fixes an issue with x-forwarded headers and checkOrigin

Author: qzio

.changeset/many-flies-shine.md

@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Enable checkOrigin when astro is behind a reverse proxy

packages/astro/src/core/app/node.ts

@@ -19,6 +19,17 @@ interface NodeRequest extends IncomingMessage {
 	body?: unknown;
 }
 
+function findRequestPort(req: NodeRequest): string | undefined {
+		const hostheader = req.headers['host'];
+		if (hostheader) {
+			const hosturl = new URL(`https://${hostheader}`)
+			if (hosturl.port) {
+				return hosturl.port
+			}
+		}
+		return undefined
+}
+
 /**
  * Converts a NodeJS IncomingMessage into a web standard Request.
  * ```js
@@ -76,7 +87,7 @@ export function createRequest(
 		allowedDomains,
 	);
 	const hostname = validated.host ?? validatedHostname ?? 'localhost';
-	const port = validated.port;
+	const port = validated.port ?? findRequestPort(req)
 
 	let url: URL;
 	try {

packages/astro/src/core/app/validate-headers.ts

@@ -1,4 +1,4 @@
-import { matchPattern, type RemotePattern } from '@astrojs/internal-helpers/remote';
+import { matchPattern, matchHostname, type RemotePattern } from '@astrojs/internal-helpers/remote';
 
 /**
  * Sanitize a hostname by rejecting any with path separators.
@@ -85,57 +85,52 @@ export function validateForwardedHeaders(
 ): { protocol?: string; host?: string; port?: string } {
 	const result: { protocol?: string; host?: string; port?: string } = {};
 
-	// Validate protocol
-	if (forwardedProtocol) {
-		if (allowedDomains && allowedDomains.length > 0) {
-			const hasProtocolPatterns = allowedDomains.some((pattern) => pattern.protocol !== undefined);
-			if (hasProtocolPatterns) {
-				// Validate against allowedDomains patterns
-				try {
-					const testUrl = new URL(`${forwardedProtocol}://example.com`);
-					const isAllowed = allowedDomains.some((pattern) => matchPattern(testUrl, pattern));
-					if (isAllowed) {
-						result.protocol = forwardedProtocol;
-					}
-				} catch {
-					// Invalid protocol, omit from result
-				}
-			} else if (/^https?$/.test(forwardedProtocol)) {
-				// allowedDomains exist but no protocol patterns, allow http/https
-				result.protocol = forwardedProtocol;
-			}
-		} else if (/^https?$/.test(forwardedProtocol)) {
-			// No allowedDomains, only allow http/https
-			result.protocol = forwardedProtocol;
-		}
+	// Require allowed domains to validate any forwarded headers - prevents trusting unvalidated headers
+	if (!allowedDomains || allowedDomains.length === 0) {
+		return result
 	}
 
-	// Validate port first
-	if (forwardedPort && allowedDomains && allowedDomains.length > 0) {
-		const hasPortPatterns = allowedDomains.some((pattern) => pattern.port !== undefined);
-		if (hasPortPatterns) {
-			// Validate against allowedDomains patterns
-			const isAllowed = allowedDomains.some((pattern) => pattern.port === forwardedPort);
-			if (isAllowed) {
-				result.port = forwardedPort;
-			}
-		}
-		// If no port patterns, reject the header (strict security default)
-	}
+	let allowedDomain: RemotePattern = {}
 
 	// Validate host (extract port from hostname for validation)
 	// Reject empty strings and sanitize to prevent path injection
-	if (forwardedHost && forwardedHost.length > 0 && allowedDomains && allowedDomains.length > 0) {
-		const protoForValidation = result.protocol || 'https';
+	if (forwardedHost && forwardedHost.length > 0) {
 		const sanitized = sanitizeHost(forwardedHost);
 		if (sanitized) {
-			const { hostname, port: portFromHost } = parseHost(sanitized);
-			const portForValidation = result.port || portFromHost;
-			if (matchesAllowedDomains(hostname, protoForValidation, portForValidation, allowedDomains)) {
-				result.host = sanitized;
+			const { hostname } = parseHost(sanitized);
+			if (hostname) {
+				const testUrl = new URL(`https://${hostname}/`);
+				// do not match anything other than hostname here.
+				const found = allowedDomains.find((pattern) => matchHostname(testUrl, pattern.hostname, true));
+				if (found) {
+					result.host = sanitized;
+					allowedDomain = found
+				}
 			}
 		}
 	}
 
+	// If host is not valid, we cannot trust protocol or port from forwarded headers
+	if (!result.host || !allowedDomain.hostname) {
+		return result;
+	}
+
+	// Validate port
+	if (forwardedPort && allowedDomain.port && allowedDomain.port === forwardedPort) {
+		result.port = forwardedPort;
+	}
+
+	// Validate protocol
+	if (forwardedProtocol) {
+		if (allowedDomain.protocol) {
+			if (allowedDomain.protocol === forwardedProtocol) {
+				result.protocol = forwardedProtocol;
+			}
+		} else if (/^https?$/.test(forwardedProtocol)) {
+			// allowdDomains does not contain protocol, allow protocol
+			result.protocol = forwardedProtocol;
+		}
+	}
+
 	return result;
 }

packages/astro/test/units/app/node.test.js

@@ -77,6 +77,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							'x-forwarded-host': 'www2.example.com,www3.example.com',
+							'x-forwarded-proto': 'https',
 						},
 					},
 					{ allowedDomains: [{ hostname: '**.example.com' }] },
@@ -324,6 +325,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'http',
 							'x-forwarded-port': '80',
 						},
@@ -339,6 +341,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'http,https',
 							'x-forwarded-port': '80,443',
 						},
@@ -354,6 +357,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 						},
 					},
 					{ allowedDomains: [{ hostname: 'example.com' }] },
@@ -367,6 +371,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'https://www.malicious-url.com/?tank=',
 						},
 					},
@@ -381,6 +386,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'x:admin?',
 						},
 					},
@@ -395,6 +401,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'https://localhost/vulnerable?',
 						},
 					},
@@ -409,6 +416,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': 'javascript:alert(document.cookie)//',
 						},
 					},
@@ -423,6 +431,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-proto': '',
 						},
 					},
@@ -439,12 +448,12 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-port': '8443',
 						},
 					},
 					{
 						allowedDomains: [
-							{ hostname: 'example.com' },
 							{ hostname: 'example.com', port: '8443' },
 						],
 					},
@@ -458,12 +467,12 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-port': '8443,3000',
 						},
 					},
 					{
 						allowedDomains: [
-							{ hostname: 'example.com' },
 							{ hostname: 'example.com', port: '8443' },
 						],
 					},
@@ -477,6 +486,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-port': '8443',
 						},
 					},
@@ -491,6 +501,7 @@ describe('node', () => {
 						...mockNodeRequest,
 						headers: {
 							host: 'example.com:3000',
+							'x-forwarded-host': 'example.com',
 							'x-forwarded-port': '443',
 						},
 					},