Add serverActions.allowedForwardedHosts option (#57529)

This new option specifies a list of host names that are considered safe, to accept as Server Action requests if they're different from the initial request origin. It can be very helpful when the hosted app has many layers of reverse proxies ahead.

Closes #57397.

Author: shuding

packages/next-swc/crates/next-core/src/next_app/app_page_entry.rs

@@ -155,13 +155,7 @@ async fn wrap_edge_page(
     // TODO(timneutkens): remove this
     let is_server_component = true;
 
-    //    let server_actions_body_size_limit =
-    // &next_config.experimental.server_actions.body_size_limit;
-    let server_actions_body_size_limit = next_config
-        .experimental
-        .server_actions
-        .as_ref()
-        .and_then(|sa| sa.body_size_limit.as_ref());
+    let server_actions = next_config.experimental.server_actions.as_ref();
 
     let sri_enabled = !dev
         && next_config
@@ -184,7 +178,7 @@ async fn wrap_edge_page(
             "nextConfig" => serde_json::to_string(next_config)?,
             "isServerComponent" => serde_json::Value::Bool(is_server_component).to_string(),
             "dev" => serde_json::Value::Bool(dev).to_string(),
-            "serverActionsBodySizeLimit" => serde_json::to_string(&server_actions_body_size_limit)?
+            "serverActions" => serde_json::to_string(&server_actions)?
         },
         indexmap! {
             "incrementalCacheHandler" => None,

packages/next/src/build/entries.ts

@@ -417,8 +417,7 @@ export function getEdgeServerEntry(opts: {
     middlewareConfig: Buffer.from(
       JSON.stringify(opts.middlewareConfig || {})
     ).toString('base64'),
-    serverActionsBodySizeLimit:
-      opts.config.experimental.serverActions?.bodySizeLimit,
+    serverActions: opts.config.experimental.serverActions,
   }
 
   return {

packages/next/src/build/templates/edge-ssr-app.ts

@@ -23,12 +23,12 @@ const error500Mod = null
 declare const sriEnabled: boolean
 declare const isServerComponent: boolean
 declare const dev: boolean
-declare const serverActionsBodySizeLimit: any
+declare const serverActions: any
 declare const nextConfig: NextConfigComplete
 // INJECT:sriEnabled
 // INJECT:isServerComponent
 // INJECT:dev
-// INJECT:serverActionsBodySizeLimit
+// INJECT:serverActions
 // INJECT:nextConfig
 
 const maybeJSONParse = (str?: string) => (str ? JSON.parse(str) : undefined)
@@ -58,9 +58,7 @@ const render = getRender({
   reactLoadableManifest,
   clientReferenceManifest: isServerComponent ? rscManifest : null,
   serverActionsManifest: isServerComponent ? rscServerManifest : null,
-  serverActionsBodySizeLimit: isServerComponent
-    ? serverActionsBodySizeLimit
-    : undefined,
+  serverActions: isServerComponent ? serverActions : undefined,
   subresourceIntegrityManifest,
   config: nextConfig,
   buildId: 'VAR_BUILD_ID',

packages/next/src/build/webpack/loaders/next-edge-ssr-loader/index.ts

@@ -26,7 +26,10 @@ export type EdgeSSRLoaderQuery = {
   incrementalCacheHandlerPath?: string
   preferredRegion: string | string[] | undefined
   middlewareConfig: string
-  serverActionsBodySizeLimit?: SizeLimit
+  serverActions?: {
+    bodySizeLimit?: SizeLimit
+    allowedForwardedHosts?: string[]
+  }
 }
 
 /*
@@ -75,7 +78,7 @@ const edgeSSRLoader: webpack.LoaderDefinitionFunction<EdgeSSRLoaderQuery> =
       incrementalCacheHandlerPath,
       preferredRegion,
       middlewareConfig: middlewareConfigBase64,
-      serverActionsBodySizeLimit,
+      serverActions,
     } = this.getOptions()
 
     const middlewareConfig: MiddlewareConfig = JSON.parse(
@@ -148,10 +151,10 @@ const edgeSSRLoader: webpack.LoaderDefinitionFunction<EdgeSSRLoaderQuery> =
           nextConfig: stringifiedConfig,
           isServerComponent: JSON.stringify(isServerComponent),
           dev: JSON.stringify(dev),
-          serverActionsBodySizeLimit:
-            typeof serverActionsBodySizeLimit === 'undefined'
+          serverActions:
+            typeof serverActions === 'undefined'
               ? 'undefined'
-              : JSON.stringify(serverActionsBodySizeLimit),
+              : JSON.stringify(serverActions),
         },
         {
           incrementalCacheHandler: incrementalCacheHandlerPath ?? null,

packages/next/src/build/webpack/loaders/next-edge-ssr-loader/render.ts

@@ -34,7 +34,7 @@ export function getRender({
   clientReferenceManifest,
   subresourceIntegrityManifest,
   serverActionsManifest,
-  serverActionsBodySizeLimit,
+  serverActions,
   config,
   buildId,
   nextFontManifest,
@@ -55,7 +55,10 @@ export function getRender({
   subresourceIntegrityManifest?: Record<string, string>
   clientReferenceManifest?: ClientReferenceManifest
   serverActionsManifest?: any
-  serverActionsBodySizeLimit?: SizeLimit
+  serverActions?: {
+    bodySizeLimit?: SizeLimit
+    allowedForwardedHosts?: string[]
+  }
   config: NextConfigComplete
   buildId: string
   nextFontManifest: NextFontManifest
@@ -87,7 +90,7 @@ export function getRender({
         supportsDynamicHTML: true,
         disableOptimizedLoading: true,
         serverActionsManifest,
-        serverActionsBodySizeLimit,
+        serverActions,
         nextFontManifest,
       },
       renderToHTML,

packages/next/src/build/webpack/plugins/flight-client-entry-plugin.ts

@@ -32,15 +32,13 @@ import {
 import { traverseModules, forEachEntryModule } from '../utils'
 import { normalizePathSep } from '../../../shared/lib/page-path/normalize-path-sep'
 import { getProxiedPluginState } from '../../build-context'
-import type { SizeLimit } from '../../../../types'
 import semver from 'next/dist/compiled/semver'
 import { generateRandomActionKeyRaw } from '../../../server/app-render/action-encryption-utils'
 
 interface Options {
   dev: boolean
   appDir: string
   isEdgeServer: boolean
-  serverActionsBodySizeLimit?: SizeLimit
 }
 
 const PLUGIN_NAME = 'FlightClientEntryPlugin'
@@ -160,14 +158,12 @@ export class FlightClientEntryPlugin {
   dev: boolean
   appDir: string
   isEdgeServer: boolean
-  serverActionsBodySizeLimit?: SizeLimit
   assetPrefix: string
 
   constructor(options: Options) {
     this.dev = options.dev
     this.appDir = options.appDir
     this.isEdgeServer = options.isEdgeServer
-    this.serverActionsBodySizeLimit = options.serverActionsBodySizeLimit
     this.assetPrefix = !this.dev && !this.isEdgeServer ? '../' : ''
   }
 

packages/next/src/export/index.ts

@@ -488,8 +488,7 @@ export async function exportAppImpl(
     optimizeFonts: nextConfig.optimizeFonts as FontConfig,
     largePageDataBytes: nextConfig.experimental.largePageDataBytes,
     serverComponents: options.hasAppDir,
-    serverActionsBodySizeLimit:
-      nextConfig.experimental.serverActions?.bodySizeLimit,
+    serverActions: nextConfig.experimental.serverActions,
     nextFontManifest: require(join(
       distDir,
       'server',

packages/next/src/lib/turbopack-warning.ts

@@ -79,6 +79,7 @@ const supportedTurbopackNextConfigOptions = [
   'experimental.scrollRestoration',
   'experimental.forceSwcTransforms',
   'experimental.serverActions.bodySizeLimit',
+  'experimental.serverActions.allowedForwardedHosts',
   'experimental.memoryBasedWorkersCount',
   'experimental.clientRouterFilterRedirects',
   'experimental.webpackBuildWorker',

packages/next/src/server/app-render/action-handler.ts

@@ -216,7 +216,7 @@ export async function handleAction({
   generateFlight,
   staticGenerationStore,
   requestStore,
-  serverActionsBodySizeLimit,
+  serverActions,
   ctx,
 }: {
   req: IncomingMessage
@@ -232,7 +232,10 @@ export async function handleAction({
   generateFlight: GenerateFlight
   staticGenerationStore: StaticGenerationStore
   requestStore: RequestStore
-  serverActionsBodySizeLimit?: SizeLimit
+  serverActions?: {
+    bodySizeLimit?: SizeLimit
+    allowedForwardedHosts?: string[]
+  }
   ctx: AppRenderContext
 }): Promise<
   | undefined
@@ -277,32 +280,41 @@ export async function handleAction({
       'Missing `origin` header from a forwarded Server Actions request.'
     )
   } else if (!host || originHostname !== host) {
-    // This is an attack. We should not proceed the action.
-    console.error(
-      '`x-forwarded-host` and `host` headers do not match `origin` header from a forwarded Server Actions request. Aborting the action.'
-    )
+    // If the customer sets a list of allowed hosts, we'll allow the request.
+    // These can be their reverse proxies or other safe hosts.
+    if (
+      typeof host === 'string' &&
+      serverActions?.allowedForwardedHosts?.includes(host)
+    ) {
+      // Ignore it
+    } else {
+      // This is an attack. We should not proceed the action.
+      console.error(
+        '`x-forwarded-host` and `host` headers do not match `origin` header from a forwarded Server Actions request. Aborting the action.'
+      )
 
-    const error = new Error('Invalid Server Actions request.')
+      const error = new Error('Invalid Server Actions request.')
 
-    if (isFetchAction) {
-      res.statusCode = 500
-      await Promise.all(staticGenerationStore.pendingRevalidates || [])
-      const promise = Promise.reject(error)
-      try {
-        await promise
-      } catch {}
+      if (isFetchAction) {
+        res.statusCode = 500
+        await Promise.all(staticGenerationStore.pendingRevalidates || [])
+        const promise = Promise.reject(error)
+        try {
+          await promise
+        } catch {}
 
-      return {
-        type: 'done',
-        result: await generateFlight(ctx, {
-          actionResult: promise,
-          // if the page was not revalidated, we can skip the rendering the flight tree
-          skipFlight: !staticGenerationStore.pathWasRevalidated,
-        }),
+        return {
+          type: 'done',
+          result: await generateFlight(ctx, {
+            actionResult: promise,
+            // if the page was not revalidated, we can skip the rendering the flight tree
+            skipFlight: !staticGenerationStore.pathWasRevalidated,
+          }),
+        }
       }
-    }
 
-    throw error
+      throw error
+    }
   }
 
   // ensure we avoid caching server actions unexpectedly
@@ -421,15 +433,14 @@ export async function handleAction({
 
           const actionData = Buffer.concat(chunks).toString('utf-8')
 
-          const limit = require('next/dist/compiled/bytes').parse(
-            serverActionsBodySizeLimit ?? '1mb'
-          )
+          const readableLimit = serverActions?.bodySizeLimit ?? '1 MB'
+          const limit = require('next/dist/compiled/bytes').parse(readableLimit)
 
           if (actionData.length > limit) {
             const { ApiError } = require('../api-utils')
             throw new ApiError(
               413,
-              `Body exceeded ${serverActionsBodySizeLimit} limit.
+              `Body exceeded ${readableLimit} limit.
 To configure the body size limit for Server Actions, see: https://nextjs.org/docs/app/api-reference/server-actions#size-limitation`
             )
           }

packages/next/src/server/app-render/app-render.tsx

@@ -409,7 +409,7 @@ async function renderToHTMLOrFlightImpl(
     dev,
     nextFontManifest,
     supportsDynamicHTML,
-    serverActionsBodySizeLimit,
+    serverActions,
     buildId,
     appDirDevErrorLogger,
     assetPrefix = '',
@@ -955,7 +955,7 @@ async function renderToHTMLOrFlightImpl(
     generateFlight,
     staticGenerationStore: staticGenerationStore,
     requestStore: requestStore,
-    serverActionsBodySizeLimit,
+    serverActions,
     ctx,
   })