Skip to content

Prevent cache poisoning in x-forwarded headers #14743

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Nov 10, 2025
Merged

Prevent cache poisoning in x-forwarded headers #14743

merged 6 commits into from
Nov 10, 2025
+347 −62

Conversation

@matthewp
Copy link
Contributor

@matthewp matthewp commented Nov 10, 2025

Changes

  • Fully sanitizes X-Forwarded-Host, Host, X-Forwarded-Proto and X-Forwarded-Port to prevent manipulation of Astro.url that could cause cache poisoning.

Testing

New tests added

Docs

N/A, bug fix

@matthewp
Restrict X-Forwarded-Proto and X-Forwarded-Port
d6544cc
@matthewp
Fix X-Forwarded header security vulnerabilities
91504bd 
- Sanitize hostnames to reject paths and prevent path injection
- Validate X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Port headers
- Add strict rejection for invalid hostnames (those with path separators)
- Implement single sanitizeHost() function in App class, used by both validateForwardedHeaders() and node.ts
- Add comprehensive security tests for header validation
@matthewp
Fix path injection and port matching bugs in header validation
b12cf80 
- Reject both forward and backward slashes in hostnames using single regex
- Fix allowedDomains port matching by validating full hostname:port combo instead of just hostname
- Add test for X-Forwarded-Host with embedded port in allowedDomains pattern
@changeset-bot
Copy link

changeset-bot bot commented Nov 10, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 5273707

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions github-actions bot added pkg: integration Related to any renderer integration (scope) pkg: astro Related to the core `astro` package (scope) labels Nov 10, 2025
@codspeed-hq
Copy link

codspeed-hq bot commented Nov 10, 2025
edited
Loading

CodSpeed Performance Report

Merging #14743 will not alter performance

Comparing xforwardedstuff (5273707) with main (91780cf)1

Summary

✅ 6 untouched

Footnotes

  1. No successful run was found on main (8d7ee36) during the generation of this report, so 91780cf was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@matthewp
fix: validate X-Forwarded headers with port pattern matching
7f9fa63 
Fixes protocol validation to accept http/https when allowedDomains exist but lack protocol patterns. Restructures port/host validation to validate port first, then include it when validating host against patterns. Properly extracts hostname without port to avoid duplication when combining with X-Forwarded-Port.
@matthewp matthewp marked this pull request as ready for review November 10, 2025 19:06
florian-lefebvre
florian-lefebvre reviewed Nov 10, 2025
View reviewed changes
@matthewp matthewp merged commit dafbb1b into main Nov 10, 2025
26 checks passed
@matthewp matthewp deleted the xforwardedstuff branch November 10, 2025 20:18
@astrobot-houston astrobot-houston mentioned this pull request Nov 10, 2025
Merged
@florian-lefebvre florian-lefebvre mentioned this pull request Nov 10, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@delucis delucis delucis approved these changes

@florian-lefebvre florian-lefebvre florian-lefebvre approved these changes

Assignees

No one assigned

Labels

pkg: astro Related to the core `astro` package (scope) pkg: integration Related to any renderer integration (scope)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@matthewp @delucis @florian-lefebvre