more tests and tweaks

qzio · qzio · commit 978e6d3d98aa · 2026-02-18T16:17:16.000+01:00
diff --git a/packages/astro/src/core/app/validate-headers.ts b/packages/astro/src/core/app/validate-headers.ts
@@ -90,7 +90,10 @@ export function validateForwardedHeaders(
 		return result
 	}
 
-	let allowedDomain: RemotePattern = {}
+	// require a hostname
+	if (!forwardedHost || forwardedHost.length === 0) {
+		return result;
+	}
 
 	// Validate host (extract port from hostname for validation)
 	// Reject empty strings and sanitize to prevent path injection
@@ -103,40 +106,46 @@ export function validateForwardedHeaders(
 				// do not match anything other than hostname here.
 				const found = allowedDomains.find((pattern) => matchHostname(testUrl, pattern.hostname, true));
 				if (found) {
-					// also check for ports in the forwarded header, if there is a mismatch, return
-					if (port) {
-						if (found.port && found.port !== port) {
-							return result;
+					// we might need to set the port...
+					if (forwardedPort || port) {
+						if (found.port) {
+
+							if (port) {
+								if (forwardedPort && forwardedPort !== port) {
+									// weird case.
+									return result;
+								}
+								if (found.port === port) {
+									result.port = port;
+								}
+							} else {
+								if (found.port === forwardedPort) {
+									result.port = forwardedPort;
+								}
+							}
+						} else {
+							// If no port patterns, reject the header (strict security default)
 						}
 					}
-					result.host = sanitized;
-					allowedDomain = found
-				}
-			}
-		}
-	}
 
-	// If host is not valid, we cannot trust protocol or port from forwarded headers
-	if (!result.host || !allowedDomain.hostname) {
-		return result;
-	}
+					// if a protocol is configured, ensure it is correct.
+					if (found.protocol) {
+						if (found.protocol !== forwardedProtocol) {
+							return result;
+						}
 
-	// Validate port
-	if (forwardedPort && allowedDomain.port && allowedDomain.port === forwardedPort) {
-		result.port = forwardedPort;
-	}
+						// all good
+						result.protocol = found.protocol;
+					} else if (forwardedProtocol && /^https?$/.test(forwardedProtocol)) {
+						// fallback to allow if it is not specified in the allowedDomains, but only if it is http or https
+						result.protocol = forwardedProtocol;
+					}
 
-	// Validate protocol
-	if (forwardedProtocol) {
-		if (allowedDomain.protocol) {
-			if (allowedDomain.protocol === forwardedProtocol) {
-				result.protocol = forwardedProtocol;
+					result.host = sanitized;
+					return result
+				}
 			}
-		} else if (/^https?$/.test(forwardedProtocol)) {
-			// allowdDomains does not contain protocol, allow protocol
-			result.protocol = forwardedProtocol;
 		}
 	}
-
-	return result;
+	return result
 }
diff --git a/packages/astro/test/units/app/node.test.js b/packages/astro/test/units/app/node.test.js
@@ -439,6 +439,131 @@ describe('node', () => {
 				);
 				assert.equal(result.url, 'https://example.com/');
 			});
+			it('accepts x-forwarded-proto when allowedDomains has protocol and hostname', () => {
+				const result = createRequest(
+					{
+						...mockNodeRequest,
+						socket: { encrypted: false, remoteAddress: '2.2.2.2' },
+						headers: {
+							host: 'myapp.example.com',
+							'x-forwarded-host': 'myapp.example.com',
+							'x-forwarded-proto': 'https',
+						},
+					},
+					{ allowedDomains: [{ protocol: 'https', hostname: 'myapp.example.com' }] },
+				);
+				// Without the fix, protocol validation fails due to hostname mismatch
+				// and falls back to socket.encrypted (false → http)
+				assert.equal(result.url, 'https://myapp.example.com/');
+			});
+
+			it('rejects x-forwarded-proto when it does not match protocol in allowedDomains', () => {
+				const result = createRequest(
+					{
+						...mockNodeRequest,
+						socket: { encrypted: false, remoteAddress: '2.2.2.2' },
+						headers: {
+							host: 'myapp.example.com',
+							'x-forwarded-proto': 'http',
+						},
+					},
+					{ allowedDomains: [{ protocol: 'https', hostname: 'myapp.example.com' }] },
+				);
+				// http is not in allowedDomains (only https), protocol falls back to socket (false → http)
+				// Host validation also fails because http doesn't match the pattern's protocol: 'https'
+				assert.equal(result.url, 'http://localhost/');
+			});
+
+			it('accepts x-forwarded-proto with wildcard hostname pattern in allowedDomains', () => {
+				const result = createRequest(
+					{
+						...mockNodeRequest,
+						socket: { encrypted: false, remoteAddress: '2.2.2.2' },
+						headers: {
+							'x-forwarded-host': 'joel.example.com',
+							'x-forwarded-proto': 'https',
+						},
+					},
+					{ allowedDomains: [{ protocol: 'https', hostname: '**.example.com' }] },
+				);
+				assert.equal(result.url, 'https://joel.example.com/');
+			});
+
+			it('constructs correct URL behind reverse proxy with all forwarded headers', () => {
+				// Simulates: Reverse proxy terminates TLS, connects to Astro via HTTP,
+				// forwards original protocol/host/port via X-Forwarded-* headers
+				const result = createRequest(
+					{
+						...mockNodeRequest,
+						socket: { encrypted: false, remoteAddress: '2.2.2.2' },
+						headers: {
+							host: 'myapp.example.com',
+							'x-forwarded-proto': 'https',
+							'x-forwarded-host': 'myapp.example.com',
+						},
+					},
+					{ allowedDomains: [{ protocol: 'https', hostname: 'myapp.example.com' }] },
+				);
+				assert.equal(result.url, 'https://myapp.example.com/');
+			});
+
+			it('hmmm', () => {
+				const result = createRequest(
+					{
+						...mockNodeRequest,
+						socket: { encrypted: false, remoteAddress: '2.2.2.2' },
+						headers: {
+							host: 'something-other.com',
+							'x-forwarded-proto': 'https',
+							'x-forwarded-host': 'myapp.example.com',
+						},
+					},
+					{ allowedDomains: [{ protocol: 'https', hostname: 'another.example.com' }] },
+				);
+				// should be 'http://something-other.com/' no?
+				assert.equal(result.url, 'http://localhost/');
+			});
+
+			it('trick validate-headers', () => {
+				const result = createRequest(
+					{
+						...mockNodeRequest,
+						socket: { encrypted: false, remoteAddress: '2.2.2.2' },
+						headers: {
+							host: 'this-header-does-nothing.com',
+							'x-forwarded-host': 'myapp.example.com',
+						},
+					},
+					{
+						allowedDomains: [
+							{ protocol: 'http', hostname: 'local.domain' },
+							{ protocol: 'https', hostname: 'myapp.example.com' }
+						]
+					},
+				);
+
+				assert.equal(result.url, 'http://localhost/');
+			});
+
+			it('trick validate-headers 2', () => {
+				const result = createRequest(
+					{
+						...mockNodeRequest,
+						socket: { encrypted: false, remoteAddress: '2.2.2.2' },
+						headers: {
+							'x-forwarded-proto': 'https',
+						},
+					},
+					{
+						allowedDomains: [
+							{ protocol: 'https', hostname: 'myapp.example.com' }
+						]
+					},
+				);
+
+				assert.equal(result.url, 'http://localhost/');
+			});
+
 		});
 
 		describe('x-forwarded-port', () => {
