Rate limiting can be bypassed via IP header spoofing

In `fastchat/serve/gradio_web_server.py`, `get_ip()` trusts `x-forwarded-for` and `cf-connecting-ip` headers without validation.

If the server isn't behind Cloudflare or a trusted proxy that overwrites these headers, users can set fake values like `x-forwarded-for: 1.2.3.4` to bypass rate limiting in `is_limit_reached()`.

    def get_ip(request: gr.Request):
        if "cf-connecting-ip" in request.headers:
            ip = request.headers["cf-connecting-ip"]
        elif "x-forwarded-for" in request.headers:
            ip = request.headers["x-forwarded-for"]

Might want to add a config option to specify trusted proxy sources.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Rate limiting can be bypassed via IP header spoofing #3784

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Rate limiting can be bypassed via IP header spoofing #3784

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions