Skip to content

"trust proxy" does not make Request.hostname use the value of X-Forwarded-Host #68

Open
Open
"trust proxy" does not make Request.hostname use the value of X-Forwarded-Host#68
@onebytegone

Description

@onebytegone
onebytegone
opened on Jul 1, 2020

Regarding Request.hostname, the lambda-express code states:

When the trust proxy app setting is truthy, [the hostname] property will instead have the value of the X-Forwarded-Host header field.

Unfortunately, the hostname code doesn't seem to actually do that. Tests that are listed below fail due to this. Seems like either the docs or the code needs to change.

Unit Tests

describe('hostname property', () => {

   const testCases = [
      {
         host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
         expectedWithTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
         expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
      },
      {
         host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443',
         expectedWithTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
         expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
      },
      {
         host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
         xForwardedHost: 'api.example.com',
         expectedWithTrustProxy: 'api.example.com',
         expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
      },
      {
         host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443',
         xForwardedHost: 'api.example.com',
         expectedWithTrustProxy: 'api.example.com',
         expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
      },
      {
         host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
         xForwardedHost: 'api.example.com:433',
         expectedWithTrustProxy: 'api.example.com',
         expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
      },
      {
         host: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com:443',
         xForwardedHost: 'api.example.com:443',
         expectedWithTrustProxy: 'api.example.com',
         expectedWithoutTrustProxy: 'b5gee6dacf.execute-api.us-east-1.amazonaws.com',
      },
   ];

   it('parses proper values - APIGW', () => {
      _.each(testCases, (testCase) => {
         let evt: RequestEvent = apiGatewayRequest(),
               req;

         evt.headers.Host = testCase.host;

         if (testCase.xForwardedHost) {
            evt.headers['X-Forwarded-Host'] = testCase.xForwardedHost;
            evt.multiValueHeaders['X-Forwarded-Host'] = [ testCase.xForwardedHost ];
         } else {
            delete evt.headers['X-Forwarded-Host'];
            delete evt.multiValueHeaders['X-Forwarded-Host'];
         }

         app.enable('trust proxy');
         req = new Request(app, evt, handlerContext());
         expect(req.hostname).to.eql(testCase.expectedWithTrustProxy);

         app.disable('trust proxy');
         req = new Request(app, evt, handlerContext());
         expect(req.hostname).to.eql(testCase.expectedWithoutTrustProxy);
      });
   });

   it('parses proper values - ALB', () => {
      _.each(testCases, (testCase) => {
         let req;

         _.each([ albRequest(), albMultiValHeadersRequest() ], (evt) => {
            if (evt.headers) {
               evt.headers.host = testCase.host;
               if (testCase.xForwardedHost) {
                  evt.headers['X-Forwarded-Host'] = testCase.xForwardedHost;
               } else {
                  delete evt.headers['X-Forwarded-Host'];
               }
            }
            if (evt.multiValueHeaders) {
               evt.multiValueHeaders.host = [ testCase.host ];
               if (testCase.xForwardedHost) {
                  evt.multiValueHeaders['X-Forwarded-Host'] = [ testCase.xForwardedHost ];
               } else {
                  delete evt.multiValueHeaders['X-Forwarded-Host'];
               }
            }

            app.enable('trust proxy');
            req = new Request(app, evt, handlerContext());
            expect(req.hostname).to.eql(testCase.expectedWithTrustProxy);

            app.disable('trust proxy');
            req = new Request(app, evt, handlerContext());
            expect(req.hostname).to.eql(testCase.expectedWithoutTrustProxy);
         });
      });
   });

});

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions