Description
The getClientIp function in the AI gateway auth middleware unconditionally trusts the X-Forwarded-For header supplied by the client. An attacker can rotate through arbitrary fake IPs to bypass anonymous rate limiting entirely.
File: ai-gateway/src/middlewares/auth.ts (lines ~72-78)
Current Code
s function getClientIp(req: RequestContext): string { const forwarded = req.header("x-forwarded-for"); if (forwarded) { // blindly trusts whatever the client sends: return forwarded.split(",")[0].trim(); } return req.ip || req.socket.remoteAddress || "unknown"; }
Impact
Since anonymous rate limiting is the only cost control for unauthenticated users, an attacker can exhaust upstream LLM/search quotas without restriction by cycling fake X-Forwarded-For values.
Suggested Fix
Only trust X-Forwarded-For when the immediate connection comes from a known trusted proxy IP (check req.socket.remoteAddress against a configured allow-list). Otherwise fall back to req.socket.remoteAddress directly.
Description
The
getClientIpfunction in the AI gateway auth middleware unconditionally trusts theX-Forwarded-Forheader supplied by the client. An attacker can rotate through arbitrary fake IPs to bypass anonymous rate limiting entirely.File:
ai-gateway/src/middlewares/auth.ts(lines ~72-78)Current Code
s function getClientIp(req: RequestContext): string { const forwarded = req.header("x-forwarded-for"); if (forwarded) { // blindly trusts whatever the client sends: return forwarded.split(",")[0].trim(); } return req.ip || req.socket.remoteAddress || "unknown"; }Impact
Since anonymous rate limiting is the only cost control for unauthenticated users, an attacker can exhaust upstream LLM/search quotas without restriction by cycling fake
X-Forwarded-Forvalues.Suggested Fix
Only trust
X-Forwarded-Forwhen the immediate connection comes from a known trusted proxy IP (checkreq.socket.remoteAddressagainst a configured allow-list). Otherwise fall back toreq.socket.remoteAddressdirectly.