Compare commits

...

3 Commits

Author SHA1 Message Date
Kasidej
5727bf02f9
Merge b9d6964b7e2bc3e12e1d06443073d7a114073b3e into b2b489dbf4826c2c630717a77fd5e42774625410 2026-01-18 14:22:35 +08:00
WeidiDeng
b2b489dbf4
chore(context): always trust xff headers from unix socket (#3359)
Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2026-01-18 12:56:22 +08:00
Kasidej
b9d6964b7e fix(context): update context.Value method to properly support any key type 2026-01-06 17:42:45 +00:00
2 changed files with 36 additions and 11 deletions

View File

@ -978,14 +978,27 @@ func (c *Context) ClientIP() string {
}
}
// It also checks if the remoteIP is a trusted proxy or not.
// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
// defined by Engine.SetTrustedProxies()
remoteIP := net.ParseIP(c.RemoteIP())
if remoteIP == nil {
return ""
var (
trusted bool
remoteIP net.IP
)
// If gin is listening a unix socket, always trust it.
localAddr, ok := c.Request.Context().Value(http.LocalAddrContextKey).(net.Addr)
if ok && strings.HasPrefix(localAddr.Network(), "unix") {
trusted = true
}
// Fallback
if !trusted {
// It also checks if the remoteIP is a trusted proxy or not.
// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
// defined by Engine.SetTrustedProxies()
remoteIP = net.ParseIP(c.RemoteIP())
if remoteIP == nil {
return ""
}
trusted = c.engine.isTrustedProxy(remoteIP)
}
trusted := c.engine.isTrustedProxy(remoteIP)
if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil {
for _, headerName := range c.engine.RemoteIPHeaders {
@ -1436,10 +1449,8 @@ func (c *Context) Value(key any) any {
if key == ContextKey {
return c
}
if keyAsString, ok := key.(string); ok {
if val, exists := c.Get(keyAsString); exists {
return val
}
if val, exists := c.Get(key); exists {
return val
}
if !c.hasRequestContext() {
return nil

View File

@ -1915,6 +1915,16 @@ func TestContextClientIP(t *testing.T) {
c.engine.trustedCIDRs, _ = c.engine.prepareTrustedCIDRs()
resetContextForClientIPTests(c)
// unix address
addr := &net.UnixAddr{Net: "unix", Name: "@"}
c.Request = c.Request.WithContext(context.WithValue(c.Request.Context(), http.LocalAddrContextKey, addr))
c.Request.RemoteAddr = addr.String()
assert.Equal(t, "20.20.20.20", c.ClientIP())
// reset
c.Request = c.Request.WithContext(context.Background())
resetContextForClientIPTests(c)
// Legacy tests (validating that the defaults don't break the
// (insecure!) old behaviour)
assert.Equal(t, "20.20.20.20", c.ClientIP())
@ -2859,6 +2869,10 @@ func TestContextGolangContext(t *testing.T) {
c.Set("foo", "bar")
assert.Equal(t, "bar", c.Value("foo"))
assert.Nil(t, c.Value(1))
type contextKey struct{}
c.Set(contextKey{}, "value")
assert.Equal(t, "value", c.Value(contextKey{}))
}
func TestWebsocketsRequired(t *testing.T) {