
remix-express/server throws error on IPv6 host or X-Forwarded-Host

Open a47ae opened this issue 1 year ago • 3 comments

Reproduction

The remix-express/server tries to parse the port number from either the host or the X-Forwarded-Host header (remix-express/server.ts#L92). In the case that one of them is an IPv6 address, the code incorrectly identifies part of the IP address as the port because it splits at colons and IPv6 addresses can contain colons.

I created an example here: https://stackblitz.com/edit/remix-run-remix-edjlfm?file=app%2Froutes%2F_index.tsx

The button fetches the current site but adds a custom X-Forwarded-Host header to emulate a server environment. One should see that the request fails and the server logs an Invalid URL error.

We noticed this error with our remix application behind a reverse proxy which does health checks using the internal IPv6 address.

System Info

stackblitz fork, latest packages

"@remix-run/node": "*",
"@remix-run/react": "*",
"@remix-run/serve": "*"


Used Package Manager

npm

Expected Behavior

The express server does work even if host or `X-Forwarded-Host` header is an IPv6 address.

Actual Behavior

The express server throws an error because an invalid url is constructed.

a47ae avatar Apr 30 '24 10:04 a47ae

Just a note on IPv6 request formatting in browsers... A correctly formatted Host header with an IPv6 address would have the address in square brackets. e.g. for localhost on port 3000:

Host: [::1]:3000

I would assume a correct X-Forwarded-Host would be the same.

As in, a browser doesn't even make a request on this: http://::1:3000. Instead it needs to be formatted like this: http://[::1]:3000/ or http://[0:0:0:0:0:0:0:1]:3000/.

ngbrown avatar Apr 30 '24 14:04 ngbrown

Hey @ngbrown, I am not sure how the host header is passed, but it could be possible that it is passed with square brackets. This would still result in the described error, but then it should be possible to extract the port from the header because we know when the IP part ends and the port part starts. I will try to get some information on how it is passed in the live system.

a47ae avatar Apr 30 '24 15:04 a47ae

@a47ae no worries. I had seen that your example still failed with square brackets, but I wanted to call it out so the tests and implementation didn't get written incorrectly.

ngbrown avatar Apr 30 '24 15:04 ngbrown
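
The parsing problem discussed in this thread, as an added example that is not Remix's code and not from any participant: a colon split next to a bracket-aware parser for Host / X-Forwarded-Host values. All function names are hypothetical, `naivePort` is a simplified stand-in for the behaviour the issue describes, and the sample addresses are constructed.

```javascript
// Added example; every function name here is hypothetical, not a Remix API.

// Simplified stand-in for the colon-splitting the issue describes.
function naivePort(hostHeader) {
  return hostHeader.split(":")[1];
}

// Bracket-aware parse of a Host / X-Forwarded-Host value.
// Returns { hostname, port } (port is null when absent) or null if malformed.
function parseHostHeader(hostHeader) {
  const value = String(hostHeader).trim();
  let hostname, rest;
  if (value.startsWith("[")) {
    const end = value.indexOf("]");
    if (end === -1) return null; // unterminated IPv6 literal
    hostname = value.slice(0, end + 1);
    rest = value.slice(end + 1);
    if (!/^\[[0-9A-Fa-f:.]+\]$/.test(hostname)) return null;
  } else {
    const colon = value.indexOf(":");
    // Two or more colons without brackets is ambiguous (bare IPv6): reject.
    if (colon !== value.lastIndexOf(":")) return null;
    hostname = colon === -1 ? value : value.slice(0, colon);
    rest = colon === -1 ? "" : value.slice(colon);
    if (!/^[A-Za-z0-9.-]+$/.test(hostname)) return null;
  }
  if (rest === "") return { hostname, port: null };
  if (!/^:\d{1,5}$/.test(rest)) return null;
  const port = Number(rest.slice(1));
  return port <= 65535 ? { hostname, port } : null;
}

// Build an origin from the parsed parts; null instead of a thrown Invalid URL.
function buildOrigin(protocol, hostHeader) {
  const parsed = parseHostHeader(hostHeader);
  if (parsed === null) return null;
  const authority =
    parsed.port === null ? parsed.hostname : `${parsed.hostname}:${parsed.port}`;
  try {
    return new URL(`${protocol}://${authority}`).origin;
  } catch {
    return null;
  }
}

// Constructed samples (2001:db8::/32 is the documentation prefix).
console.log(naivePort("[2001:db8::1]:3000")); // "db8", not a port
console.log(buildOrigin("http", "[2001:db8::1]:3000"));
console.log(buildOrigin("http", "::1:3000")); // null
```

Because these headers arrive with the request, returning `null` for a malformed value lets the caller answer with a 400 rather than letting an exception from URL construction reach the request handler.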