[release/9.0] Forwarded Headers Middleware: Ignore XForwardedHeaders from Unknown Proxy (#61622)

* Header Spoofing Proof for XForwardedProto, XForwardedHost and XForwardedPrefix

* Fix Header Spoofing

---------

Co-authored-by: Yannic Hamann <[email protected]>

Author: github-actions[bot]

src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs

@@ -220,19 +220,19 @@ public void ApplyForwarders(HttpContext context)
         for (; entriesConsumed < sets.Length; entriesConsumed++)
         {
             var set = sets[entriesConsumed];
-            if (checkFor)
+            // For the first instance, allow remoteIp to be null for servers that don't support it natively.
+            if (currentValues.RemoteIpAndPort != null && checkKnownIps && !CheckKnownAddress(currentValues.RemoteIpAndPort.Address))
             {
-                // For the first instance, allow remoteIp to be null for servers that don't support it natively.
-                if (currentValues.RemoteIpAndPort != null && checkKnownIps && !CheckKnownAddress(currentValues.RemoteIpAndPort.Address))
+                // Stop at the first unknown remote IP, but still apply changes processed so far.
+                if (_logger.IsEnabled(LogLevel.Debug))
                 {
-                    // Stop at the first unknown remote IP, but still apply changes processed so far.
-                    if (_logger.IsEnabled(LogLevel.Debug))
-                    {
-                        _logger.LogDebug(1, "Unknown proxy: {RemoteIpAndPort}", currentValues.RemoteIpAndPort);
-                    }
-                    break;
+                    _logger.LogDebug(1, "Unknown proxy: {RemoteIpAndPort}", currentValues.RemoteIpAndPort);
                 }
+                break;
+            }
 
+            if (checkFor)
+            {
                 if (IPEndPoint.TryParse(set.IpAndPortText, out var parsedEndPoint))
                 {
                     applyChanges = true;

src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs

@@ -962,6 +962,79 @@ public async Task AllOptionsDisabledRequestDoesntChange()
         Assert.Equal(PathString.Empty, context.Request.PathBase);
     }
 
+    [Theory]
+    [InlineData(ForwardedHeaders.XForwardedFor, false)]
+    [InlineData(ForwardedHeaders.XForwardedFor, true)]
+    [InlineData(ForwardedHeaders.XForwardedHost, false)]
+    [InlineData(ForwardedHeaders.XForwardedHost, true)]
+    [InlineData(ForwardedHeaders.XForwardedProto, false)]
+    [InlineData(ForwardedHeaders.XForwardedProto, true)]
+    [InlineData(ForwardedHeaders.XForwardedPrefix, false)]
+    [InlineData(ForwardedHeaders.XForwardedPrefix, true)]
+    public async Task IgnoreXForwardedHeadersFromUnknownProxy(ForwardedHeaders forwardedHeaders, bool unknownProxy)
+    {
+        using var host = new HostBuilder()
+            .ConfigureWebHost(webHostBuilder =>
+            {
+                webHostBuilder
+                .UseTestServer()
+                .Configure(app =>
+                {
+                    var options = new ForwardedHeadersOptions
+                    {
+                        ForwardedHeaders = forwardedHeaders
+                    };
+                    if (!unknownProxy)
+                    {
+                        var proxy = IPAddress.Parse("10.0.0.1");
+                        options.KnownProxies.Add(proxy);
+                    }
+                    app.UseForwardedHeaders(options);
+                });
+            }).Build();
+
+        await host.StartAsync();
+
+        var server = host.GetTestServer();
+
+        var context = await server.SendAsync(c =>
+        {
+            c.Request.Headers["X-Forwarded-For"] = "11.111.111.11";
+            c.Request.Headers["X-Forwarded-Host"] = "testhost";
+            c.Request.Headers["X-Forwarded-Proto"] = "Protocol";
+            c.Request.Headers["X-Forwarded-Prefix"] = "/pathbase";
+            c.Connection.RemoteIpAddress = IPAddress.Parse("10.0.0.1");
+            c.Connection.RemotePort = 99;
+        });
+
+        if (unknownProxy)
+        {
+            Assert.Equal("10.0.0.1", context.Connection.RemoteIpAddress.ToString());
+            Assert.Equal("localhost", context.Request.Host.ToString());
+            Assert.Equal("http", context.Request.Scheme);
+            Assert.Equal(PathString.Empty, context.Request.PathBase);
+        }
+        else
+        {
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedFor))
+            {
+                Assert.Equal("11.111.111.11", context.Connection.RemoteIpAddress.ToString());
+            }
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedHost))
+            {
+                Assert.Equal("testhost", context.Request.Host.ToString());
+            }
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedProto))
+            {
+                Assert.Equal("Protocol", context.Request.Scheme);
+            }
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedPrefix))
+            {
+                Assert.Equal("/pathbase", context.Request.PathBase);
+            }
+        }
+    }
+
     [Fact]
     public async Task PartiallyEnabledForwardsPartiallyChangesRequest()
     {