
Commit 2737ecb

committed
Add debug log for origin check
Extracted host detection into a separate function to avoid multiple log lines on each return.
1 parent 78282a1 commit 2737ecb

1 file changed

+25
-11
lines changed


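--- a/src/node/http.ts
+++ b/src/node/http.ts
@@ -349,35 +349,49 @@ export function authenticateOrigin(req: express.Request): boolean {
 try {
 origin = new URL(originRaw).host.trim().toLowerCase()
 } catch (error) {
+logger.debug(`unable to parse malformed origin "${originRaw}"; blocking request to ${req.originalUrl}`)
 return false // Malformed URL.
 }
 
+// A missing host likely means the reverse proxy has not been configured to
+// forward the host which means we cannot perform the check. Emit a warning
+// so an admin can fix the issue.
+const host = getHost(req)
+if (!host) {
+logger.warn(`no host headers found; blocking request to ${req.originalUrl}`)
+return false
+}
+
+if (host !== origin) {
+logger.debug(`host "${host}" does not match origin "${origin}"; blocking request to ${req.originalUrl}`)
+return false
+}
+return true
+}
+
+/**
+* Get the host from headers.
+*/
+function getHost(req: express.Request): string | undefined {
 // Honor Forwarded if present.
+let host: string
 const forwardedRaw = getFirstHeader(req, "forwarded")
 if (forwardedRaw) {
 const parts = forwardedRaw.split(/[;,]/)
 for (let i = 0; i < parts.length; ++i) {
 const [key, value] = splitOnFirstEquals(parts[i])
 if (key.trim().toLowerCase() === "host" && value) {
-return origin === value.trim().toLowerCase()
+return value.trim().toLowerCase()
 }
 }
 }
 
 // Honor X-Forwarded-Host if present.
 const xHost = getFirstHeader(req, "x-forwarded-host")
 if (xHost) {
-return origin === xHost.trim().toLowerCase()
+return xHost.trim().toLowerCase()
 }
 
-// A missing host likely means the reverse proxy has not been configured to
-// forward the host which means we cannot perform the check. Emit a warning
-// so an admin can fix the issue.
 const host = getFirstHeader(req, "host")
-if (!host) {
-logger.warn(`no host headers found; blocking request to ${req.originalUrl}`)
-return false
-}
-
-return origin === host.trim().toLowerCase()
+return host ? host.trim().toLowerCase() : undefined
 }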
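Review bot: The added `let host: string` at new line 377 of getHost is never assigned or read, and it sits in the same function scope as the context line `const host = getFirstHeader(req, "host")` at new line 395, so TypeScript rejects the block-scoped redeclaration of `host` and the file will not compile as committed; delete the `let host: string` line. Nothing else in the helper depends on it, since each header branch returns directly and the final `const` already carries the fallback value. The new `host !== origin` comparison in authenticateOrigin is otherwise equivalent to the three removed `origin === ...` returns, so the reject-by-default behaviour on a missing host is preserved. The body of authenticateOrigin begins before this hunk.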
