mikkel/nexus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #1744 from mvanhorn/fix/board-mutation-forwarded-host

Browse source 
fix(server): include x-forwarded-host in board mutation origin check
This commit is contained in:
Dotta 2026-03-30 07:34:08 -05:00 committed by GitHub
commit 2d31c71fbe
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 24 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
server/src/__tests__/board-mutation-guard.test.ts
View file

@ -84,6 +84,28 @@ describe("boardMutationGuard", () => {
expect(res.status).toBe(204); expect(res.status).toBe(204);
}); });
it("allows board mutations when x-forwarded-host matches origin", async () => {
const app = createApp("board");
const res = await request(app)
.post("/mutate")
.set("Host", "127.0.0.1")
.set("X-Forwarded-Host", "10.90.10.20:3443")
.set("Origin", "https://10.90.10.20:3443")
.send({ ok: true });
expect(res.status).toBe(204);
});
it("blocks board mutations when x-forwarded-host does not match origin", async () => {
const app = createApp("board");
const res = await request(app)
.post("/mutate")
.set("Host", "127.0.0.1")
.set("X-Forwarded-Host", "10.90.10.20:3443")
.set("Origin", "https://evil.example.com")
.send({ ok: true });
expect(res.status).toBe(403);
});
it("does not block authenticated agent mutations", async () => { it("does not block authenticated agent mutations", async () => {
const middleware = boardMutationGuard(); const middleware = boardMutationGuard();
const req = { const req = {

3
server/src/middleware/board-mutation-guard.ts
View file

@ -18,7 +18,8 @@ function parseOrigin(value: string | undefined) {
function trustedOriginsForRequest(req: Request) { function trustedOriginsForRequest(req: Request) {
const origins = new Set(DEFAULT_DEV_ORIGINS.map((value) => value.toLowerCase())); const origins = new Set(DEFAULT_DEV_ORIGINS.map((value) => value.toLowerCase()));
const host = req.header("host")?.trim(); const forwardedHost = req.header("x-forwarded-host")?.split(",")[0]?.trim();
const host = forwardedHost || req.header("host")?.trim();
if (host) { if (host) {
origins.add(`http://${host}`.toLowerCase()); origins.add(`http://${host}`.toLowerCase());
origins.add(`https://${host}`.toLowerCase()); origins.add(`https://${host}`.toLowerCase());