
Commit a5ef4be

committed
Add debug log for origin check
Extracted host detection into a separate function to avoid multiple log lines on each return.
1 parent 78282a1 commit a5ef4be

1 file changed

+24
-11
lines changed


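--- a/src/node/http.ts
+++ b/src/node/http.ts
@@ -349,35 +349,48 @@ export function authenticateOrigin(req: express.Request): boolean {
 try {
 origin = new URL(originRaw).host.trim().toLowerCase()
 } catch (error) {
+logger.debug(`unable to parse malformed origin "${originRaw}"; blocking request to ${req.originalUrl}`)
 return false // Malformed URL.
 }
 
+// A missing host likely means the reverse proxy has not been configured to
+// forward the host which means we cannot perform the check. Emit a warning
+// so an admin can fix the issue.
+const host = getHost(req)
+if (typeof host === "undefined") {
+logger.warn(`no host headers found; blocking request to ${req.originalUrl}`)
+return false
+}
+
+if (host !== origin) {
+logger.debug(`host "${host}" does not match origin "${origin}"; blocking request to ${req.originalUrl}`)
+return false
+}
+return true
+}
+
+/**
+* Get the host from headers.
+*/
+function getHost(req: express.Request): string | undefined {
 // Honor Forwarded if present.
 const forwardedRaw = getFirstHeader(req, "forwarded")
 if (forwardedRaw) {
 const parts = forwardedRaw.split(/[;,]/)
 for (let i = 0; i < parts.length; ++i) {
 const [key, value] = splitOnFirstEquals(parts[i])
 if (key.trim().toLowerCase() === "host" && value) {
-return origin === value.trim().toLowerCase()
+return value.trim().toLowerCase()
 }
 }
 }
 
 // Honor X-Forwarded-Host if present.
 const xHost = getFirstHeader(req, "x-forwarded-host")
 if (xHost) {
-return origin === xHost.trim().toLowerCase()
+return xHost.trim().toLowerCase()
 }
 
-// A missing host likely means the reverse proxy has not been configured to
-// forward the host which means we cannot perform the check. Emit a warning
-// so an admin can fix the issue.
 const host = getFirstHeader(req, "host")
-if (!host) {
-logger.warn(`no host headers found; blocking request to ${req.originalUrl}`)
-return false
-}
-
-return origin === host.trim().toLowerCase()
+return host ? host.trim().toLowerCase() : undefined
 }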
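Review bot: The new TSDoc on `getHost` ("Get the host from headers.") leaves out the two things a reader of an origin check needs: the precedence the body implements (`Forwarded` host, then `X-Forwarded-Host`, then `Host`, all trimmed and lower-cased, `undefined` only when none is present or `Host` is empty) and the fact that the forwarded headers are taken from the request as-is, so the comparison in `authenticateOrigin` is only meaningful when a trusted reverse proxy sets or strips those headers before the request reaches this code. I would expand the docstring to state that precedence and that trust assumption, and note that the returned value keeps whatever port the header carried, since `new URL(originRaw).host` on the caller side also includes the port. The added `logger.debug` lines interpolate the raw `Origin` value and the resolved host, both request-controlled; if `logger` does not escape control characters (not visible here), a one-line comment such as `// header values are request-controlled; logger is expected to neutralise newlines` would make that dependency explicit. The enclosing `authenticateOrigin` begins before the hunk, where `origin` and `originRaw` are declared.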
