Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug]: X-Forwarded-For and X-Real-IP are not respected #6739

Open
1 task done
checkraisefold opened this issue Mar 10, 2025 · 3 comments
Open
1 task done

[bug]: X-Forwarded-For and X-Real-IP are not respected #6739

checkraisefold opened this issue Mar 10, 2025 · 3 comments
Assignees
@akshat5302
Labels
🐛bug Something isn't working

Comments

@checkraisefold
Copy link

checkraisefold commented Mar 10, 2025
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

Currently, existing code fetches the client IP with REMOTE_ADDR from the request metadata. This is incorrect behind a reverse proxy.

Code exists to use X-Forwarded-For, but it is entirely unused.

plane/apiserver/plane/utils/ip_address.py

Lines 1 to 7 in 9ee1d8c

def get_client_ip(request):
x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")
if x_forwarded_for:
ip = x_forwarded_for.split(",")[0]
else:
ip = request.META.get("REMOTE_ADDR")
return ip

Steps to reproduce

  1. Log in on a correctly configured reverse proxied Plane instance
  2. Check last_login_ip; it will not match the sent X-Forwarded-For header

Environment

Production

Browser

Mozilla Firefox

Variant

Self-hosted

Version

v0.25.1
@checkraisefold checkraisefold added the 🐛bug Something isn't working label Mar 10, 2025
@pushya22 pushya22 assigned akshat5302 and unassigned vihar and pushya22 Mar 10, 2025
@janreges
Copy link
Contributor

@checkraisefold, @pushya22, @vihar, @akshat5302 - gyus be careful, this looks like a security risk.

A header like X-Forwarded-For should only be taken into account if the request comes over the network from the allowed so-called "trusted proxies" IP ranges. But I don't see any work and configuration of such allowed IP ranges in this code. In that case, anyone could substitute any other IP address with the header and thus bypass some protections or other functionalities tied to the IP address.

@checkraisefold
Copy link
Author

@checkraisefold, @pushya22, @vihar, @akshat5302 - gyus be careful, this looks like a security risk.

A header like X-Forwarded-For should only be taken into account if the request comes over the network from the allowed so-called "trusted proxies" IP ranges. But I don't see any work and configuration of such allowed IP ranges in this code. In that case, anyone could substitute any other IP address with the header and thus bypass some protections or other functionalities tied to the IP address.

I think Nginx handles this correctly, but this is definitely still a security consideration. Most other apps handle this with a trusted proxy configuration with CIDR ranges if I recall, which should be the proper solution here!

@pablohashescobar
Copy link
Collaborator

@checkraisefold, @janreges, thanks for flagging this. I see the error, and we will fix it for the reverse proxy as well. The IP rate limiting and other security-based checks are handled by Django internally, so it is not a security issue right now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@akshat5302 akshat5302

Labels
🐛bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@janreges @vihar @checkraisefold @akshat5302 @pablohashescobar @pushya22