From 7d7028d25c8133435b269562bb00b878ec970435 Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Fri, 25 Jul 2025 10:58:41 -0400
Subject: [PATCH] test(lib): add a test for the X-Forwarded-For middleware (#912)

Previously the X-Forwarded-For middleware could return two commas in a row. This is a regression test to make sure that doesn't happen again. Imports a patch previously exclusive to Botstopper.

Signed-off-by: Xe Iaso
---
 lib/anubis_test.go | 39 ++++++++++++++++++++++++++++++++++++
 lib/testdata/permissive.yaml | 4 ++++
 2 files changed, 43 insertions(+)
 create mode 100644 lib/testdata/permissive.yaml

diff --git a/lib/anubis_test.go b/lib/anubis_test.go
index d355fb1..c9dedba 100644
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -926,3 +926,42 @@ func TestPassChallengeXSS(t *testing.T) {
 }
 })
 }
+
+func TestXForwardedForNoDoubleComma(t *testing.T) {
+ var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
+ fmt.Fprintln(w, "OK")
+ })
+
+ h = internal.XForwardedForToXRealIP(h)
+ h = internal.XForwardedForUpdate(false, h)
+
+ pol := loadPolicies(t, "testdata/permissive.yaml", 4)
+
+ srv := spawnAnubis(t, Options{
+ Next: h,
+ Policy: pol,
+ })
+ ts := httptest.NewServer(srv)
+ t.Cleanup(ts.Close)
+
+ req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ req.Header.Set("X-Real-Ip", "10.0.0.1")
+
+ resp, err := ts.Client().Do(req)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if resp.StatusCode != http.StatusOK {
+ t.Errorf("response status is wrong, wanted %d but got: %s", http.StatusOK, resp.Status)
+ }
+
+ if xff := resp.Header.Get("X-Forwarded-For"); strings.HasPrefix(xff, ",,") {
+ t.Errorf("X-Forwarded-For has two leading commas: %q", xff)
+ }
+}
diff --git a/lib/testdata/permissive.yaml b/lib/testdata/permissive.yaml
new file mode 100644
index 0000000..8e750d8
--- /dev/null
+++ b/lib/testdata/permissive.yaml
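Review bot: The closing assertion in TestXForwardedForNoDoubleComma rejects only a value that starts with `,,`, so an empty element anywhere else (`a,,b`, `a, ,b`, a single leading or trailing comma) still passes, although the commit message describes the regression as two commas in a row. Anything downstream that derives the client address from this header for allow-listing or rate limiting depends on every element being well-formed, so the test is worth tightening to check each comma-separated element, as in the fence below. An empty header also passes as written; if the middleware is expected to always populate it for this request, assert `xff != ""` as well (not verifiable from this hunk). Separately, `resp.Body` is never closed; add `defer resp.Body.Close()` after the `Do` error check.

```go
	// … unchanged: request setup, Do() and status check …
	if xff := resp.Header.Get("X-Forwarded-For"); xff != "" {
		for _, hop := range strings.Split(xff, ",") {
			if strings.TrimSpace(hop) == "" {
				t.Errorf("X-Forwarded-For has an empty element: %q", xff)
			}
		}
	}
```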
@@ -0,0 +1,4 @@
+bots:
+ - import: (data)/common/allow-private-addresses.yaml
+
+dnsbl: false