			Collections.newSetFromMap(new LinkedCaseInsensitiveMap<>(6, Locale.ENGLISH));
+			Collections.newSetFromMap(new LinkedCaseInsensitiveMap<>(10, Locale.ENGLISH));
 
 	static {
 		FORWARDED_HEADER_NAMES.add("Forwarded");
@@ -76,6 +78,7 @@ public class ForwardedHeaderFilter extends OncePerRequestFilter {
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Proto");
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Prefix");
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Ssl");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-For");
 	}
 
 
@@ -217,6 +220,10 @@ public Enumeration<String> getHeaderNames() {
 	 */
 	private static class ForwardedHeaderExtractingRequest extends ForwardedHeaderRemovingRequest {
 
+		private static final String X_FORWARDED_FOR_HEADER = "X-Forwarded-For";
+		private static final String FORWARDED_HEADER = "Forwarded";
+		private static final Pattern FORWARDED_FOR_PATTERN = Pattern.compile("(?i:^[^,]*for=.+)");
+
 		@Nullable
 		private final String scheme;
 
@@ -227,6 +234,14 @@ private static class ForwardedHeaderExtractingRequest extends ForwardedHeaderRem
 
 		private final int port;
 
+		@Nullable
+		private final String remoteHost;
+
+		@Nullable
+		private final String remoteAddr;
+
+		private final int remotePort;
+
 		private final ForwardedPrefixExtractor forwardedPrefixExtractor;
 
 
@@ -242,6 +257,25 @@ private static class ForwardedHeaderExtractingRequest extends ForwardedHeaderRem
 			this.host = uriComponents.getHost();
 			this.port = (port == -1 ? (this.secure ? 443 : 80) : port);
 
+			HttpHeaders headers = httpRequest.getHeaders();
+			boolean hasForwardedFor = StringUtils.hasText(headers.getFirst(X_FORWARDED_FOR_HEADER)) ||
+					(StringUtils.hasText(headers.getFirst(FORWARDED_HEADER)) &&
+						FORWARDED_FOR_PATTERN.matcher(headers.getFirst(FORWARDED_HEADER)).matches());
+			if (hasForwardedFor) {
+				UriComponents remoteUriComponents = UriComponentsBuilder.newInstance()
+						.host(request.getRemoteHost())
+						.port(request.getRemotePort())
+						.adaptFromForwardedForHeader(headers)
+						.build();
+				this.remoteHost = remoteUriComponents.getHost();
+				this.remoteAddr = this.remoteHost;
+				this.remotePort = remoteUriComponents.getPort();
+			} else {
+				this.remoteHost = request.getRemoteHost();
+				this.remoteAddr = request.getRemoteAddr();
+				this.remotePort = request.getRemotePort();
+			}
+
 			String baseUrl = this.scheme + "://" + this.host + (port == -1 ? "" : ":" + port);
 			Supplier<HttpServletRequest> delegateRequest = () -> (HttpServletRequest) getRequest();
 			this.forwardedPrefixExtractor = new ForwardedPrefixExtractor(delegateRequest, pathHelper, baseUrl);
@@ -284,6 +318,23 @@ public String getRequestURI() {
 		public StringBuffer getRequestURL() {
 			return this.forwardedPrefixExtractor.getRequestUrl();
 		}
+
+		@Override
+		@Nullable
+		public String getRemoteHost() {
+			return this.remoteHost;
+		}
+
+		@Override
+		@Nullable
+		public String getRemoteAddr() {
+			return this.remoteAddr;
+		}
+
+		@Override
+		public int getRemotePort() {
+			return remotePort;
+		}
 	}
 
 

spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java

@@ -16,18 +16,21 @@
 
 package org.springframework.web.server.adapter;
 
+import java.net.InetSocketAddress;
 import java.net.URI;
 import java.util.Collections;
 import java.util.Locale;
 import java.util.Set;
 import java.util.function.Function;
+import java.util.regex.Pattern;
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.lang.Nullable;
 import org.springframework.util.LinkedCaseInsensitiveMap;
 import org.springframework.util.StringUtils;
+import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
 
 /**
@@ -50,8 +53,11 @@
  */
 public class ForwardedHeaderTransformer implements Function<ServerHttpRequest, ServerHttpRequest> {
 
+	private static final String X_FORWARDED_FOR_HEADER = "X-Forwarded-For";
+	private static final String FORWARDED_HEADER = "Forwarded";
+	private static final Pattern FORWARDED_FOR_PATTERN = Pattern.compile("(?i:^[^,]*for=.+)");
 	static final Set<String> FORWARDED_HEADER_NAMES =
-			Collections.newSetFromMap(new LinkedCaseInsensitiveMap<>(8, Locale.ENGLISH));
+			Collections.newSetFromMap(new LinkedCaseInsensitiveMap<>(10, Locale.ENGLISH));
 
 	static {
 		FORWARDED_HEADER_NAMES.add("Forwarded");
@@ -60,6 +66,7 @@ public class ForwardedHeaderTransformer implements Function<ServerHttpRequest, S
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Proto");
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Prefix");
 		FORWARDED_HEADER_NAMES.add("X-Forwarded-Ssl");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-For");
 	}
 
 
@@ -100,6 +107,27 @@ public ServerHttpRequest apply(ServerHttpRequest request) {
 					builder.path(prefix + uri.getRawPath());
 					builder.contextPath(prefix);
 				}
+				InetSocketAddress remoteAddress = request.getRemoteAddress();
+				HttpHeaders headers = request.getHeaders();
+				boolean hasForwardedFor = StringUtils.hasText(headers.getFirst(X_FORWARDED_FOR_HEADER)) ||
+						(StringUtils.hasText(headers.getFirst(FORWARDED_HEADER)) &&
+								FORWARDED_FOR_PATTERN.matcher(headers.getFirst(FORWARDED_HEADER)).matches());
+				if (hasForwardedFor) {
+					String originalRemoteHost = ((remoteAddress != null) ? remoteAddress.getHostName() : null);
+					int originalRemotePort = ((remoteAddress != null) ? remoteAddress.getPort() : -1);
+					UriComponents remoteUriComponents = UriComponentsBuilder.newInstance()
+							.host(originalRemoteHost)
+							.port(originalRemotePort)
+							.adaptFromForwardedForHeader(headers)
+							.build();
+					String remoteHost = remoteUriComponents.getHost();
+					int remotePort = (remoteUriComponents.getPort() != -1 ? remoteUriComponents.getPort() : 0);
+					if (remoteHost != null) {
+						builder.remoteAddress(InetSocketAddress.createUnresolved(remoteHost, remotePort));
+					}
+				} else {
+					builder.remoteAddress(remoteAddress);
+				}
 			}
 			removeForwardedHeaders(builder);
 			request = builder.build();

spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java

@@ -97,9 +97,13 @@ public class UriComponentsBuilder implements UriBuilder, Cloneable {
 			"^" + HTTP_PATTERN + "(//(" + USERINFO_PATTERN + "@)?" + HOST_PATTERN + "(:" + PORT_PATTERN + ")?" + ")?" +
 					PATH_PATTERN + "(\\?" + LAST_PATTERN + ")?");
 
-	private static final Pattern FORWARDED_HOST_PATTERN = Pattern.compile("host=\"?([^;,\"]+)\"?");
+	private static final Pattern FORWARDED_HOST_PATTERN = Pattern.compile("(?i:host)=\"?([^;,\"]+)\"?");
 
-	private static final Pattern FORWARDED_PROTO_PATTERN = Pattern.compile("proto=\"?([^;,\"]+)\"?");
+	private static final Pattern FORWARDED_PROTO_PATTERN = Pattern.compile("(?i:proto)=\"?([^;,\"]+)\"?");
+
+	private static final Pattern FORWARDED_FOR_PATTERN = Pattern.compile("(?i:for)=\"?([^;,\"]+)\"?");
+
+	private static final String FORWARDED_FOR_NUMERIC_PORT_PATTERN = "^(\\d{1,5})$";
 
 	private static final Object[] EMPTY_VALUES = new Object[0];
 
@@ -723,6 +727,33 @@ public UriComponentsBuilder uriVariables(Map<String, Object> uriVariables) {
 		return this;
 	}
 
+	/**
+	 * Adapt this builders's host+port from the "for" parameter of the "Forwarded"
+	 * header or from "X-Forwarded-For" if "Forwarded" is not found. If neither
+	 * "Forwarded" nor "X-Forwarded-For" is found no changes are made to the
+	 * builder.
+	 * @param headers the HTTP headers to consider
+	 * @return this UriComponentsBuilder
+	 */
+	public UriComponentsBuilder adaptFromForwardedForHeader(HttpHeaders headers) {
+		String forwardedHeader = headers.getFirst("Forwarded");
+		if (StringUtils.hasText(forwardedHeader)) {
+			String forwardedToUse = StringUtils.tokenizeToStringArray(forwardedHeader, ",")[0];
+			Matcher matcher = FORWARDED_FOR_PATTERN.matcher(forwardedToUse);
+			if (matcher.find()) {
+				adaptForwardedForHost(matcher.group(1).trim());
+			}
+		}
+		else {
+			String forHeader = headers.getFirst("X-Forwarded-For");
+			if (StringUtils.hasText(forHeader)) {
+				String forwardedForToUse = StringUtils.tokenizeToStringArray(forHeader, ",")[0];
+				host(forwardedForToUse);
+			}
+		}
+		return this;
+	}
+
 	/**
 	 * Adapt this builder's scheme+host+port from the given headers, specifically
 	 * "Forwarded" (<a href="https://tools.ietf.org/html/rfc7239">RFC 7239</a>,
@@ -809,6 +840,24 @@ private void adaptForwardedHost(String hostToUse) {
 		}
 	}
 
+	private void adaptForwardedForHost(String hostToUse) {
+		String hostName = hostToUse;
+		int portSeparatorIdx = hostToUse.lastIndexOf(':');
+		if (portSeparatorIdx > hostToUse.lastIndexOf(']')) {
+			String hostPort = hostToUse.substring(portSeparatorIdx + 1);
+			// check if port is not obfuscated
+			if (hostPort.matches(FORWARDED_FOR_NUMERIC_PORT_PATTERN)) {
+				port(Integer.parseInt(hostPort));
+			}
+			hostName = hostToUse.substring(0, portSeparatorIdx);
+		}
+		if (hostName.matches(HOST_IPV6_PATTERN)) {
+			host(hostName.substring(hostName.indexOf('[') + 1, hostName.indexOf(']')));
+		} else {
+			host(hostName);
+		}
+	}
+
 	private void resetHierarchicalComponents() {
 		this.userInfo = null;
 		this.host = null;