fixes an issue with x-forwarded headers and checkOrigin

qzio · qzio · commit 42a1bb930d4f · 2026-02-17T18:14:48.000+01:00
diff --git a/.changeset/many-flies-shine.md b/.changeset/many-flies-shine.md
@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Enable checkOrigin when astro is behind a reverse proxy
diff --git a/packages/astro/src/core/app/node.ts b/packages/astro/src/core/app/node.ts
@@ -19,6 +19,17 @@ interface NodeRequest extends IncomingMessage {
 	body?: unknown;
 }
 
+function findRequestPort(req: NodeRequest, proto: string): string | undefined {
+		const hostheader = req.headers['host'];
+		if (hostheader) {
+			const hosturl = new URL(`${proto}://${hostheader}`)
+			if (hosturl.port) {
+				return hosturl.port
+			}
+		}
+		return undefined
+}
+
 /**
  * Converts a NodeJS IncomingMessage into a web standard Request.
  * ```js
@@ -76,7 +87,7 @@ export function createRequest(
 		allowedDomains,
 	);
 	const hostname = validated.host ?? validatedHostname ?? 'localhost';
-	const port = validated.port;
+	const port = validated.port ?? req.socket?.localPort?.toString() ?? findRequestPort(req, protocol);
 
 	let url: URL;
 	try {
diff --git a/packages/astro/src/core/app/validate-headers.ts b/packages/astro/src/core/app/validate-headers.ts
@@ -1,4 +1,4 @@
-import { matchPattern, type RemotePattern } from '@astrojs/internal-helpers/remote';
+import { matchPattern, matchHostname, type RemotePattern } from '@astrojs/internal-helpers/remote';
 
 /**
  * Sanitize a hostname by rejecting any with path separators.
@@ -85,55 +85,56 @@ export function validateForwardedHeaders(
 ): { protocol?: string; host?: string; port?: string } {
 	const result: { protocol?: string; host?: string; port?: string } = {};
 
-	// Validate protocol
-	if (forwardedProtocol) {
-		if (allowedDomains && allowedDomains.length > 0) {
-			const hasProtocolPatterns = allowedDomains.some((pattern) => pattern.protocol !== undefined);
-			if (hasProtocolPatterns) {
-				// Validate against allowedDomains patterns
-				try {
-					const testUrl = new URL(`${forwardedProtocol}://example.com`);
-					const isAllowed = allowedDomains.some((pattern) => matchPattern(testUrl, pattern));
-					if (isAllowed) {
-						result.protocol = forwardedProtocol;
+	// Require allowed domains to validate any forwarded headers - prevents trusting unvalidated headers
+	if (!allowedDomains || allowedDomains.length === 0) {
+		return result
+	}
+
+	let allowedDomain: RemotePattern = {}
+
+	// Validate host (extract port from hostname for validation)
+	// Reject empty strings and sanitize to prevent path injection
+	if (forwardedHost && forwardedHost.length > 0) {
+		const sanitized = sanitizeHost(forwardedHost);
+		if (sanitized) {
+			const { hostname, port } = parseHost(sanitized);
+			if (hostname) {
+				const testUrl = new URL(`https://${hostname}/`);
+				// do not match anything other than hostname here.
+				const found = allowedDomains.find((pattern) => matchHostname(testUrl, pattern.hostname, true));
+				if (found) {
+					// also check for ports in the forwarded header, if there is a mismatch, return
+					if (port) {
+						if (found.port && found.port !== port) {
+							return result;
+						}
 					}
-				} catch {
-					// Invalid protocol, omit from result
+					result.host = sanitized;
+					allowedDomain = found
 				}
-			} else if (/^https?$/.test(forwardedProtocol)) {
-				// allowedDomains exist but no protocol patterns, allow http/https
-				result.protocol = forwardedProtocol;
 			}
-		} else if (/^https?$/.test(forwardedProtocol)) {
-			// No allowedDomains, only allow http/https
-			result.protocol = forwardedProtocol;
 		}
 	}
 
-	// Validate port first
-	if (forwardedPort && allowedDomains && allowedDomains.length > 0) {
-		const hasPortPatterns = allowedDomains.some((pattern) => pattern.port !== undefined);
-		if (hasPortPatterns) {
-			// Validate against allowedDomains patterns
-			const isAllowed = allowedDomains.some((pattern) => pattern.port === forwardedPort);
-			if (isAllowed) {
-				result.port = forwardedPort;
-			}
-		}
-		// If no port patterns, reject the header (strict security default)
+	// If host is not valid, we cannot trust protocol or port from forwarded headers
+	if (!result.host || !allowedDomain.hostname) {
+		return result;
 	}
 
-	// Validate host (extract port from hostname for validation)
-	// Reject empty strings and sanitize to prevent path injection
-	if (forwardedHost && forwardedHost.length > 0 && allowedDomains && allowedDomains.length > 0) {
-		const protoForValidation = result.protocol || 'https';
-		const sanitized = sanitizeHost(forwardedHost);
-		if (sanitized) {
-			const { hostname, port: portFromHost } = parseHost(sanitized);
-			const portForValidation = result.port || portFromHost;
-			if (matchesAllowedDomains(hostname, protoForValidation, portForValidation, allowedDomains)) {
-				result.host = sanitized;
+	// Validate port
+	if (forwardedPort && allowedDomain.port && allowedDomain.port === forwardedPort) {
+		result.port = forwardedPort;
+	}
+
+	// Validate protocol
+	if (forwardedProtocol) {
+		if (allowedDomain.protocol) {
+			if (allowedDomain.protocol === forwardedProtocol) {
+				result.protocol = forwardedProtocol;
 			}
+		} else if (/^https?$/.test(forwardedProtocol)) {
+			// allowdDomains does not contain protocol, allow protocol
+			result.protocol = forwardedProtocol;
 		}
 	}
 
diff --git a/packages/astro/test/units/app/node.test.js b/packages/astro/test/units/app/node.test.js
@@ -77,6 +77,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							'x-forwarded-host': 'www2.example.com,www3.example.com',
+							'x-forwarded-proto': 'https',
 						},
 					},
 					{ allowedDomains: [{ hostname: '**.example.com' }] },
@@ -324,6 +325,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'http',
 							'x-forwarded-port': '80',
 						},
@@ -339,6 +341,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'http,https',
 							'x-forwarded-port': '80,443',
 						},
@@ -354,6 +357,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 						},
 					},
 					{ allowedDomains: [{ hostname: 'example.com' }] },
@@ -367,6 +371,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'https://www.malicious-url.com/?tank=',
 						},
 					},
@@ -381,6 +386,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'x:admin?',
 						},
 					},
@@ -395,6 +401,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'https://localhost/vulnerable?',
 						},
 					},
@@ -409,6 +416,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'javascript:alert(document.cookie)//',
 						},
 					},
@@ -423,6 +431,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': '',
 						},
 					},
@@ -439,12 +448,12 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-port': '8443',
 						},
 					},
 					{
 						allowedDomains: [
-							{ hostname: 'example.com' },
 							{ hostname: 'example.com', port: '8443' },
 						],
 					},
@@ -458,12 +467,12 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-port': '8443,3000',
 						},
 					},
 					{
 						allowedDomains: [
-							{ hostname: 'example.com' },
 							{ hostname: 'example.com', port: '8443' },
 						],
 					},
@@ -477,6 +486,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-port': '8443',
 						},
 					},
@@ -491,6 +501,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com:3000',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-port': '443',
 						},
 					},
diff --git a/packages/integrations/node/test/url.test.js b/packages/integrations/node/test/url.test.js
@@ -48,7 +48,7 @@ describe('URL', () => {
 	it('return http when the X-Forwarded-Proto header is set to http', async () => {
 		const { handler } = await import('./fixtures/url/dist/server/entry.mjs');
 		const { req, res, text } = createRequestAndResponse({
-			headers: { 'X-Forwarded-Proto': 'http' },
+			headers: { 'X-Forwarded-Proto': 'http', 'X-Forwarded-Host': 'legitimate.example.com'  },
 			url: '/',
 		});
 
@@ -62,7 +62,7 @@ describe('URL', () => {
 	it('return https when the X-Forwarded-Proto header is set to https', async () => {
 		const { handler } = await import('./fixtures/url/dist/server/entry.mjs');
 		const { req, res, text } = createRequestAndResponse({
-			headers: { 'X-Forwarded-Proto': 'https' },
+			headers: { 'X-Forwarded-Proto': 'https', 'X-Forwarded-Host': 'legitimate.example.com' },
 			url: '/',
 		});
 
@@ -71,6 +71,7 @@ describe('URL', () => {
 
 		const html = await text();
 		assert.equal(html.includes('https:'), true);
+
 	});
 
 	it('includes forwarded host and port in the url', async () => {
@@ -132,7 +133,7 @@ describe('URL', () => {
 		const $ = cheerio.load(html);
 
 		// Should use the Host header, not X-Forwarded-Host when allowedDomains is not configured
-		assert.equal($('body').text(), 'https://legitimate.example.com/');
+		assert.equal($('body').text(), 'http://legitimate.example.com/');
 	});
 
 	it('rejects port in forwarded host when port not in allowedDomains', async () => {
@@ -153,7 +154,7 @@ describe('URL', () => {
 		const $ = cheerio.load(html);
 
 		// Port 8080 not in allowedDomains (only 444), so should fall back to Host header
-		assert.equal($('body').text(), 'https://localhost:3000/');
+		assert.equal($('body').text(), 'http://localhost:3000/');
 	});
 
 	it('rejects empty X-Forwarded-Host with allowedDomains configured', async () => {
@@ -174,7 +175,7 @@ describe('URL', () => {
 		const $ = cheerio.load(html);
 
 		// Empty X-Forwarded-Host should be rejected and fall back to Host header
-		assert.equal($('body').text(), 'https://legitimate.example.com/');
+		assert.equal($('body').text(), 'http://legitimate.example.com/');
 	});
 
 	it('rejects X-Forwarded-Host with path injection attempt', async () => {
@@ -195,6 +196,6 @@ describe('URL', () => {
 		const $ = cheerio.load(html);
 
 		// Path injection attempt should be rejected and fall back to Host header
-		assert.equal($('body').text(), 'https://localhost:3000/');
+		assert.equal($('body').text(), 'http://localhost:3000/');
 	});
 });

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'astro': patch
 +---
++
 +Enable checkOrigin when astro is behind a reverse proxy