catch the negative depth invalid config.

sedkis · sedkis · commit 57859568f968 · 2025-11-11T09:17:17.000-05:00
diff --git a/request/real_ip.go b/request/real_ip.go
@@ -45,8 +45,9 @@ func RealIP(r *http.Request) string {
 
 		// Choose the appropriate IP based on depth
 		// depth=0 means first IP (leftmost), depth=1 means last IP, depth=2 means second to last, etc.
+		// Negative depth is invalid and treated same as 0/unset.
 		var ip string
-		if depth == 0 {
+		if depth <= 0 {
 			ip = strings.TrimSpace(xffs[0])
 		} else {
 			ip = strings.TrimSpace(xffs[len(xffs)-depth])
diff --git a/request/real_ip_test.go b/request/real_ip_test.go
@@ -235,6 +235,12 @@ func TestXFFDepth(t *testing.T) {
 			depth:    0,
 			expected: "10.0.0.1",
 		},
+		{
+			name:     "Depth -5 (Negative Depth uses same as NO depth)",
+			xffValue: "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1",
+			depth:    -5,
+			expected: "10.0.0.1",
+		},
 		{
 			name:     "Header with spaces",
 			xffValue: "10.0.0.1, 11.0.0.1, 12.0.0.1, 13.0.0.1",
