Merge a14cf7c08dc37b7f9308248928aa3b16307f3c2f into b2b489dbf4826c2c630717a77fd5e42774625410

chore(context): always trust xff headers from unix socket (#3359 )
Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2026-06-13 00:59:29 +08:00 · 2026-01-18 14:22:35 +08:00 · 2026-01-18 12:56:22 +08:00 · 2025-11-08 22:06:23 +08:00 · 2025-11-08 13:35:02 +08:00
4 changed files with 55 additions and 26 deletions
--- a/context.go
+++ b/context.go
@ -978,14 +978,27 @@ func (c *Context) ClientIP() string {
 		}
 	}

-	// It also checks if the remoteIP is a trusted proxy or not.
-	// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
-	// defined by Engine.SetTrustedProxies()
-	remoteIP := net.ParseIP(c.RemoteIP())
-	if remoteIP == nil {
-		return ""
+	var (
+		trusted  bool
+		remoteIP net.IP
+	)
+	// If gin is listening a unix socket, always trust it.
+	localAddr, ok := c.Request.Context().Value(http.LocalAddrContextKey).(net.Addr)
+	if ok && strings.HasPrefix(localAddr.Network(), "unix") {
+		trusted = true
+	}
+
+	// Fallback
+	if !trusted {
+		// It also checks if the remoteIP is a trusted proxy or not.
+		// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
+		// defined by Engine.SetTrustedProxies()
+		remoteIP = net.ParseIP(c.RemoteIP())
+		if remoteIP == nil {
+			return ""
+		}
+		trusted = c.engine.isTrustedProxy(remoteIP)
 	}
-	trusted := c.engine.isTrustedProxy(remoteIP)

 	if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil {
 		for _, headerName := range c.engine.RemoteIPHeaders {
@ -1166,13 +1179,10 @@ func (c *Context) SecureJSON(code int, obj any) {
 // JSONP serializes the given struct as JSON into the response body.
 // It adds padding to response body to request data from a server residing in a different domain than the client.
 // It also sets the Content-Type as "application/javascript".
+//
+// When the callback parameter is empty, it behaves equivalently to Context.JSON.
 func (c *Context) JSONP(code int, obj any) {
-	callback := c.DefaultQuery("callback", "")
-	if callback == "" {
-		c.Render(code, render.JSON{Data: obj})
-		return
-	}
-	c.Render(code, render.JsonpJSON{Callback: callback, Data: obj})
+	c.Render(code, render.JsonpJSON{Callback: c.Query("callback"), Data: obj})
 }

 // JSON serializes the given struct as JSON into the response body.
--- a/context_test.go
+++ b/context_test.go
@ -1915,6 +1915,16 @@ func TestContextClientIP(t *testing.T) {
 	c.engine.trustedCIDRs, _ = c.engine.prepareTrustedCIDRs()
 	resetContextForClientIPTests(c)

+	// unix address
+	addr := &net.UnixAddr{Net: "unix", Name: "@"}
+	c.Request = c.Request.WithContext(context.WithValue(c.Request.Context(), http.LocalAddrContextKey, addr))
+	c.Request.RemoteAddr = addr.String()
+	assert.Equal(t, "20.20.20.20", c.ClientIP())
+
+	// reset
+	c.Request = c.Request.WithContext(context.Background())
+	resetContextForClientIPTests(c)
+
 	// Legacy tests (validating that the defaults don't break the
 	// (insecure!) old behaviour)
 	assert.Equal(t, "20.20.20.20", c.ClientIP())
--- a/render/json.go
+++ b/render/json.go
@ -115,14 +115,14 @@ func (r SecureJSON) WriteContentType(w http.ResponseWriter) {

 // Render (JsonpJSON) marshals the given interface object and writes it and its callback with custom ContentType.
 func (r JsonpJSON) Render(w http.ResponseWriter) (err error) {
-	r.WriteContentType(w)
-	ret, err := json.API.Marshal(r.Data)
-	if err != nil {
-		return err
+	if r.Callback == "" {
+		return WriteJSON(w, r.Data)
 	}

-	if r.Callback == "" {
-		_, err = w.Write(ret)
+	r.WriteContentType(w)
+
+	ret, err := json.API.Marshal(r.Data)
+	if err != nil {
 		return err
 	}

--- a/render/render_test.go
+++ b/render/render_test.go
@ -183,19 +183,28 @@ func TestRenderJsonpJSONError(t *testing.T) {
 	assert.Equal(t, `write "`+`);`+`" error`, err.Error())
 }

-func TestRenderJsonpJSONError2(t *testing.T) {
+func TestRenderJsonpJSONWithEmptyCallback(t *testing.T) {
 	w := httptest.NewRecorder()
 	data := map[string]any{
 		"foo": "bar",
+		"num": 42,
+		"nested": map[string]any{
+			"key": "value",
+		},
 	}
-	(JsonpJSON{"", data}).WriteContentType(w)
-	assert.Equal(t, "application/javascript; charset=utf-8", w.Header().Get("Content-Type"))

-	e := (JsonpJSON{"", data}).Render(w)
-	require.NoError(t, e)
+	err := (JsonpJSON{Callback: "", Data: data}).Render(w)

-	assert.JSONEq(t, "{\"foo\":\"bar\"}", w.Body.String())
-	assert.Equal(t, "application/javascript; charset=utf-8", w.Header().Get("Content-Type"))
+	require.NoError(t, err)
+
+	// Verify Content-Type is set to jsonContentType when callback is empty
+	assert.Equal(t, "application/json; charset=utf-8", w.Header().Get("Content-Type"))
+
+	renderData, err := json.API.Marshal(data)
+	require.NoError(t, err)
+
+	// Verify body contains correct JSON data
+	assert.JSONEq(t, string(renderData), w.Body.String())
 }

 func TestRenderJsonpJSONFail(t *testing.T) {
Author	SHA1	Message	Date
Name	db063d5a25	Merge a14cf7c08dc37b7f9308248928aa3b16307f3c2f into b2b489dbf4826c2c630717a77fd5e42774625410	2026-01-18 14:22:35 +08:00
WeidiDeng	b2b489dbf4	chore(context): always trust xff headers from unix socket (#3359 ) Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com>	2026-01-18 12:56:22 +08:00
1911860538	a14cf7c08d	refactor(render): use WriteJSON when JsonpJson.Callback is empty	2025-11-08 22:06:23 +08:00
1911860538	b7afe5a6af	fix(render): improve JsonpJSON content type handling and simplify Context.JSONP	2025-11-08 13:35:02 +08:00