4 changes: 2 additions & 2 deletions apisix/plugins/wolf-rbac.lua
@@ -241,7 +241,7 @@ end
function _M.rewrite(conf, ctx)
local url = ctx.var.uri
local action = ctx.var.request_method
local client_ip = ctx.var.http_x_real_ip or core.request.get_ip(ctx)
local client_ip = core.request.get_remote_client_ip(ctx)
local perm_item = {action = action, url = url, clientIP = client_ip}
core.log.info("hit wolf-rbac rewrite")

@@ -422,7 +422,7 @@ local function get_wolf_token(ctx)
if rbac_token == nil then
local url = ctx.var.uri
local action = ctx.var.request_method
local client_ip = core.request.get_ip(ctx)
local client_ip = core.request.get_remote_client_ip(ctx)
local perm_item = {action = action, url = url, clientIP = client_ip}
core.log.info("no permission to access ",
core.json.delay_encode(perm_item), ", need login!")
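Review bot: The `core.request.get_remote_client_ip(ctx)` call in `_M.rewrite` (and the same call in `get_wolf_token`), which appears to be the new side of each pair, has no comment saying that the `clientIP` sent to wolf now depends on the gateway's real-IP trust configuration, which is the security-relevant part of this change. Judging by the tests in this commit, `X-Real-IP` is honoured only when the connecting peer matches `set_real_ip_from`; the helper is defined outside this page, so confirm that against its definition. I would add above the call in `_M.rewrite`: `-- clientIP: X-Real-IP is honoured only from peers trusted via set_real_ip_from; never read the header directly`. Deployments that sit behind a proxy not listed as trusted will start reporting the proxy's address to wolf, which deserves a line in the upgrade notes if wolf policies or audit records key on the client IP. Both functions continue outside the hunks shown.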
1 change: 1 addition & 0 deletions t/lib/server.lua
@@ -318,6 +318,7 @@ function _M.wolf_rbac_access_check()

local args = ngx.req.get_uri_args()
local resName = args.resName
ngx.log(ngx.WARN, "wolf_rbac_access_check clientIP: ", args.clientIP or "")
if resName == '/hello' or resName == '/wolf/rbac/custom/headers' then
ngx.say(json_encode({ok=true,
data={ userInfo={nickname="administrator",
30 changes: 30 additions & 0 deletions t/plugin/wolf-rbac.t
@@ -860,3 +860,33 @@ ssl_verify: true
qr/ssl_verify/
--- no_error_log
[error]



=== TEST 41: clientIP forwarded from trusted X-Real-IP source
--- http_config
real_ip_header X-Real-IP;
set_real_ip_from 127.0.0.1;
--- request
GET /hello
--- more_headers
Authorization: V1#wolf-rbac-app#wolf-rbac-token
X-Real-IP: 192.0.2.10
--- error_log
wolf_rbac_access_check clientIP: 192.0.2.10



=== TEST 42: spoofed X-Real-IP from untrusted source is ignored
--- http_config
real_ip_header X-Real-IP;
set_real_ip_from 192.0.2.1;
--- request
GET /hello
--- more_headers
Authorization: V1#wolf-rbac-app#wolf-rbac-token
X-Real-IP: 192.0.2.10
--- error_log
wolf_rbac_access_check clientIP: 127.0.0.1
--- no_error_log
wolf_rbac_access_check clientIP: 192.0.2.10
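Review bot: TEST 41 and TEST 42 assert only on the mock server's `clientIP` log line, so neither pins the response nor rules out an `[error]` entry written while the request was handled. TEST 41 should carry the `--- no_error_log` / `[error]` pair used by the test just above it, and TEST 42 can add `[error]` as a second line in its existing `--- no_error_log` section. Neither test defines a route or consumer, so both presumably rely on state left by earlier tests outside this hunk; a one-line comment naming the test that sets up `/hello` would make that dependency explicit. The `get_wolf_token` branch changed in apisix/plugins/wolf-rbac.lua (a request without a token) is not exercised by either test.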