mirror of
https://github.com/withastro/astro.git
synced 2025-12-05 18:56:38 -06:00
* Restrict X-Forwarded-Proto and X-Forwarded-Port

* Fix X-Forwarded header security vulnerabilities

- Sanitize hostnames to reject paths and prevent path injection
- Validate X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Port headers
- Add strict rejection for invalid hostnames (those with path separators)
- Implement single sanitizeHost() function in App class, used by both validateForwardedHeaders() and node.ts
- Add comprehensive security tests for header validation

* Fix path injection and port matching bugs in header validation

- Reject both forward and backward slashes in hostnames using single regex
- Fix allowedDomains port matching by validating full hostname:port combo instead of just hostname
- Add test for X-Forwarded-Host with embedded port in allowedDomains pattern

* changeset and build

* fix: validate X-Forwarded headers with port pattern matching

Fixes protocol validation to accept http/https when allowedDomains exist but lack protocol patterns. Restructures port/host validation to validate port first, then include it when validating host against patterns. Properly extracts hostname without port to avoid duplication when combining with X-Forwarded-Port.

* Update .changeset/secure-headers.md

Co-authored-by: Florian Lefebvre <contact@florian-lefebvre.dev>

---------

Co-authored-by: Florian Lefebvre <contact@florian-lefebvre.dev>
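The validation order the commit message describes (sanitize the host, reject path separators with one regex, validate the port first, strip any port embedded in X-Forwarded-Host so it is not duplicated, then match the full hostname:port plus protocol against allowedDomains) is shown below as an added, self-contained example. This is not Astro's code: the `AllowedDomain` pattern shape, the `*.`/`**.` wildcard semantics, the helper names and all sample inputs are assumptions made for illustration.

```typescript
// Added example of forwarded-header validation; not Astro's implementation.
// The pattern shape below is an assumption loosely modelled on remote-pattern style config.
interface AllowedDomain {
  protocol?: "http" | "https";
  hostname?: string; // "example.com", "*.example.com" (one label), "**.example.com" (any depth); may carry ":port"
  port?: string;
}

interface ForwardedHeaders {
  proto?: string; // X-Forwarded-Proto
  host?: string;  // X-Forwarded-Host
  port?: string;  // X-Forwarded-Port
}

interface ValidatedForwarded {
  proto: "http" | "https";
  hostname: string;
  port: string | undefined;
}

// Lowercases and trims a host value, rejecting path separators (both kinds, one regex)
// and any character outside a host:port / bracketed-IPv6 charset. Returns null on rejection,
// so "evil.com/admin" or "evil.com\..\x" can never become a trusted origin.
export function sanitizeHost(raw: string | undefined): string | null {
  if (raw === undefined) return null;
  const host = raw.trim().toLowerCase();
  if (host.length === 0 || host.length > 253) return null;
  if (/[\\/]/.test(host)) return null;
  if (!/^[a-z0-9.\-:\[\]]+$/.test(host)) return null;
  return host;
}

// Splits "host:port" into its parts so the port is not duplicated later.
// Handles a bracketed IPv6 literal such as "[::1]:8080".
export function splitHostPort(host: string): { hostname: string; port?: string } {
  const v6 = host.match(/^(\[[0-9a-f:.]+\])(?::(\d+))?$/);
  if (v6) return { hostname: v6[1], port: v6[2] };
  const idx = host.lastIndexOf(":");
  if (idx === -1) return { hostname: host };
  return { hostname: host.slice(0, idx), port: host.slice(idx + 1) };
}

// undefined = no port supplied; null = supplied but invalid; string = valid port.
export function validatePort(port: string | undefined): string | null | undefined {
  if (port === undefined) return undefined;
  if (!/^\d{1,5}$/.test(port)) return null;
  const n = Number(port);
  return n >= 1 && n <= 65535 ? port : null;
}

function hostnameMatches(pattern: string, hostname: string): boolean {
  if (pattern.startsWith("**.")) {
    const base = pattern.slice(3);
    return hostname === base || hostname.endsWith("." + base);
  }
  if (pattern.startsWith("*.")) {
    const base = pattern.slice(2);
    if (!hostname.endsWith("." + base)) return false;
    return !hostname.slice(0, -base.length - 1).includes("."); // exactly one extra label
  }
  return pattern === hostname;
}

// A pattern matches only if protocol (when pinned), hostname and port (when pinned) all match.
// A pattern that pins no port accepts any port; a pattern that pins no protocol accepts http and https.
function domainMatches(d: AllowedDomain, hostname: string, port: string | undefined, proto: string): boolean {
  if (d.protocol !== undefined && d.protocol !== proto) return false;
  let patHost = d.hostname;
  let patPort = d.port;
  if (patHost !== undefined) {
    const split = splitHostPort(patHost); // allow "app.example.org:3000" in the pattern itself
    patHost = split.hostname;
    patPort = patPort ?? split.port;
  }
  if (patHost !== undefined && !hostnameMatches(patHost, hostname)) return false;
  if (patPort !== undefined && patPort !== port) return false;
  return true;
}

// Returns the validated (proto, hostname, port) triple, or null when the headers must not be trusted.
// An empty allowlist fails closed: forwarded headers are never honoured without configuration.
export function validateForwardedHeaders(h: ForwardedHeaders, allowed: AllowedDomain[]): ValidatedForwarded | null {
  if (allowed.length === 0) return null;
  const proto = h.proto?.trim().toLowerCase();
  if (proto !== "http" && proto !== "https") return null;
  const host = sanitizeHost(h.host);
  if (host === null) return null;
  const { hostname, port: embeddedPort } = splitHostPort(host);
  // Validate the port first; a port in X-Forwarded-Port that disagrees with one embedded in the host is rejected.
  if (h.port !== undefined && embeddedPort !== undefined && h.port !== embeddedPort) return null;
  const port = validatePort(h.port ?? embeddedPort);
  if (port === null) return null;
  if (!allowed.some((d) => domainMatches(d, hostname, port, proto))) return null;
  return { proto, hostname, port };
}
```

Because `domainMatches` checks the protocol per pattern, an allowlist whose entries carry no `protocol` accepts both http and https, while any entry that does pin a protocol only matches requests on that protocol; the port is likewise compared as part of the hostname:port combination rather than dropped.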