fix(chaitin-waf): use trusted client IP source for WAF backend#13339
Open
shreemaan-abhishek wants to merge 2 commits into apache:master from
Conversation
The plugin populated `client_ip` sent to the Chaitin WAF backend by reading `ctx.var.http_x_forwarded_for` directly when `real_client_ip` is enabled, bypassing nginx's `real_ip` module. Any external client could supply an arbitrary `X-Forwarded-For` header and have it forwarded to the WAF unchecked. Replace the raw-header read with `core.request.get_remote_client_ip` (realip-aware) when `real_client_ip = true`, and `core.request.get_ip` (direct TCP peer) when false. This applies the same fix shape used for wolf-rbac in apache#13329.
`get_conf` merged `real_client_ip` with `or`, which silently fell back to the default `true` whenever the user explicitly set `false`, making the toggle ineffective. Replace with an explicit nil check so both `true` and `false` overrides are honored. Also tighten the existing `real_client_ip = false` test to assert the chosen `client_ip` (not just the response), and add a regression case that verifies the `false` branch wins over `set_real_ip_from`-trusted `X-Forwarded-For` rewrites.
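The two defects the commits above describe, the spoofable `X-Forwarded-For` read and the `or`-based default that swallows an explicit `false`, are easy to reproduce outside nginx. The following is an added example, not code from the chaitin-waf plugin or APISIX: `make_ctx`, the `request` mock, and the `_before`/`_after` functions are constructed stand-ins, and the mock assumes `core.request.get_remote_client_ip` returns the realip-rewritten `remote_addr` while `core.request.get_ip` returns the untouched TCP peer (`realip_remote_addr`). It runs under plain `lua` or `luajit`.

```lua
-- Added example, not the plugin's code. Models both bugs from the PR against a
-- mocked ctx.var so it runs without nginx.

-- Constructed stand-in for the nginx variables APISIX exposes via ctx.var.
-- Assumption: the request arrived via a proxy listed in set_real_ip_from, so
-- the real_ip module already rewrote remote_addr; realip_remote_addr keeps the
-- raw TCP peer (the proxy itself).
local function make_ctx(xff)
  return {
    var = {
      http_x_forwarded_for = xff,        -- attacker-controllable header
      remote_addr = "203.0.113.7",       -- realip-resolved client
      realip_remote_addr = "10.0.0.5",   -- direct TCP peer
    },
  }
end

-- Minimal mock of core.request (assumed behaviour, see lead-in).
local request = {
  get_remote_client_ip = function(ctx) return ctx.var.remote_addr end,
  get_ip = function(ctx) return ctx.var.realip_remote_addr end,
}

-- BEFORE: `or` treats an explicit false exactly like nil, so the default wins.
local function get_conf_before(conf, metadata)
  return { real_client_ip = conf.real_client_ip or metadata.real_client_ip }
end

-- AFTER: explicit nil check honours both true and false overrides.
local function get_conf_after(conf, metadata)
  local v = conf.real_client_ip
  if v == nil then
    v = metadata.real_client_ip
  end
  return { real_client_ip = v }
end

-- BEFORE (enabled branch only, as described): raw header, spoofable by anyone.
local function client_ip_before(ctx)
  return ctx.var.http_x_forwarded_for
end

-- AFTER: realip-aware when enabled, direct TCP peer when disabled.
local function client_ip_after(conf, ctx)
  if conf.real_client_ip then
    return request.get_remote_client_ip(ctx)
  end
  return request.get_ip(ctx)
end

local metadata = { real_client_ip = true }   -- plugin default
local ctx = make_ctx("1.2.3.4, 5.6.7.8")      -- constructed forged XFF value

-- Toggle bug: user sets false, `or` silently falls back to the default true.
assert(get_conf_before({ real_client_ip = false }, metadata).real_client_ip == true)
assert(get_conf_after({ real_client_ip = false }, metadata).real_client_ip == false)
assert(get_conf_after({}, metadata).real_client_ip == true)

-- Spoofing: the header is forwarded verbatim before the fix; after it, the
-- realip-resolved address (true) or the raw TCP peer (false) is used instead.
assert(client_ip_before(ctx) == "1.2.3.4, 5.6.7.8")
assert(client_ip_after(get_conf_after({}, metadata), ctx) == "203.0.113.7")
assert(client_ip_after(get_conf_after({ real_client_ip = false }, metadata), ctx)
       == "10.0.0.5")
print("ok")
```

The `or` pitfall is worth remembering beyond this plugin: in Lua, `false or default` evaluates to `default`, so any boolean option merged that way can never be turned off by the user; compare against `nil` explicitly whenever `false` is a legitimate value.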
Description
The chaitin-waf plugin populates the `client_ip` field sent to the Chaitin WAF backend by reading `ctx.var.http_x_forwarded_for` directly when `config.real_client_ip = true` (the default). This bypasses nginx's `real_ip` module: any external client can supply an arbitrary `X-Forwarded-For` header and have it forwarded verbatim to the WAF, making attribution and policy decisions on that field attacker-controllable.

This change replaces the raw-header read with `core.request.get_remote_client_ip(ctx)` (which returns `$remote_addr` after `real_ip` processing) when `real_client_ip` is enabled, and `core.request.get_ip(ctx)` (direct TCP peer, ignoring realip rewrites) when disabled. The toggle's intent is preserved:

- `real_client_ip = true` (default): forwards the realip-resolved client IP. The forwarded header is honored only when the request comes from a trusted proxy listed in `set_real_ip_from`; spoofed headers from untrusted sources are ignored.
- `real_client_ip = false`: forwards the actual TCP peer address.

This applies the same fix shape used for wolf-rbac in #13329.

An info-level log line records the chosen `client_ip` for auditability and to anchor the regression tests.

Which issue(s) this PR fixes:
Fixes #
Checklist