fix: The client IP address may be determined incorrectly in some cases; this fixes a security vulnerability in which the Parse Server option masterKeyIps may be circumvented, see [GHSA-vm5r-c87r-pf6x](https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x) (#8372)

BREAKING CHANGE: The mechanism to determine the client IP address has been rewritten; to correctly determine the IP address it is now required to set the Parse Server option `trustProxy` accordingly if Parse Server runs behind a proxy server, see the express framework's [trust proxy](https://expressjs.com/en/guide/behind-proxies.html) setting (#8372)
2023-01-05 14:26:54 +01:00
parent b7815ed80a
commit 892040dc2f
7 changed files with 19 additions and 125 deletions
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -288,22 +288,7 @@ export function handleParseHeaders(req, res, next) {
 }

 function getClientIp(req) {
-  if (req.headers['x-forwarded-for']) {
-    // try to get from x-forwared-for if it set (behind reverse proxy)
-    return req.headers['x-forwarded-for'].split(',')[0];
-  } else if (req.connection && req.connection.remoteAddress) {
-    // no proxy, try getting from connection.remoteAddress
-    return req.connection.remoteAddress;
-  } else if (req.socket) {
-    // try to get it from req.socket
-    return req.socket.remoteAddress;
-  } else if (req.connection && req.connection.socket) {
-    // try to get it form the connection.socket
-    return req.connection.socket.remoteAddress;
-  } else {
-    // if non above, fallback.
-    return req.ip;
-  }
+  return req.ip;
 }

 function httpAuth(req) {