Merge d02b7391f00946e0390ae5c3d684dd343f30a49b into 9914178584e42458ff7d23891463a880f58c9d86

fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472 )
* Fix ClientIP calculation by concatenating all RemoteIPHeaders values * test: used http.MethodGet instead constants and fix lints * lint error fixed * Refactor ClientIP X-Forwarded-For tests --------- Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2026-01-11 09:06:56 +08:00 · 2026-01-02 16:16:33 +08:00 · 2026-01-02 10:15:27 +08:00 · 2025-12-23 16:09:33 +03:30
3 changed files with 126 additions and 1 deletions
--- a/binding/plain_test.go
+++ b/binding/plain_test.go
@ -0,0 +1,93 @@
+// Copyright 2025 Gin Core Team. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package binding
+
+import (
+	"bytes"
+	"errors"
+	"io"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+// errReadCloser simulates a ReadCloser whose Read returns a fixed error.
+type errReadCloser struct{ err error }
+
+func (e *errReadCloser) Read(p []byte) (int, error) { return 0, e.err }
+func (e *errReadCloser) Close() error               { return nil }
+
+func TestDecodePlain_String_Success(t *testing.T) {
+	t.Parallel()
+	var s string
+	if err := (plainBinding{}).BindBody([]byte("hello world"), &s); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if s != "hello world" {
+		t.Fatalf("expected %q, got %q", "hello world", s)
+	}
+}
+
+func TestDecodePlain_ByteSlice_Success(t *testing.T) {
+	t.Parallel()
+	in := []byte{1, 2, 3, 4}
+	var b []byte
+	if err := (plainBinding{}).BindBody(in, &b); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !bytes.Equal(b, in) {
+		t.Fatalf("expected %v, got %v", in, b)
+	}
+}
+
+func TestPlainBind_UsesHTTPRequestBody(t *testing.T) {
+	t.Parallel()
+	var s string
+	req := &http.Request{Body: io.NopCloser(bytes.NewReader([]byte("reqbody")))}
+	if err := (plainBinding{}).Bind(req, &s); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if s != "reqbody" {
+		t.Fatalf("expected %q, got %q", "reqbody", s)
+	}
+}
+
+func TestDecodePlain_NilObj_NoPanic(t *testing.T) {
+	// Passing nil obj should be a no-op and return nil error.
+	if err := (plainBinding{}).BindBody([]byte("x"), nil); err != nil {
+		t.Fatalf("expected nil error for nil obj, got %v", err)
+	}
+
+	// Passing a nil pointer (e.g., *string == nil) should also return nil error.
+	var ps *string = nil
+	if err := (plainBinding{}).BindBody([]byte("x"), ps); err != nil {
+		t.Fatalf("expected nil error for nil pointer obj, got %v", err)
+	}
+}
+
+func TestDecodePlain_UnsupportedType_Error(t *testing.T) {
+	var x int
+	err := (plainBinding{}).BindBody([]byte("x"), &x)
+	if err == nil {
+		t.Fatalf("expected error for unsupported type, got nil")
+	}
+	if !strings.Contains(err.Error(), "unknown type") {
+		t.Fatalf("expected error to contain 'unknown type', got %v", err)
+	}
+}
+
+func TestPlainBind_ReadError(t *testing.T) {
+	t.Parallel()
+	sentinel := errors.New("read fail")
+	req := &http.Request{Body: &errReadCloser{err: sentinel}}
+	var s string
+	err := (plainBinding{}).Bind(req, &s)
+	if err == nil {
+		t.Fatalf("expected read error, got nil")
+	}
+	if err != sentinel {
+		t.Fatalf("expected sentinel error %v, got %v", sentinel, err)
+	}
+}
--- a/context.go
+++ b/context.go
@ -989,7 +989,8 @@ func (c *Context) ClientIP() string {

 	if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil {
 		for _, headerName := range c.engine.RemoteIPHeaders {
-			ip, valid := c.engine.validateHeader(c.requestHeader(headerName))
+			headerValue := strings.Join(c.Request.Header.Values(headerName), ",")
+			ip, valid := c.engine.validateHeader(headerValue)
 			if valid {
 				return ip
 			}
--- a/context_test.go
+++ b/context_test.go
@ -1143,6 +1143,37 @@ func TestContextRenderNoContentIndentedJSON(t *testing.T) {
 	assert.Equal(t, "application/json; charset=utf-8", w.Header().Get("Content-Type"))
 }

+func TestContextClientIPWithMultipleHeaders(t *testing.T) {
+	c, _ := CreateTestContext(httptest.NewRecorder())
+	c.Request, _ = http.NewRequest(http.MethodGet, "/test", nil)
+
+	// Multiple X-Forwarded-For headers
+	c.Request.Header.Add("X-Forwarded-For", "1.2.3.4, "+localhostIP)
+	c.Request.Header.Add("X-Forwarded-For", "5.6.7.8")
+	c.Request.RemoteAddr = localhostIP + ":1234"
+
+	c.engine.ForwardedByClientIP = true
+	c.engine.RemoteIPHeaders = []string{"X-Forwarded-For"}
+	_ = c.engine.SetTrustedProxies([]string{localhostIP})
+
+	// Should return 5.6.7.8 (last non-trusted IP)
+	assert.Equal(t, "5.6.7.8", c.ClientIP())
+}
+
+func TestContextClientIPWithSingleHeader(t *testing.T) {
+	c, _ := CreateTestContext(httptest.NewRecorder())
+	c.Request, _ = http.NewRequest(http.MethodGet, "/test", nil)
+	c.Request.Header.Set("X-Forwarded-For", "1.2.3.4, "+localhostIP)
+	c.Request.RemoteAddr = localhostIP + ":1234"
+
+	c.engine.ForwardedByClientIP = true
+	c.engine.RemoteIPHeaders = []string{"X-Forwarded-For"}
+	_ = c.engine.SetTrustedProxies([]string{localhostIP})
+
+	// Should return 1.2.3.4
+	assert.Equal(t, "1.2.3.4", c.ClientIP())
+}
+
 // Tests that the response is serialized as Secure JSON
 // and Content-Type is set to application/json
 func TestContextRenderSecureJSON(t *testing.T) {
Author	SHA1	Message	Date
Milad	c78bbdb565	Merge d02b7391f00946e0390ae5c3d684dd343f30a49b into 9914178584e42458ff7d23891463a880f58c9d86	2026-01-02 16:16:33 +08:00
Nurysso	9914178584	fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472 ) * Fix ClientIP calculation by concatenating all RemoteIPHeaders values * test: used http.MethodGet instead constants and fix lints * lint error fixed * Refactor ClientIP X-Forwarded-For tests --------- Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com>	2026-01-02 10:15:27 +08:00
Miladev95	d02b7391f0	add plain binding tests	2025-12-23 16:09:33 +03:30