diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6368fc38..b77123f1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 The format is based on [Keep a Changelog](http://keepachangelog.com/).
+## Unreleased
+
+### Fixed
+
+- Security audit events (`AttachmentSizeExceeded`, `AttachmentUploadRejected`, `AttachmentDownloadRejected`) now log the real client IP on reverse-proxy deployments (e.g. BTP Cloud Foundry) by reading `X-Forwarded-For` with fallback to `socket.remoteAddress`.
+
 ## Version 3.11.0
 ### Added
diff --git a/lib/generic-handlers.js b/lib/generic-handlers.js
index 299bb333..a995a575 100644
--- a/lib/generic-handlers.js
+++ b/lib/generic-handlers.js
@@ -147,7 +147,9 @@ async function validateAttachment(req) {
 if (scanEnabled) {
 if (status !== "Clean") {
- const ipAddress = req.req?.socket?.remoteAddress
+ const ipAddress =
+ req.req?.headers?.["x-forwarded-for"] ||
+ req.req?.socket?.remoteAddress
 cds.spawn(async () => {
 try {
 const srv = await cds.connect.to("attachments")
@@ -272,7 +274,8 @@ async function validateAttachmentSize(req, validateContentLength = false) {
 const attachmentRef = await SELECT.one("filename")
 .from(req.target)
 .where({ up__ID: req.data.up__ID })
- const ipAddress = req.req?.socket?.remoteAddress
+ const ipAddress =
+ req.req?.headers?.["x-forwarded-for"] || req.req?.socket?.remoteAddress
 cds.spawn(async () => {
 try {
 const AttachmentsSrv = await cds.connect.to("attachments")
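Review bot: The new `ipAddress` expression on the `+` lines trusts `x-forwarded-for` unconditionally, but that header is supplied by the client and is only meaningful once a reverse proxy the application trusts has overwritten or appended to it; a caller that reaches the app directly, or sits behind a proxy that merely appends (as the changelog's Cloud Foundry wording suggests), can make the audit event record any address it likes, which undermines the purpose of an audit log. The header is also a comma-separated hop list, so the value written to the event may be a string like `203.0.113.9, 10.0.0.4` rather than a single IP, and the same expression is now duplicated in three handlers. I would move the lookup into one helper that normalizes to a single address and documents which hop is trusted; if `req.req` is the Express request (presumably, given `headers` and `socket`), enabling Express's `trust proxy` and reading `req.req.ip` may be the simpler equivalent — confirm against the deployment. Both `validateAttachment` and `validateAttachmentSize` start and end outside these hunks.

```javascript
// Single place to derive the client address for security audit events.
// X-Forwarded-For is client-supplied; only the hop appended by a trusted
// reverse proxy is reliable. Which hop that is depends on the deployment
// (TODO confirm for BTP Cloud Foundry) — taking the last entry assumes the
// nearest proxy appended the real client address rather than overwriting it.
function getClientIp(req) {
  const forwarded = req.req?.headers?.["x-forwarded-for"] || ""
  const hops = forwarded.split(",").map((h) => h.trim()).filter(Boolean)
  return hops.length ? hops[hops.length - 1] : req.req?.socket?.remoteAddress
}
// … unchanged: validateAttachment body up to the status check …
      const ipAddress = getClientIp(req)
```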
@@ -330,7 +333,8 @@ function validateAttachmentMimeType(req) {
 const acceptableMediaTypes = req.target.elements.content["@Core.AcceptableMediaTypes"] || "*/*"
 if (!checkMimeTypeMatch(acceptableMediaTypes, mimeType)) {
- const ipAddress = req.req?.socket?.remoteAddress
+ const ipAddress =
+ req.req?.headers?.["x-forwarded-for"] || req.req?.socket?.remoteAddress
 cds.spawn(async () => {
 try {
 const AttachmentsSrv = await cds.connect.to("attachments")