-
-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: openapi add client ip #84
Conversation
WalkthroughThe changes made to the Changes
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
- apollo-openapi/src/main/java/com/ctrip/framework/apollo/openapi/client/service/AbstractOpenApiService.java (3 hunks)
🧰 Additional context used
private void addClientIP(HttpUriRequest request) { | ||
ProtocolVersion protocolVersion = request.getProtocolVersion(); | ||
request.addHeader(HttpHeaders.FORWARDED, String.format("for=%s; proto=%s", Foundation.net().getHostAddress(), protocolVersion.getProtocol())); | ||
request.addHeader(HttpHeaders.X_FORWARDED_FOR, Foundation.net().getHostAddress()); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Avoid adding 'Forwarded' and 'X-Forwarded-For' headers from client code
Adding the Forwarded
and X-Forwarded-For
headers directly from the client side is not recommended. These headers are intended to be set by intermediary proxies to inform the server about the original client's IP address and protocol. When clients set these headers themselves, it can lead to security issues such as IP spoofing, as servers cannot trust the values provided.
Instead, servers typically derive the client's IP address from the network layer. If there's a need to pass client-specific information, consider using custom headers with appropriate validation on the server side.
Suggested change:
Remove the addClientIP
method and its invocation:
80
- addClientIP(request);
82
...
106
- private void addClientIP(HttpUriRequest request) {
- ProtocolVersion protocolVersion = request.getProtocolVersion();
- request.addHeader(HttpHeaders.FORWARDED, String.format("for=%s; proto=%s", Foundation.net().getHostAddress(), protocolVersion.getProtocol()));
- request.addHeader(HttpHeaders.X_FORWARDED_FOR, Foundation.net().getHostAddress());
- }
111
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
private void addClientIP(HttpUriRequest request) { | |
ProtocolVersion protocolVersion = request.getProtocolVersion(); | |
request.addHeader(HttpHeaders.FORWARDED, String.format("for=%s; proto=%s", Foundation.net().getHostAddress(), protocolVersion.getProtocol())); | |
request.addHeader(HttpHeaders.X_FORWARDED_FOR, Foundation.net().getHostAddress()); | |
} | |
private void addClientIP(HttpUriRequest request) { | |
// Method removed as per security recommendation | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also believe it's not a good practice to add these headers. BTW, why is this feature needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nobodyiam, the purpose of this feature appears to be to include the client's IP address in the HTTP requests made by the OpenAPI client. This might be intended for the server to perform tasks such as logging, auditing, or applying IP-based access controls based on the client's real IP.
However, as you've mentioned, adding the Forwarded
and X-Forwarded-For
headers directly from the client side is not recommended due to security concerns like IP spoofing. These headers are traditionally set by proxies or load balancers, and servers typically cannot trust these headers when they originate from clients.
It might be beneficial to discuss with the contributor to understand the specific use case they are trying to address. If there is a legitimate need to pass client-specific information, perhaps implementing a secure method such as using custom headers with proper authentication or tokens would be a better approach.
Please let me know if there's anything else I can assist with.
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 14 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
What's the purpose of this PR
Apollo openapi calls add client real IP information
Which issue(s) this PR fixes:
Fixes #
Brief changelog
XXXXX
Follow this checklist to help us incorporate your contribution quickly and easily:
mvn clean test
to make sure this pull request doesn't break anything.CHANGES
log.Summary by CodeRabbit