Merge pull request #53153 from geoand/#53150

geoand · web-flow · commit 25f31a6eb145 · 2026-03-19T17:46:56.000+02:00
Ensure that invalid forwarded headers results in HTTP 400
diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/proxy/InvalidProxyHostTest.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/proxy/InvalidProxyHostTest.java
@@ -0,0 +1,46 @@
+package io.quarkus.vertx.http.proxy;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.Matchers.equalTo;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.event.Observes;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusExtensionTest;
+import io.vertx.ext.web.Router;
+
+public class InvalidProxyHostTest {
+
+    @RegisterExtension
+    static final QuarkusExtensionTest config = new QuarkusExtensionTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(RouteInitializer.class))
+            .overrideRuntimeConfigKey("quarkus.http.proxy.proxy-address-forwarding", "true");
+
+    @Test
+    public void test() {
+        given()
+                .header("X-Forwarded-For", ":abcd")
+                .get("/path")
+                .then()
+                .statusCode(400);
+
+        given()
+                .header("X-Forwarded-For", "1.2.3.4")
+                .get("/path")
+                .then()
+                .body(equalTo("hello"));
+    }
+
+    @ApplicationScoped
+    public static class RouteInitializer {
+
+        public void register(@Observes Router router) {
+            router.route("/path").handler(rc -> rc.response().end("hello"));
+        }
+
+    }
+}
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/options/HttpServerCommonHandlers.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/options/HttpServerCommonHandlers.java
@@ -98,10 +98,19 @@ public static Handler<HttpServerRequest> applyProxy(ProxyConfig proxyConfig, Han
             if (proxyCheckBuilder == null) {
                 // no proxy check => we do not restrict who can send `X-Forwarded` or `X-Forwarded-*` headers
                 final TrustedProxyCheck allowAllProxyCheck = allowAll();
-                return new Handler<HttpServerRequest>() {
+                return new Handler<>() {
                     @Override
                     public void handle(HttpServerRequest event) {
-                        root.handle(new ForwardedServerRequestWrapper(event, forwardingProxyOptions, allowAllProxyCheck));
+                        ForwardedServerRequestWrapper wrapper;
+                        try {
+                            wrapper = new ForwardedServerRequestWrapper(event, forwardingProxyOptions, allowAllProxyCheck);
+                            @SuppressWarnings("unused")
+                            var unused = wrapper.authority();
+                        } catch (IllegalArgumentException e) {
+                            event.response().setStatusCode(400).end();
+                            return;
+                        }
+                        root.handle(wrapper);
                     }
                 };
             } else {
