From ef4a489a0ef6a05781d7e39c42a2c5bf23493a76 Mon Sep 17 00:00:00 2001
From: Christian Schuerings
Date: Thu, 9 Apr 2026 16:00:13 +0200
Subject: [PATCH 1/2] fix: read X-Forwarded-For for client IP in security audit events

On reverse-proxy deployments (e.g. BTP Cloud Foundry), socket.remoteAddress returns the internal proxy IP, not the real client IP. Read X-Forwarded-For first and fall back to socket.remoteAddress when absent, consistent with how @sap/approuter resolves the client IP (lib/utils/logger.js:76).

Fixes #421
---
 lib/generic-handlers.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/generic-handlers.js b/lib/generic-handlers.js
index 299bb333..a995a575 100644
--- a/lib/generic-handlers.js
+++ b/lib/generic-handlers.js
@@ -147,7 +147,9 @@ async function validateAttachment(req) {
 
 if (scanEnabled) {
 if (status !== "Clean") {
- const ipAddress = req.req?.socket?.remoteAddress
+ const ipAddress =
+ req.req?.headers?.["x-forwarded-for"] ||
+ req.req?.socket?.remoteAddress
 cds.spawn(async () => {
 try {
 const srv = await cds.connect.to("attachments")
@@ -272,7 +274,8 @@ async function validateAttachmentSize(req, validateContentLength = false) {
 const attachmentRef = await SELECT.one("filename")
 .from(req.target)
 .where({ up__ID: req.data.up__ID })
- const ipAddress = req.req?.socket?.remoteAddress
+ const ipAddress =
+ req.req?.headers?.["x-forwarded-for"] || req.req?.socket?.remoteAddress
 cds.spawn(async () => {
 try {
 const AttachmentsSrv = await cds.connect.to("attachments")
@@ -330,7 +333,8 @@ function validateAttachmentMimeType(req) {
 const acceptableMediaTypes =
 req.target.elements.content["@Core.AcceptableMediaTypes"] || "*/*"
 if (!checkMimeTypeMatch(acceptableMediaTypes, mimeType)) {
- const ipAddress = req.req?.socket?.remoteAddress
+ const ipAddress =
+ req.req?.headers?.["x-forwarded-for"] || req.req?.socket?.remoteAddress
 cds.spawn(async () => {
 try {
 const AttachmentsSrv = await cds.connect.to("attachments")
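Review bot: The new `ipAddress` expression takes `x-forwarded-for` verbatim, and because any caller can set that header the three audit events now record a value the client chose rather than an address the server observed; when a proxy appends to the header the stored value is also a comma-separated chain rather than a single IP. The same expression is repeated in `validateAttachment`, `validateAttachmentSize` and `validateAttachmentMimeType` (all three bodies start and end outside their hunks), so one helper that parses the chain, falls back to `socket.remoteAddress` and carries the trust caveat would be easier to keep correct than three copies. If `req.req` is the Express request (confirm), the more robust option is to configure Express `trust proxy` for the deployment's proxy hops and read `req.req.ip`, which only honours the header when it arrives through a known proxy. In either case the audit record should keep `socket.remoteAddress` alongside the forwarded value so that a spoofed header can still be correlated with the connection that sent it.
```javascript
// Client address for security audit events. X-Forwarded-For is supplied by the
// caller and is only meaningful when a trusted proxy in front of this app sets
// or appends to it; treat the result as an unverified claim, not as authenticated.
function getClientIp(req) {
  const forwarded = req.req?.headers?.["x-forwarded-for"]
  if (typeof forwarded === "string" && forwarded.trim() !== "") {
    // The header may hold a comma-separated chain; store one address, not the list.
    return forwarded.split(",")[0].trim()
  }
  return req.req?.socket?.remoteAddress
}
// … unchanged: validateAttachment up to the rejected-scan branch …
      const ipAddress = getClientIp(req)
```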
From 55b16ce99c7d7331799b6cf1e6cfc48d6b4c1977 Mon Sep 17 00:00:00 2001
From: Christian Schuerings
Date: Thu, 9 Apr 2026 16:03:27 +0200
Subject: [PATCH 2/2] chore: add Unreleased changelog entry for proxy IP fix

---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6368fc38..b77123f1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 The format is based on [Keep a Changelog](http://keepachangelog.com/).
 
+## Unreleased
+
+### Fixed
+
+- Security audit events (`AttachmentSizeExceeded`, `AttachmentUploadRejected`, `AttachmentDownloadRejected`) now log the real client IP on reverse-proxy deployments (e.g. BTP Cloud Foundry) by reading `X-Forwarded-For` with fallback to `socket.remoteAddress`.
+
 ## Version 3.11.0
 
 ### Added