Remove headers set by a trusted proxy from outputs

router/generic.go

@@ -79,8 +79,8 @@ func getAllAsString(ctx *gin.Context) {
 		output += geoASNRecordToString(record) + "\n"
 	}
 
-	h := ctx.Request.Header
-	h["Host"] = []string{ctx.Request.Host}
+	h := httputils.GetHeadersWithoutTrustedHeaders(ctx)
+	h.Set("Host", ctx.Request.Host)
 	output += httputils.HeadersToSortedString(h)
 
 	ctx.String(http.StatusOK, output)
@@ -113,6 +113,6 @@ func jsonOutput(ctx *gin.Context) JSONResponse {
 		ASN:             asnRecord.AutonomousSystemNumber,
 		ASNOrganization: asnRecord.AutonomousSystemOrganization,
 		Host:            ctx.Request.Host,
-		Headers:         ctx.Request.Header,
+		Headers:         httputils.GetHeadersWithoutTrustedHeaders(ctx),
 	}
 }

router/generic_test.go

@@ -102,9 +102,6 @@ func TestClientPort(t *testing.T) {
 		params  []string
 		headers map[string][]string
 	}
-	type expected struct {
-		body string
-	}
 	tests := []struct {
 		name     string
 		args     args
@@ -249,8 +246,6 @@ ASN Organization:
 
 Header1: one
 Host: test
-X-Real-Ip: 81.2.69.192
-X-Real-Port: 1001
 `
 	_, _ = setting.Setup(
 		[]string{

router/headers.go

@@ -10,15 +10,17 @@ import (
 )
 
 func getHeadersAsSortedString(ctx *gin.Context) {
-	h := ctx.Request.Header
-	h["Host"] = []string{ctx.Request.Host}
+	h := httputils.GetHeadersWithoutTrustedHeaders(ctx)
+	h.Set("Host", ctx.Request.Host)
 
 	ctx.String(http.StatusOK, httputils.HeadersToSortedString(h))
 }
 
 func getHeaderAsString(ctx *gin.Context) {
+	headers := httputils.GetHeadersWithoutTrustedHeaders(ctx)
+
 	h := ctx.Params.ByName("header")
-	if v := ctx.GetHeader(h); v != "" {
+	if v := headers.Get(ctx.Params.ByName("header")); v != "" {
 		ctx.String(http.StatusOK, template.HTMLEscapeString(v))
 	} else if strings.ToLower(h) == "host" {
 		ctx.String(http.StatusOK, template.HTMLEscapeString(ctx.Request.Host))

router/headers_test.go

@@ -5,6 +5,7 @@ import (
 	"net/http/httptest"
 	"testing"
 
+	"github.com/dcarrillo/whatismyip/internal/setting"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -26,13 +27,20 @@ Header2: value22
 Header3: value3
 Host: 
 `
-
+	_, _ = setting.Setup([]string{
+		"-geoip2-city", "city",
+		"-geoip2-asn", "asn",
+		"-trusted-header", trustedHeader,
+		"-trusted-port-header", trustedPortHeader,
+	})
 	req, _ := http.NewRequest("GET", "/headers", nil)
 	req.Header = map[string][]string{
 		"Header1": {"value1"},
 		"Header2": {"value21", "value22"},
 		"Header3": {"value3"},
 	}
+	req.Header.Set(trustedHeader, "1.1.1.1")
+	req.Header.Set(trustedPortHeader, "1025")
 
 	w := httptest.NewRecorder()
 	app.ServeHTTP(w, req)

router/setup_test.go

@@ -34,8 +34,8 @@ var (
 		text: "text/plain; charset=utf-8",
 		json: "application/json; charset=utf-8",
 	}
-	jsonIPv4 = `{"client_port":"1001","ip":"81.2.69.192","ip_version":4,"country":"United Kingdom","country_code":"GB","city":"London","latitude":51.5142,"longitude":-0.0931,"postal_code":"","time_zone":"Europe/London","asn":0,"asn_organization":"","host":"test","headers":{"X-Real-Ip":["81.2.69.192"], "X-Real-Port":["1001"]}}`
-	jsonIPv6 = `{"asn":3352, "asn_organization":"TELEFONICA DE ESPANA", "city":"", "client_port":"1001", "country":"", "country_code":"", "headers":{"X-Real-Ip":["2a02:9000::1"], "X-Real-Port":["1001"]}, "host":"test", "ip":"2a02:9000::1", "ip_version":6, "latitude":0, "longitude":0, "postal_code":"", "time_zone":""}`
+	jsonIPv4 = `{"client_port":"1001","ip":"81.2.69.192","ip_version":4,"country":"United Kingdom","country_code":"GB","city":"London","latitude":51.5142,"longitude":-0.0931,"postal_code":"","time_zone":"Europe/London","asn":0,"asn_organization":"","host":"test", "headers": {}}`
+	jsonIPv6 = `{"asn":3352, "asn_organization":"TELEFONICA DE ESPANA", "city":"", "client_port":"1001", "country":"", "country_code":"", "host":"test", "ip":"2a02:9000::1", "ip_version":6, "latitude":0, "longitude":0, "postal_code":"", "time_zone":"", "headers": {}}`
 )
 
 const trustedHeader = "X-Real-IP"