Add the negative depth case

Author: sedkis

request/real_ip.go

@@ -27,17 +27,19 @@ func RealIP(r *http.Request) string {
 	if fw := r.Header.Get(header.XForwardFor); fw != "" {
 		xffs := strings.Split(fw, ",")
 
-		// If no IPs, return the first IP in the chain
-		if len(xffs) == 0 {
-			return ""
-		}
-
 		// Get depth from config, default to 0 (first IP in chain)
 		depth := 0
 		if Global != nil {
 			depth = Global().HttpServerOptions.XFFDepth
 		}
 
+		// It's more secure to return empty if depth is invalid.
+		// Returning the first IP in the case of an incorrect depth is a security risk.
+		// and a buried failure.
+		if depth < 0 {
+			return ""
+		}
+
 		// If depth exceeds available IPs, return empty
 		if depth > len(xffs) {
 			return ""

request/real_ip_test.go

@@ -239,7 +239,7 @@ func TestXFFDepth(t *testing.T) {
 			name:     "Depth -5 (Negative Depth uses same as NO depth)",
 			xffValue: "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1",
 			depth:    -5,
-			expected: "10.0.0.1",
+			expected: "",
 		},
 		{
 			name:     "Header with spaces",
@@ -253,6 +253,12 @@ func TestXFFDepth(t *testing.T) {
 			depth:    3,
 			expected: "11.0.0.1",
 		},
+		{
+			name:     "Empty header",
+			xffValue: "",
+			depth:    0,
+			expected: "192.168.1.1", // Should fall back to RemoteAddr
+		},
 		{
 			name:     "Invalid IP at selected depth",
 			xffValue: "10.0.0.1,invalid-ip,12.0.0.1,13.0.0.1",