fix(API): reject non-integer TRUST_PROXY values instead of NaN

TheLastCicada · TheLastCicada · commit 499634ff2047 · 2026-05-26T11:38:39.000-07:00
parseInt() silently produced NaN for booleans and non-numeric strings,
which Express treats as falsy and disables proxy trust. Add
resolveTrustProxyHops() to enforce the documented non-negative integer
contract, log a startup warning for invalid values, and fall back to 0.
diff --git a/README.md b/README.md
@@ -265,7 +265,7 @@ In the `CHIA_ROOT` directory (usually `~/.chia/mainnet` on Linux), CADT will add
 * **APP**: This section contains shared configuration used by both V1 and V2 APIs.
   * **CW_PORT**: CADT port where the API will be available. 31310 by default.
   * **BIND_ADDRESS**: By default, CADT listens on localhost only. To enable remote connections to CADT, change this to `0.0.0.0` to listen on all network interfaces, or to an IP address to listen on a specific network interface.
-  * **TRUST_PROXY**: Number of reverse-proxy hops between the internet and CADT. Used to correctly identify real client IP addresses for rate limiting and logging when CADT is deployed behind one or more proxies. Set to `0` (the default) when CADT is accessed directly with no proxy in front of it. Set to `1` when behind a single proxy such as nginx or Cloudflare. Set to `2` when behind two proxies such as Cloudflare in front of nginx (a common cloud/k8s deployment). Never set to `true`; that would trust the user-supplied IP in the `X-Forwarded-For` header and defeat rate limiting.
+  * **TRUST_PROXY**: Number of reverse-proxy hops between the internet and CADT. Used to correctly identify real client IP addresses for rate limiting and logging when CADT is deployed behind one or more proxies. Must be a non-negative integer: set to `0` (the default) when CADT is accessed directly with no proxy in front of it, `1` when behind a single proxy such as nginx or Cloudflare, or `2` when behind two proxies such as Cloudflare in front of nginx (a common cloud/k8s deployment). Booleans (`true`/`false`) and non-numeric strings (e.g. `loopback`) are rejected, log a warning at startup, and fall back to `0`; in particular, never set to `true`, which would trust the user-supplied IP in the `X-Forwarded-For` header and defeat rate limiting.
   * **DATALAYER_URL**: URL and port to connect to the [Chia DataLayer RPC](https://docs.chia.net/datalayer-rpc). If Chia is installed locally with default settings, https://localhost:8562 will work.
   * **WALLET_URL**: URL and port to connect to the [Chia Wallet RPC](https://docs.chia.net/wallet-rpc). If Chia is installed on the same machine as CADT with default settings, https://localhost:9256 will work.
   * **USE_SIMULATOR**: Developer setting to populate CADT from a governance file and enable some extra APIs. Should always be "false" under normal usage.
diff --git a/src/middleware.js b/src/middleware.js
@@ -21,6 +21,7 @@ import { OrganizationsV2 } from './models/v2/index.js';
 import { logger } from './config/logger.js';
 import { sendReadOnlyError } from './utils/read-only-response.js';
 import { getRateLimitRetryAfterSeconds } from './utils/rate-limit.js';
+import { resolveTrustProxyHops } from './utils/trust-proxy.js';
 import {
   checkDiskSpace,
   logDiskSpaceStatus,
@@ -64,7 +65,12 @@ const app = express();
 // This also silences the express-rate-limit ValidationError that fires
 // when X-Forwarded-For is present but trust proxy is disabled.
 // Never use `true`; it trusts the user-supplied leftmost IP.
-const trustProxy = parseInt(getConfig().APP.TRUST_PROXY ?? 0, 10);
+//
+// resolveTrustProxyHops enforces the non-negative integer contract and
+// logs a warning for any other value so that booleans / typos / strings
+// like "loopback" don't silently disable proxy trust via NaN (see
+// src/utils/trust-proxy.js for the rationale).
+const trustProxy = resolveTrustProxyHops(getConfig().APP.TRUST_PROXY);
 app.set('trust proxy', trustProxy);
 
 app.use(
diff --git a/src/utils/defaultConfig.js b/src/utils/defaultConfig.js
@@ -4,13 +4,18 @@ export const defaultConfig = {
     BIND_ADDRESS: 'localhost',
     /**
      * Number of reverse-proxy hops between the internet and CADT.
-     * Passed directly to Express `trust proxy`.
+     * Passed to Express `trust proxy` via `resolveTrustProxyHops`
+     * (src/utils/trust-proxy.js), which requires a non-negative
+     * integer:
      *   0  – no proxy (default, direct access)
      *   1  – one hop  (nginx OR Cloudflare-only)
      *   2  – two hops (Cloudflare → nginx, typical k8s ingress setup)
-     * Setting this correctly lets express-rate-limit see the real client IP
-     * instead of the proxy IP.  Never set to `true`; that trusts the
-     * user-supplied leftmost IP and defeats rate limiting.
+     * Setting this correctly lets express-rate-limit see the real
+     * client IP instead of the proxy IP.  Booleans (`true`/`false`)
+     * and non-numeric strings (e.g. `"loopback"`) are explicitly
+     * rejected and fall back to 0 with a warning log; `true` in
+     * particular would trust the user-supplied leftmost IP and defeat
+     * rate limiting.
      */
     TRUST_PROXY: 0,
     DATALAYER_URL: 'https://localhost:8562',
diff --git a/src/utils/trust-proxy.js b/src/utils/trust-proxy.js
@@ -0,0 +1,96 @@
+'use strict';
+
+import { logger } from '../config/logger.js';
+
+// Express's `trust proxy` accepts booleans, numbers, strings (subnets,
+// CIDRs, "loopback", etc.), arrays and functions. CADT's contract is
+// intentionally narrower: TRUST_PROXY must be a non-negative integer
+// representing the number of reverse-proxy hops, as documented in
+// src/utils/defaultConfig.js.
+//
+// The previous implementation used `parseInt(rawValue, 10)`, which
+// silently produced `NaN` for any non-numeric input (`true`, `false`,
+// the strings "true"/"false"/"loopback", typos, etc.). Express treats
+// `NaN` as falsy and disables proxy trust, so an operator who set
+// `TRUST_PROXY=true` believing they were enabling proxy trust would
+// actually get the opposite outcome with no log message. Worse,
+// `docker-entrypoint.sh` converts the env var "true"/"false" to a YAML
+// boolean, so the bug fires for the most plausible "just enable it"
+// configuration mistake.
+//
+// `resolveTrustProxyHops` enforces the integer contract and logs a
+// clear warning when the input is outside it, defaulting to 0 (no
+// trust) so the failure mode is "rate limiting matches no proxy" rather
+// than "rate limiting silently trusts the world".
+
+// Number.isSafeInteger already returns false for NaN, Infinity, and any
+// non-integer numeric value, so an explicit isFinite check would be
+// redundant.
+const isNonNegativeSafeInteger = (value) =>
+  Number.isSafeInteger(value) && value >= 0;
+
+/**
+ * Coerce a raw TRUST_PROXY config value to a non-negative integer hop
+ * count suitable for `app.set('trust proxy', n)`.
+ *
+ * @param {unknown} rawValue
+ * @param {{warn: (msg: string) => void}} [log]  Logger override for tests.
+ * @returns {number}
+ */
+export const resolveTrustProxyHops = (rawValue, log = logger) => {
+  if (rawValue === undefined || rawValue === null) {
+    return 0;
+  }
+
+  if (typeof rawValue === 'number') {
+    if (isNonNegativeSafeInteger(rawValue)) {
+      return rawValue;
+    }
+    log.warn(
+      `[middleware]: TRUST_PROXY=${rawValue} is not a non-negative integer; ` +
+        'falling back to 0 (no proxy trust). See defaultConfig.js for valid values.',
+    );
+    return 0;
+  }
+
+  if (typeof rawValue === 'boolean') {
+    // Booleans are explicitly unsupported because the comment in
+    // defaultConfig.js says "Never set to `true`; that trusts the
+    // user-supplied leftmost IP and defeats rate limiting". We also
+    // reject `false` so operators get a clear log when their config
+    // does not match the documented contract (instead of getting 0 by
+    // accident).
+    log.warn(
+      `[middleware]: TRUST_PROXY is set to boolean \`${rawValue}\`; ` +
+        'only non-negative integers (0, 1, 2, …) are supported. ' +
+        'Falling back to 0 (no proxy trust). See defaultConfig.js.',
+    );
+    return 0;
+  }
+
+  if (typeof rawValue === 'string') {
+    const trimmed = rawValue.trim();
+    if (trimmed === '') {
+      return 0;
+    }
+    // Require an exact non-negative integer literal so "loopback",
+    // "2 hops", "1.5" and "+2" don't get silently coerced.
+    if (/^\d+$/.test(trimmed)) {
+      const parsed = Number(trimmed);
+      if (isNonNegativeSafeInteger(parsed)) {
+        return parsed;
+      }
+    }
+    log.warn(
+      `[middleware]: TRUST_PROXY="${rawValue}" is not a non-negative integer string; ` +
+        'falling back to 0 (no proxy trust). See defaultConfig.js.',
+    );
+    return 0;
+  }
+
+  log.warn(
+    `[middleware]: TRUST_PROXY has unsupported type \`${typeof rawValue}\`; ` +
+      'falling back to 0 (no proxy trust).',
+  );
+  return 0;
+};
diff --git a/tests/v2/integration/trust-proxy.spec.js b/tests/v2/integration/trust-proxy.spec.js
@@ -0,0 +1,167 @@
+'use strict';
+
+import { expect } from 'chai';
+import { resolveTrustProxyHops } from '../../../src/utils/trust-proxy.js';
+
+// Pure-function spec for the TRUST_PROXY config resolver. Lives under
+// tests/v2/integration so it runs in the V2 mocha bucket, but the helper
+// itself is version-agnostic.
+//
+// The behaviour matters because the previous implementation used
+// `parseInt(rawValue, 10)`, which silently produced `NaN` for booleans
+// and non-numeric strings. `app.set('trust proxy', NaN)` is treated as
+// falsy by Express, so an operator who set `TRUST_PROXY=true` thinking
+// they were enabling proxy trust would actually disable it without any
+// log message.
+describe('resolveTrustProxyHops', function () {
+  const makeLog = () => {
+    const warnings = [];
+    return {
+      warnings,
+      logger: {
+        warn: (msg) => warnings.push(msg),
+      },
+    };
+  };
+
+  describe('valid integer inputs (no warning)', function () {
+    const validCases = [
+      { label: '0 (number)', input: 0, expected: 0 },
+      { label: '1 (number)', input: 1, expected: 1 },
+      { label: '2 (number)', input: 2, expected: 2 },
+      { label: '"0" (string)', input: '0', expected: 0 },
+      { label: '"1" (string)', input: '1', expected: 1 },
+      { label: '"  2  " (padded string)', input: '  2  ', expected: 2 },
+      { label: '10 (large hop count)', input: 10, expected: 10 },
+    ];
+
+    validCases.forEach(({ label, input, expected }) => {
+      it(`returns ${expected} for ${label}`, function () {
+        const { logger, warnings } = makeLog();
+        expect(resolveTrustProxyHops(input, logger)).to.equal(expected);
+        expect(warnings, 'no warnings expected for valid input').to.have.length(0);
+      });
+    });
+  });
+
+  describe('empty / unset inputs default to 0 silently', function () {
+    [
+      { label: 'undefined', input: undefined },
+      { label: 'null', input: null },
+      { label: '"" (empty string)', input: '' },
+      { label: '"   " (whitespace-only string)', input: '   ' },
+    ].forEach(({ label, input }) => {
+      it(`returns 0 for ${label} with no warning`, function () {
+        const { logger, warnings } = makeLog();
+        expect(resolveTrustProxyHops(input, logger)).to.equal(0);
+        expect(warnings, 'no warnings expected for unset input').to.have.length(0);
+      });
+    });
+  });
+
+  describe('boolean inputs fall back to 0 with a warning', function () {
+    // Booleans are the practical regression we are fixing: docker-entrypoint.sh
+    // converts the env strings "true"/"false" to YAML booleans, and the
+    // previous parseInt() produced NaN for both.
+    [true, false].forEach((input) => {
+      it(`returns 0 and warns for boolean \`${input}\``, function () {
+        const { logger, warnings } = makeLog();
+        expect(resolveTrustProxyHops(input, logger)).to.equal(0);
+        expect(warnings).to.have.length(1);
+        expect(warnings[0]).to.match(/TRUST_PROXY/);
+        expect(warnings[0]).to.include(String(input));
+      });
+    });
+  });
+
+  describe('invalid number inputs fall back to 0 with a warning', function () {
+    [
+      { label: 'NaN', input: Number.NaN },
+      { label: 'Infinity', input: Number.POSITIVE_INFINITY },
+      { label: '-Infinity', input: Number.NEGATIVE_INFINITY },
+      { label: '-1 (negative)', input: -1 },
+      { label: '1.5 (non-integer)', input: 1.5 },
+    ].forEach(({ label, input }) => {
+      it(`returns 0 and warns for ${label}`, function () {
+        const { logger, warnings } = makeLog();
+        expect(resolveTrustProxyHops(input, logger)).to.equal(0);
+        expect(warnings).to.have.length(1);
+        expect(warnings[0]).to.match(/TRUST_PROXY/);
+      });
+    });
+  });
+
+  describe('non-integer string inputs fall back to 0 with a warning', function () {
+    [
+      'true',
+      'false',
+      'loopback',
+      'linklocal',
+      '10.0.0.1',
+      '1.5',
+      '+2',
+      '-1',
+      '2 hops',
+      'two',
+    ].forEach((input) => {
+      it(`returns 0 and warns for "${input}"`, function () {
+        const { logger, warnings } = makeLog();
+        expect(resolveTrustProxyHops(input, logger)).to.equal(0);
+        expect(warnings).to.have.length(1);
+        expect(warnings[0]).to.match(/TRUST_PROXY/);
+        expect(warnings[0]).to.include(input);
+      });
+    });
+  });
+
+  describe('unsupported types fall back to 0 with a warning', function () {
+    [
+      { label: 'array', input: [1, 2, 3] },
+      { label: 'object', input: { hops: 1 } },
+      { label: 'function', input: () => 1 },
+    ].forEach(({ label, input }) => {
+      it(`returns 0 and warns for ${label}`, function () {
+        const { logger, warnings } = makeLog();
+        expect(resolveTrustProxyHops(input, logger)).to.equal(0);
+        expect(warnings).to.have.length(1);
+        expect(warnings[0]).to.match(/TRUST_PROXY/);
+      });
+    });
+  });
+
+  describe('default logger argument', function () {
+    // Every other case explicitly injects a stub logger. This case covers
+    // the production call-site shape (no second argument) so the default
+    // logger path is exercised at least once. We do not assert against
+    // the real logger's output because that would couple this spec to
+    // winston transport behaviour; we only assert the resolved value.
+    it('returns the correct integer without throwing when no logger is supplied', function () {
+      expect(resolveTrustProxyHops(2)).to.equal(2);
+      expect(resolveTrustProxyHops(0)).to.equal(0);
+    });
+
+    it('falls back to 0 without throwing when no logger is supplied (invalid input)', function () {
+      // The real logger should be invoked here; we accept whatever side
+      // effects winston produces and only check the return value.
+      expect(resolveTrustProxyHops(true)).to.equal(0);
+      expect(resolveTrustProxyHops('loopback')).to.equal(0);
+    });
+  });
+
+  describe('regression coverage for the parseInt() bug', function () {
+    // The previous implementation was:
+    //   const trustProxy = parseInt(getConfig().APP.TRUST_PROXY ?? 0, 10);
+    // which produced NaN for all of these inputs.
+    const regressions = [true, false, 'true', 'false', 'loopback'];
+
+    regressions.forEach((input) => {
+      it(`does not produce NaN for legacy regression input ${JSON.stringify(input)}`, function () {
+        const { logger } = makeLog();
+        const result = resolveTrustProxyHops(input, logger);
+        expect(result).to.be.a('number');
+        expect(Number.isNaN(result), 'must not be NaN').to.equal(false);
+        expect(Number.isFinite(result), 'must be finite').to.equal(true);
+      });
+    });
+  });
+});
