Fixes an issue with x-forwarded headers and checkOrigin'

.changeset/many-flies-shine.md

@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Enable checkOrigin when astro is behind a reverse proxy

packages/astro/src/core/app/node.ts

@@ -19,6 +19,17 @@ interface NodeRequest extends IncomingMessage {
 	body?: unknown;
 }
 
+function findRequestPort(req: NodeRequest, proto: string): string | undefined {
+		const hostheader = req.headers['host'];
+		if (hostheader) {
+			const hosturl = new URL(`${proto}://${hostheader}`)
+			if (hosturl.port) {
+				return hosturl.port
+			}
+		}
+		return undefined
+}
+
 /**
  * Converts a NodeJS IncomingMessage into a web standard Request.
  * ```js
@@ -76,7 +87,7 @@ export function createRequest(
 		allowedDomains,
 	);
 	const hostname = validated.host ?? validatedHostname ?? 'localhost';
-	const port = validated.port;
+	const port = validated.port ?? req.socket?.localPort?.toString() ?? findRequestPort(req, protocol);
 
 	let url: URL;
 	try {

packages/astro/src/core/app/validate-headers.ts

@@ -1,4 +1,4 @@
-import { matchPattern, type RemotePattern } from '@astrojs/internal-helpers/remote';
+import { matchPattern, matchHostname, type RemotePattern } from '@astrojs/internal-helpers/remote';
 
 /**
  * Sanitize a hostname by rejecting any with path separators.
@@ -85,57 +85,82 @@ export function validateForwardedHeaders(
 ): { protocol?: string; host?: string; port?: string } {
 	const result: { protocol?: string; host?: string; port?: string } = {};
 
-	// Validate protocol
-	if (forwardedProtocol) {
-		if (allowedDomains && allowedDomains.length > 0) {
-			const hasProtocolPatterns = allowedDomains.some((pattern) => pattern.protocol !== undefined);
-			if (hasProtocolPatterns) {
-				// Validate against allowedDomains patterns
-				try {
-					const testUrl = new URL(`${forwardedProtocol}://example.com`);
-					const isAllowed = allowedDomains.some((pattern) => matchPattern(testUrl, pattern));
-					if (isAllowed) {
-						result.protocol = forwardedProtocol;
-					}
-				} catch {
-					// Invalid protocol, omit from result
-				}
-			} else if (/^https?$/.test(forwardedProtocol)) {
-				// allowedDomains exist but no protocol patterns, allow http/https
-				result.protocol = forwardedProtocol;
-			}
-		} else if (/^https?$/.test(forwardedProtocol)) {
-			// No allowedDomains, only allow http/https
-			result.protocol = forwardedProtocol;
-		}
+	// Require allowed domains to validate any forwarded headers - prevents trusting unvalidated headers
+	if (!allowedDomains || allowedDomains.length === 0) {
+		return result
 	}
 
-	// Validate port first
-	if (forwardedPort && allowedDomains && allowedDomains.length > 0) {
-		const hasPortPatterns = allowedDomains.some((pattern) => pattern.port !== undefined);
-		if (hasPortPatterns) {
-			// Validate against allowedDomains patterns
-			const isAllowed = allowedDomains.some((pattern) => pattern.port === forwardedPort);
-			if (isAllowed) {
-				result.port = forwardedPort;
-			}
-		}
-		// If no port patterns, reject the header (strict security default)
+	// require a hostname
+	if (!forwardedHost || forwardedHost.length === 0) {
+		return result;
 	}
 
 	// Validate host (extract port from hostname for validation)
 	// Reject empty strings and sanitize to prevent path injection
-	if (forwardedHost && forwardedHost.length > 0 && allowedDomains && allowedDomains.length > 0) {
-		const protoForValidation = result.protocol || 'https';
-		const sanitized = sanitizeHost(forwardedHost);
-		if (sanitized) {
-			const { hostname, port: portFromHost } = parseHost(sanitized);
-			const portForValidation = result.port || portFromHost;
-			if (matchesAllowedDomains(hostname, protoForValidation, portForValidation, allowedDomains)) {
-				result.host = sanitized;
+	const sanitized = sanitizeHost(forwardedHost);
+	if (!sanitized) {
+		return result;
+	}
+	const { hostname, port } = parseHost(sanitized);
+	if (!hostname) {
+		return result;
+	}
+
+	const testUrl = new URL(`https://${hostname}/`);
+	// do not match anything other than hostname here.
+	const found = allowedDomains.find((pattern) => matchHostname(testUrl, pattern.hostname, true));
+	if (!found) {
+		return result;
+	}
+
+	// we might need to set the port...
+	// if allowedDomain specified a port, but none was found, reject all the headers.
+	if (found.port) {
+		if (port && found.port !== port) {
+			return result;
+		}
+		if (forwardedPort && found.port !== forwardedPort) {
+			return result;
+		}
+	}
+
+	if (forwardedPort || port) {
+		if (found.port) {
+			if (port) {
+				if (forwardedPort && forwardedPort !== port) {
+					// weird case.
+					return result;
+				}
+				if (found.port === port) {
+					result.port = port;
+				} else {
+					return result
+				}
+			} else if (found.port === forwardedPort) {
+					result.port = forwardedPort;
+			} else {
+
+				// found port but no match
+				return result
 			}
+		} else {
+			// If no port patterns, reject the header (strict security default)
 		}
 	}
 
-	return result;
+	// if a protocol is configured, ensure it is correct.
+	if (found.protocol) {
+		if (found.protocol !== forwardedProtocol) {
+			return result;
+		}
+
+		// all good
+		result.protocol = found.protocol;
+	} else if (forwardedProtocol && /^https?$/.test(forwardedProtocol)) {
+		// fallback to allow if it is not specified in the allowedDomains, but only if it is http or https
+		result.protocol = forwardedProtocol;
+	}
+
+	result.host = hostname;
+	return result
 }