Security vulnerability: `Forwarded` does not pick the rightmost `for` entry, even in `SecureClientIp`

[demurgos]

The current impl to extract the ip from the Forwarded header is the following:

impl MultiIpHeader for Forwarded {
    const HEADER: &'static str = "Forwarded";

    fn ips_from_header_value(header_value: &str) -> Vec<IpAddr> {
        use forwarded_header_value::{ForwardedHeaderValue, Identifier};

        let Ok(fv) = ForwardedHeaderValue::from_forwarded(header_value) else {
            return Vec::new();
        };
        fv.iter()
            .filter_map(|fs| fs.forwarded_for.as_ref())
            .filter_map(|ff| match ff {
                Identifier::SocketAddr(a) => Some(a.ip()),
                Identifier::IpAddr(ip) => Some(*ip),
                _ => None,
            })
            .collect()
    }
}

The first filter_map call is right, it's just there to extract the for entries. The second filter map however is problematic. It drops values that are not recognized by this lib! This means that if the header is Forwarded: for="1.2.3.4",for="_obfuscated" then this lib will pick the wrong value.

This is especially problematic since the for entry in the Forwarded RFC (RFC7239) recommends proxies to use an obfuscated entry instead of an address by default. If a reverse proxy follows the spec and uses an obfuscated entry, this lib will extract a client-controlled value!

If there is no way to extract the client ip securely but the handlers requires it, the extractor should reject the request instead of passing potentially insecure data.

I did not review the other handlers, but I recommend checking them for similar issues.

[imbolc]

Thank you, the concern seems valid. How deep you into the specs and this crate code, would you provide a PR or a description of the fix implementation?

At first glance it seems that MultiIpHeader::ips_from_header_value must return Vec of enum { Valid(IpAddr), Invalid(String), Obfuscated(String) } and the secure extractor reject everything except the valid IP.

[demurgos]

Allowing MultiHeader to return non-ip values is indeed the right solution probably.

I had a look across existing libs in the ecosytem for IP retrieval and found this issue, but I probably won't have time to fix it. There are more places where this lib is eagerly dropping values (e.g. in maybe_rightmost_ip).

I ultimately decided to implement my own extractor instead of relying on any third party lib. This let's me reduce complexity and risk while providing better integration with my proxy config.

[imbolc]

Ended up removing the "insecure part" completely, maybe now you like it more :) Thank you for the report 🙏