test(lib): add a test for the X-Forwarded-For middleware (#912)

Previously the X-Forwarded-For middleware could return two commas in a row. This is a regression test to make sure that doesn't happen again. Imports a patch previously exclusive to Botstopper. Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-08-03 01:38:14 -04:00 · 2025-07-25 10:58:41 -04:00 · 2025-07-25 10:58:41 -04:00 · 7d7028d25c
commit 7d7028d25c
parent 9affd2edf4
2 changed files with 43 additions and 0 deletions
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@ -926,3 +926,42 @@ func TestPassChallengeXSS(t *testing.T) {
 		}
 	})
 }
+
+func TestXForwardedForNoDoubleComma(t *testing.T) {
+	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
+		fmt.Fprintln(w, "OK")
+	})
+
+	h = internal.XForwardedForToXRealIP(h)
+	h = internal.XForwardedForUpdate(false, h)
+
+	pol := loadPolicies(t, "testdata/permissive.yaml", 4)
+
+	srv := spawnAnubis(t, Options{
+		Next:   h,
+		Policy: pol,
+	})
+	ts := httptest.NewServer(srv)
+	t.Cleanup(ts.Close)
+
+	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req.Header.Set("X-Real-Ip", "10.0.0.1")
+
+	resp, err := ts.Client().Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("response status is wrong, wanted %d but got: %s", http.StatusOK, resp.Status)
+	}
+
+	if xff := resp.Header.Get("X-Forwarded-For"); strings.HasPrefix(xff, ",,") {
+		t.Errorf("X-Forwarded-For has two leading commas: %q", xff)
+	}
+}
--- a/lib/testdata/permissive.yaml
+++ b/lib/testdata/permissive.yaml
@ -0,0 +1,4 @@
+bots:
+  - import: (data)/common/allow-private-addresses.yaml
+
+dnsbl: false