molecule-ai/molecule-core
52
0
Fork 2
Code Issues 184 Pull Requests 14 Actions 2 Packages Projects Releases Wiki Activity

test(ratelimit): make XFF bypass vulnerability test deterministic (issue #179) #3073

Merged
devops-engineer merged 1 commits from fix/ratelimit-xff-bypass-test-179 into main 2026-06-19 11:38:19 +00:00
Conversation 3 Commits 1 Files Changed 1
+14 -8
1 changed files with 14 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
workspace-server/internal/middleware/ratelimit_test.go
+14 -8
View File
@@ -45,9 +45,12 @@ func TestRateLimit_HeadersPresentOnAllowedRequest(t *testing.T) {
}
}
// TestRateLimit_XFF_BypassDocumented shows that WITHOUT SetTrustedProxies(nil)
// a spoofed X-Forwarded-For header can rotate an attacker's effective IP and
// bypass per-IP rate limiting (documents the issue #179 vulnerability).
// TestRateLimit_XFF_BypassDocumented shows that when the test router is
// configured to trust the source proxy, a spoofed X-Forwarded-For header can
// rotate an attacker's effective IP and bypass per-IP rate limiting
// (documents the issue #179 vulnerability). Modern Gin defaults to trusting
// NO proxies, so we explicitly trust the test RemoteAddr to reproduce the
// pre-fix behavior; without this trust the bypass is correctly blocked.
func TestRateLimit_XFF_BypassDocumented(t *testing.T) {
gin.SetMode(gin.TestMode)
ctx, cancel := context.WithCancel(context.Background())
@@ -55,8 +58,11 @@ func TestRateLimit_XFF_BypassDocumented(t *testing.T) {
rl := NewRateLimiter(2, 5*time.Second, ctx)
r := gin.New()
// Intentionally NOT calling r.SetTrustedProxies(nil) — replicates the
// pre-fix behaviour where Gin trusts all proxies by default.
// Replicate the pre-fix trust model: the request source (10.0.0.1) is
// treated as a trusted proxy, so c.ClientIP() reads X-Forwarded-For.
if err := r.SetTrustedProxies([]string{"10.0.0.1/32"}); err != nil {
t.Fatalf("SetTrustedProxies: %v", err)
}
r.Use(rl.Middleware())
r.GET("/x", func(c *gin.Context) { c.String(http.StatusOK, "ok") })
@@ -80,8 +86,8 @@ func TestRateLimit_XFF_BypassDocumented(t *testing.T) {
t.Fatalf("3rd request (no XFF): want 429, got %d", w.Code)
}
}
// With default proxy trust, spoofing X-Forwarded-For rotates the effective
// IP → new bucket → bypass succeeds (returns 200).
// With trusted proxy config, spoofing X-Forwarded-For rotates the
// effective IP → new bucket → bypass succeeds (returns 200).
{
req := httptest.NewRequest(http.MethodGet, "/x", nil)
req.RemoteAddr = "10.0.0.1:1234"
@@ -89,7 +95,7 @@ func TestRateLimit_XFF_BypassDocumented(t *testing.T) {
w := httptest.NewRecorder()
r.ServeHTTP(w, req)
if w.Code != http.StatusOK {
t.Skipf("bypass no longer works without trusted-proxy config (Gin version changed?): got %d", w.Code)
t.Errorf("XFF bypass did not work under trusted-proxy config: want 200, got %d", w.Code)
}
}
}