Introduce rack.request.trusted_proxy.

ioquatix · ioquatix · commit bdeed011a7f4 · 2026-02-08T10:50:46.000+13:00
diff --git a/lib/rack/request.rb b/lib/rack/request.rb
@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'ipaddr'
 require_relative 'constants'
 require_relative 'utils'
 require_relative 'media_type'
@@ -588,11 +589,40 @@ def accept_language
       end
 
       def trusted_proxy?(ip)
-        Rack::Request.ip_filter.call(ip)
+        case get_header('rack.request.trusted_proxy')
+        when nil
+          # Default to class-level ip_filter:
+          Rack::Request.ip_filter.call(ip)
+        when true
+          # Trust all proxies:
+          true
+        when false
+          # Trust no proxies:
+          false
+        when Array
+          # Trust only specified IPs/ranges:
+          get_header('rack.request.trusted_proxy').any? do |pattern|
+            ip_matches?(ip, pattern)
+          end
+        end
       end
 
       private
 
+      # Check if an IP address matches a pattern (IP address or CIDR range).
+      def ip_matches?(ip, pattern)
+        # Direct string match for exact IP comparison:
+        return true if ip == pattern
+
+        begin
+          ip_addr = IPAddr.new(ip)
+          pattern_addr = IPAddr.new(pattern)
+          pattern_addr.include?(ip_addr)
+        rescue IPAddr::InvalidAddressError
+          false
+        end
+      end
+
       def default_session; {}; end
 
       # Assist with compatibility when processing `X-Forwarded-For`.
diff --git a/test/spec_request.rb b/test/spec_request.rb
@@ -1785,6 +1785,102 @@ def ip_app
     req.trusted_proxy?("2001:470:1f0b:18f8::1").must_equal false
   end
 
+  it "uses rack.request.trusted_proxy env key when set to nil (default behavior)" do
+    # When nil, should fall back to ip_filter
+    env = Rack::MockRequest.env_for("/")
+    env['rack.request.trusted_proxy'] = nil
+    req = make_request(env)
+    
+    req.trusted_proxy?('127.0.0.1').must_equal true
+    req.trusted_proxy?('10.0.0.1').must_equal true
+    req.trusted_proxy?('192.168.1.1').must_equal true
+    req.trusted_proxy?('1.2.3.4').must_equal false
+  end
+
+  it "trusts all proxies when rack.request.trusted_proxy is true" do
+    env = Rack::MockRequest.env_for("/")
+    env['rack.request.trusted_proxy'] = true
+    req = make_request(env)
+    
+    req.trusted_proxy?('127.0.0.1').must_equal true
+    req.trusted_proxy?('1.2.3.4').must_equal true
+    req.trusted_proxy?('8.8.8.8').must_equal true
+    req.trusted_proxy?('2001:470:1f0b:18f8::1').must_equal true
+  end
+
+  it "trusts no proxies when rack.request.trusted_proxy is false" do
+    env = Rack::MockRequest.env_for("/")
+    env['rack.request.trusted_proxy'] = false
+    req = make_request(env)
+    
+    req.trusted_proxy?('127.0.0.1').must_equal false
+    req.trusted_proxy?('10.0.0.1').must_equal false
+    req.trusted_proxy?('192.168.1.1').must_equal false
+    req.trusted_proxy?('1.2.3.4').must_equal false
+  end
+
+  it "trusts only specified IPs when rack.request.trusted_proxy is an array" do
+    env = Rack::MockRequest.env_for("/")
+    env['rack.request.trusted_proxy'] = ['10.0.0.1', '192.168.1.100']
+    req = make_request(env)
+    
+    req.trusted_proxy?('10.0.0.1').must_equal true
+    req.trusted_proxy?('192.168.1.100').must_equal true
+    req.trusted_proxy?('10.0.0.2').must_equal false
+    req.trusted_proxy?('192.168.1.101').must_equal false
+    req.trusted_proxy?('127.0.0.1').must_equal false
+  end
+
+  it "supports CIDR ranges in rack.request.trusted_proxy array" do
+    env = Rack::MockRequest.env_for("/")
+    env['rack.request.trusted_proxy'] = ['10.0.0.0/24', '192.168.1.0/28']
+    req = make_request(env)
+    
+    # 10.0.0.0/24 covers 10.0.0.0 - 10.0.0.255
+    req.trusted_proxy?('10.0.0.1').must_equal true
+    req.trusted_proxy?('10.0.0.100').must_equal true
+    req.trusted_proxy?('10.0.0.255').must_equal true
+    req.trusted_proxy?('10.0.1.1').must_equal false
+    
+    # 192.168.1.0/28 covers 192.168.1.0 - 192.168.1.15
+    req.trusted_proxy?('192.168.1.5').must_equal true
+    req.trusted_proxy?('192.168.1.15').must_equal true
+    req.trusted_proxy?('192.168.1.16').must_equal false
+  end
+
+  it "supports IPv6 addresses in rack.request.trusted_proxy array" do
+    env = Rack::MockRequest.env_for("/")
+    env['rack.request.trusted_proxy'] = ['2001:db8::1', 'fd00::/8']
+    req = make_request(env)
+    
+    req.trusted_proxy?('2001:db8::1').must_equal true
+    req.trusted_proxy?('2001:db8::2').must_equal false
+    req.trusted_proxy?('fd00::1').must_equal true
+    req.trusted_proxy?('fd00::ffff').must_equal true
+    req.trusted_proxy?('fe00::1').must_equal false
+  end
+
+  it "handles invalid IP addresses gracefully in rack.request.trusted_proxy" do
+    env = Rack::MockRequest.env_for("/")
+    env['rack.request.trusted_proxy'] = ['10.0.0.1', 'invalid-ip']
+    req = make_request(env)
+    
+    req.trusted_proxy?('10.0.0.1').must_equal true
+    req.trusted_proxy?('invalid-ip').must_equal true  # Direct string match
+    req.trusted_proxy?('192.168.1.1').must_equal false
+  end
+
+  it "can use Rack::Config to set rack.request.trusted_proxy" do
+    app = lambda { |env| [200, {}, [Rack::Request.new(env).trusted_proxy?('8.8.8.8').to_s]] }
+    config_app = Rack::Config.new(app) do |env|
+      env['rack.request.trusted_proxy'] = true
+    end
+    
+    mock = Rack::MockRequest.new(config_app)
+    res = mock.get '/'
+    res.body.must_equal 'true'
+  end
+
   it "sets the default session to an empty hash" do
     req = make_request(Rack::MockRequest.env_for("http://example.com:8080/"))
     session = req.session
