AspNetCoreRateLimit
Invalid IPs are causing exceptions
A request with
X-Forwarded-For : '{${print(9347655345-4954366)}}'
caused
An invalid IP address was specified.
at System.Net.IPAddressParser.Parse(ReadOnlySpan`1 ipSpan, Boolean tryParse)
at System.Net.IPAddress.Parse(String ipString)
at AspNetCoreRateLimit.IpAddressUtil.ParseIp(String ipAddress) in C:\Users\User\Documents\Github\AspNetCoreRateLimit\src\AspNetCoreRateLimit\Net\IpAddressUtil.cs:line 83
at AspNetCoreRateLimit.IpHeaderResolveContributor.ResolveIp(HttpContext httpContext) in C:\Users\User\Documents\Github\AspNetCoreRateLimit\src\AspNetCoreRateLimit\Resolvers\IpHeaderResolveContributor.cs:line 19
at AspNetCoreRateLimit.RateLimitMiddleware`1.ResolveIdentityAsync(HttpContext httpContext) in C:\Users\User\Documents\Github\AspNetCoreRateLimit\src\AspNetCoreRateLimit\Middleware\RateLimitMiddleware.cs:line 149
at AspNetCoreRateLimit.RateLimitMiddleware`1.Invoke(HttpContext context) in C:\Users\User\Documents\Github\AspNetCoreRateLimit\src\AspNetCoreRateLimit\Middleware\RateLimitMiddleware.cs:line 41
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
...
Here's a workaround.
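```csharp
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Rejects requests whose X-Forwarded-For header contains anything that is not an IP address.
// Must be registered before the AspNetCoreRateLimit middleware in the pipeline.
public class XForwardedForCheckerMiddleware
{
    private readonly RequestDelegate _next;

    public XForwardedForCheckerMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task InvokeAsync(HttpContext context, ILogger<XForwardedForCheckerMiddleware> logger)
    {
        if (context.Request.Headers.ContainsKey("X-Forwarded-For"))
        {
            string xff = context.Request.Headers["X-Forwarded-For"];
            if (!string.IsNullOrEmpty(xff))
            {
                // TryParse returns false on malformed input instead of throwing like Parse.
                if (xff.Split(',').Any(z => !IPAddress.TryParse(z.Trim(), out IPAddress _)))
                {
                    context.Response.StatusCode = 400; // Bad request.
                    logger.LogWarning("Request rejected (400) because of invalid IP address in header X-Forwarded-For.");
                    return;
                }
            }
        }

        await _next.Invoke(context);
    }
}
```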
Hopefully we can switch to net7 soon; that's likely to be less unreliable.
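An added example (not code from this thread or from AspNetCoreRateLimit) of the non-throwing validation the workaround relies on, run over constructed header values including the one from the report. It goes slightly beyond the workaround by also tolerating `address:port` entries; `ForwardedForValidator`, `MaxEntries` and the sample values are hypothetical, and `IPEndPoint.TryParse` assumes .NET Core 3.0 or later.

```csharp
using System;
using System.Linq;
using System.Net;

// Hypothetical helper, not part of AspNetCoreRateLimit: validates an
// X-Forwarded-For value without ever throwing on malformed input.
public static class ForwardedForValidator
{
    private const int MaxEntries = 20; // constructed cap on proxy hops for this example

    public static bool TryGetAddresses(string headerValue, out IPAddress[] addresses)
    {
        addresses = Array.Empty<IPAddress>();
        if (string.IsNullOrWhiteSpace(headerValue)) return false;
        var entries = headerValue.Split(',');
        if (entries.Length > MaxEntries) return false;

        var parsed = new IPAddress[entries.Length];
        for (var i = 0; i < entries.Length; i++)
        {
            // IPEndPoint.TryParse accepts a bare address, "address:port" and
            // "[v6]:port", and returns false instead of throwing.
            if (!IPEndPoint.TryParse(entries[i].Trim(), out var endpoint)) return false;
            parsed[i] = endpoint.Address;
        }
        addresses = parsed;
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values; the second is the header value from the report above.
        string[] samples =
        {
            "203.0.113.7, 198.51.100.2",
            "{${print(9347655345-4954366)}}",
            "203.0.113.7:44321",
            "[2001:db8::1]:443, 198.51.100.2",
            "203.0.113.7, not-an-ip",
        };
        foreach (var s in samples)
        {
            var ok = ForwardedForValidator.TryGetAddresses(s, out var ips);
            Console.WriteLine($"{(ok ? "accept" : "reject")} \"{s}\" -> [{string.Join(", ", ips.Select(ip => ip.ToString()))}]");
        }
    }
}
```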