MCPcopy
hub / github.com/OpenNHP/opennhp / TestRealClientAddr

Function TestRealClientAddr

endpoints/relay/relay_test.go:14–105  ·  view source on GitHub ↗

TestRealClientAddr covers the security-sensitive parts of how the relay derives the originating client address: X-Real-IP must only be honored when the direct TCP peer is on loopback (a local reverse proxy), and a missing/malformed X-Real-IP from such a peer must surface as an error rather than a si

(t *testing.T)

Source from the content-addressed store, hash-verified

12// proxy), and a missing/malformed X-Real-IP from such a peer must
13// surface as an error rather than a silent fallback to 127.0.0.1.
14func TestRealClientAddr(t *testing.T) {
15 tests := []struct {
16 name string
17 remoteAddr string
18 xRealIP string
19 xff string // must NEVER be honored; included to verify it's ignored
20 wantErr bool
21 wantIP string
22 wantPort int
23 }{
24 {
25 name: "loopback peer with valid X-Real-IP returns the header value",
26 remoteAddr: "127.0.0.1:54321",
27 xRealIP: "203.0.113.7",
28 wantIP: "203.0.113.7",
29 wantPort: 54321,
30 },
31 {
32 name: "loopback peer with no X-Real-IP errors out (does not fall back to 127.0.0.1)",
33 remoteAddr: "127.0.0.1:54321",
34 xRealIP: "",
35 wantErr: true,
36 },
37 {
38 name: "loopback peer with malformed X-Real-IP errors out",
39 remoteAddr: "127.0.0.1:54321",
40 xRealIP: "not-an-ip",
41 wantErr: true,
42 },
43 {
44 name: "IPv6 loopback peer is treated as loopback (X-Real-IP honored)",
45 remoteAddr: "[::1]:54321",
46 xRealIP: "203.0.113.8",
47 wantIP: "203.0.113.8",
48 wantPort: 54321,
49 },
50 {
51 name: "non-loopback peer ignores X-Real-IP and returns the direct peer",
52 remoteAddr: "198.51.100.5:1234",
53 xRealIP: "203.0.113.99", // attacker setting it directly — must not be trusted
54 wantIP: "198.51.100.5",
55 wantPort: 1234,
56 },
57 {
58 name: "non-loopback peer ignores X-Forwarded-For",
59 remoteAddr: "198.51.100.5:1234",
60 xff: "203.0.113.99", // even from XFF — must not be trusted
61 wantIP: "198.51.100.5",
62 wantPort: 1234,
63 },
64 {
65 name: "loopback peer ignores X-Forwarded-For even when X-Real-IP is also set",
66 remoteAddr: "127.0.0.1:54321",
67 xRealIP: "203.0.113.7",
68 xff: "1.2.3.4", // attacker-prepended XFF — must be ignored
69 wantIP: "203.0.113.7",
70 wantPort: 54321,
71 },

Callers

nothing calls this directly

Calls 4

realClientAddrFunction · 0.85
SetMethod · 0.80
RunMethod · 0.45
StringMethod · 0.45

Tested by

no test coverage detected