Reject requests from the proxy itself (#52073)

* Reject requests from the proxy itself * Adjust tests
2025-04-23 08:47:57 +00:00 · 2021-06-27 19:02:51 +02:00 · 2021-06-27 19:02:51 +02:00 · eedf1c3ebe
commit eedf1c3ebe
parent dafddce446
2 changed files with 32 additions and 9 deletions
--- a/homeassistant/components/http/forwarded.py
+++ b/homeassistant/components/http/forwarded.py
@ -129,9 +129,11 @@ def async_setup_forwarded(
            overrides["remote"] = str(forwarded_ip)
            break
        else:
-            # If all the IP addresses are from trusted networks, take the left-most.
-            forwarded_for_index = -1
-            overrides["remote"] = str(forwarded_for[-1])
+            _LOGGER.warning(
+                "Request originated directly from a trusted proxy included in X-Forwarded-For: %s, this is likely a miss configuration and will be rejected",
+                forwarded_for_headers,
+            )
+            raise HTTPBadRequest()

        # Handle X-Forwarded-Proto
        forwarded_proto_headers: list[str] = request.headers.getall(
--- a/tests/components/http/test_forwarded.py
+++ b/tests/components/http/test_forwarded.py
@ -43,15 +43,9 @@ async def test_x_forwarded_for_without_trusted_proxy(aiohttp_client, caplog):
@pytest.mark.parametrize(
    "trusted_proxies,x_forwarded_for,remote",
    [
-        (
-            ["127.0.0.0/24", "1.1.1.1", "10.10.10.0/24"],
-            "10.10.10.10, 1.1.1.1",
-            "10.10.10.10",
-        ),
        (["127.0.0.0/24", "1.1.1.1"], "123.123.123.123, 2.2.2.2, 1.1.1.1", "2.2.2.2"),
        (["127.0.0.0/24", "1.1.1.1"], "123.123.123.123,2.2.2.2,1.1.1.1", "2.2.2.2"),
        (["127.0.0.0/24"], "123.123.123.123, 2.2.2.2, 1.1.1.1", "1.1.1.1"),
-        (["127.0.0.0/24"], "127.0.0.1", "127.0.0.1"),
        (["127.0.0.1", "1.1.1.1"], "123.123.123.123, 1.1.1.1", "123.123.123.123"),
        (["127.0.0.1", "1.1.1.1"], "123.123.123.123, 2.2.2.2, 1.1.1.1", "2.2.2.2"),
        (["127.0.0.1"], "255.255.255.255", "255.255.255.255"),
@ -83,6 +77,33 @@ async def test_x_forwarded_for_with_trusted_proxy(
    assert resp.status == 200


+@pytest.mark.parametrize(
+    "trusted_proxies,x_forwarded_for",
+    [
+        (
+            ["127.0.0.0/24", "1.1.1.1", "10.10.10.0/24"],
+            "10.10.10.10, 1.1.1.1",
+        ),
+        (["127.0.0.0/24"], "127.0.0.1"),
+    ],
+)
+async def test_x_forwarded_for_from_trusted_proxy_rejected(
+    trusted_proxies, x_forwarded_for, aiohttp_client
+):
+    """Test that we reject forwarded requests from proxy server itself."""
+
+    app = web.Application()
+    app.router.add_get("/", mock_handler)
+    async_setup_forwarded(
+        app, True, [ip_network(trusted_proxy) for trusted_proxy in trusted_proxies]
+    )
+
+    mock_api_client = await aiohttp_client(app)
+    resp = await mock_api_client.get("/", headers={X_FORWARDED_FOR: x_forwarded_for})
+
+    assert resp.status == 400
+
+
 async def test_x_forwarded_for_disabled_with_proxy(aiohttp_client, caplog):
    """Test that we warn when processing is disabled, but proxy has been detected."""