Merge pull request #499 from benoitf/OPENVSX-498
fix: X-Forwarded-Host header can be array or comma separated list
amvanbaren authored Sep 21, 2022
2 parents 4995593 + 9d14dd7 commit f956110
Showing 2 changed files with 58 additions and 4 deletions.
15 changes: 13 additions & 2 deletions server/src/main/java/org/eclipse/openvsx/util/UrlUtil.java
@@ -12,6 +12,9 @@
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

import java.util.ArrayList;
import java.util.Collections;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang3.ArrayUtils;
@@ -159,11 +162,19 @@ protected static String getBaseUrl(HttpServletRequest request) {
// Use the host and port from the X-Forwarded-Host header if present
String host;
int port;
var forwardedHost = request.getHeader("X-Forwarded-Host");
if (forwardedHost == null) {
var forwardedHostHeadersEnumeration = request.getHeaders("X-Forwarded-Host");
if (forwardedHostHeadersEnumeration == null || !forwardedHostHeadersEnumeration.hasMoreElements()) {
host = request.getServerName();
port = request.getServerPort();
} else {
// take the first one
var forwardedHost = forwardedHostHeadersEnumeration.nextElement();

// if it's comma separated, take the first one
var forwardedHosts = forwardedHost.split(",");
if (forwardedHosts.length > 1) {
forwardedHost = forwardedHosts[0];
}
int colonIndex = forwardedHost.lastIndexOf(':');
if (colonIndex > 0) {
host = forwardedHost.substring(0, colonIndex);
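Review bot: The `else` branch takes the leftmost `X-Forwarded-Host` value and builds the base URL from it without checking it against anything, and when a client sends its own header and a proxy appends to it, the leftmost entry is the client-supplied one. Nothing visible here limits the header to requests from a trusted proxy or compares the host with a configured set of allowed names, so generated links can carry a host the caller chose; that check belongs before `host` is assigned (the rest of getBaseUrl lies outside the hunk, so it may exist elsewhere). Separately, the split result is used only when `forwardedHosts.length > 1`, so a value such as `open-vsx.org,` keeps its trailing comma and surrounding whitespace is never trimmed; `forwardedHost = forwardedHost.split(",", 2)[0].trim();` with a fallback to `request.getServerName()` when the result is empty would cover both. The `java.util.ArrayList` and `java.util.Collections` imports added at the top do not appear to be used in the lines shown.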
47 changes: 45 additions & 2 deletions server/src/test/java/org/eclipse/openvsx/util/UrlUtilTest.java
@@ -12,6 +12,9 @@
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.doReturn;

import java.util.ArrayList;
import java.util.Collections;

import javax.servlet.http.HttpServletRequest;

import org.junit.jupiter.api.AfterEach;
@@ -100,9 +103,49 @@ public void testWithXForwarded() throws Exception {

// XForwarded content
doReturn("https").when(request).getHeader("X-Forwarded-Proto");
doReturn("open-vsx.org").when(request).getHeader("X-Forwarded-Host");
var items = new ArrayList<String>();
items.add("open-vsx.org");
doReturn(Collections.enumeration(items)).when(request).getHeaders("X-Forwarded-Host");
doReturn("/openvsx").when(request).getHeader("X-Forwarded-Prefix");
assertThat(UrlUtil.getBaseUrl(request)).isEqualTo("https://open-vsx.org/openvsx/");
}
}

// Check base URL is using array X-Forwarded-Host headers
@Test
public void testWithXForwardedHostArray() throws Exception {
// basic request
doReturn("http").when(request).getScheme();
doReturn("localhost").when(request).getServerName();
doReturn(8080).when(request).getServerPort();
doReturn("/").when(request).getContextPath();

// XForwarded content
doReturn("https").when(request).getHeader("X-Forwarded-Proto");
var items = new ArrayList<String>();
items.add("open-vsx.org");
items.add("foo.com");
items.add("bar.com");
doReturn(Collections.enumeration(items)).when(request).getHeaders("X-Forwarded-Host");
doReturn("/openvsx").when(request).getHeader("X-Forwarded-Prefix");
assertThat(UrlUtil.getBaseUrl(request)).isEqualTo("https://open-vsx.org/openvsx/");
}

// Check base URL is using comma separated X-Forwarded-Host headers
@Test
public void testWithXForwardedHostCommaSeparated() throws Exception {
// basic request
doReturn("http").when(request).getScheme();
doReturn("localhost").when(request).getServerName();
doReturn(8080).when(request).getServerPort();
doReturn("/").when(request).getContextPath();

// XForwarded content
doReturn("https").when(request).getHeader("X-Forwarded-Proto");
var items = new ArrayList<String>();
items.add("open-vsx.org, foo.com, bar.com");
doReturn(Collections.enumeration(items)).when(request).getHeaders("X-Forwarded-Host");
doReturn("/openvsx").when(request).getHeader("X-Forwarded-Prefix");
assertThat(UrlUtil.getBaseUrl(request)).isEqualTo("https://open-vsx.org/openvsx/");
}

}
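Review bot: The two new tests only use lists whose first entry is already clean, so they would pass even if entries are never trimmed: in `"open-vsx.org, foo.com, bar.com"` the whitespace follows the commas rather than surrounding the first host. Cases worth adding are a first entry that carries a port (constructed example: `open-vsx.org:8443, foo.com`), a value with a trailing comma or leading whitespace, and an empty header value, each asserting which host and port end up in the base URL. A test that pins the result for a forwarded host the deployment does not expect would also document whether getBaseUrl is meant to trust the header unconditionally.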
