Merge commit from fork

EdamAme-x · web-flow · commit 41adbf56e252 · 2026-02-23T16:12:44.000+09:00
* fix(aws-lambda): use last X-Forwarded-For IP in ALB adapter

ALB appends the real client IP to the end of the X-Forwarded-For header.
Taking the first value allows attackers to spoof their IP by prepending
a trusted address, bypassing ipRestriction middleware.

Use the last IP instead, which is the one appended by ALB.

* refactor(test): use it.each for ALB x-forwarded-for tests

Consolidate two similar ALB tests into a parameterized it.each to
improve readability and make each test case clearly distinguishable.
diff --git a/src/adapter/aws-lambda/conninfo.test.ts b/src/adapter/aws-lambda/conninfo.test.ts
@@ -71,27 +71,36 @@ describe('getConnInfo', () => {
   })
 
   describe('ALB', () => {
-    it('Should return the client IP from x-forwarded-for header', () => {
-      const ip = '192.0.2.50'
-      const req = new Request('http://localhost/', {
-        headers: {
-          'x-forwarded-for': `${ip}, 10.0.0.1`,
-        },
-      })
-      const c = new Context(req, {
-        env: {
-          requestContext: {
-            elb: {
-              targetGroupArn: 'arn:aws:elasticloadbalancing:...',
+    it.each([
+      {
+        description: 'ALB appends real client IP',
+        xff: '10.0.0.1, 192.0.2.50',
+        expected: '192.0.2.50',
+      },
+      {
+        description: 'attacker-controlled first IP',
+        xff: '127.0.0.1, 192.168.1.100',
+        expected: '192.168.1.100',
+      },
+    ])(
+      'Should return the last IP from x-forwarded-for ($description)',
+      ({ xff, expected }) => {
+        const req = new Request('http://localhost/', {
+          headers: { 'x-forwarded-for': xff },
+        })
+        const c = new Context(req, {
+          env: {
+            requestContext: {
+              elb: {
+                targetGroupArn: 'arn:aws:elasticloadbalancing:...',
+              },
             },
           },
-        },
-      })
-
-      const info = getConnInfo(c)
-
-      expect(info.remote.address).toBe(ip)
-    })
+        })
+        const info = getConnInfo(c)
+        expect(info.remote.address).toBe(expected)
+      }
+    )
 
     it('Should return undefined when no x-forwarded-for header', () => {
       const c = new Context(new Request('http://localhost/'), {
diff --git a/src/adapter/aws-lambda/conninfo.ts b/src/adapter/aws-lambda/conninfo.ts
@@ -59,8 +59,9 @@ export const getConnInfo: GetConnInfo = (c: Context<Env>) => {
   else {
     const xff = c.req.header('x-forwarded-for')
     if (xff) {
-      // First IP is the client
-      address = xff.split(',')[0].trim()
+      const ips = xff.split(',')
+      // ALB appends the real client IP to the end of the header
+      address = ips[ips.length - 1].trim()
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -59,8 +59,9 @@ export const getConnInfo: GetConnInfo = (c: Context<Env>) => {`
`59`	`59`	`else {`
`60`	`60`	`const xff = c.req.header('x-forwarded-for')`
`61`	`61`	`if (xff) {`
`62`		`- // First IP is the client`
`63`		`- address = xff.split(',')[0].trim()`
	`62`	`+ const ips = xff.split(',')`
	`63`	`+ // ALB appends the real client IP to the end of the header`
	`64`	`+ address = ips[ips.length - 1].trim()`
`64`	`65`	`}`
`65`	`66`	`}`
`66`	`67`