A recent change began returning x-composio-client-ip or x-real-ip verbatim, allowing attacker-controlled header values to influence banned-IP checks, API-key IP allowlists, and the global per-IP rate limiter.
This PR restores defensive validation and header-priority semantics so malformed or spoofed header values cannot become rate-limit/authorization keys.
Description
Reintroduced strict normalization/validation via normalizeClientIp and IPv4/IPv6 validators in apps/apollo/src/server/context/utils/get_client_ip.ts so only syntactically valid IPs are accepted.
Updated getClientIpFromHeaders to use the validated chain: accept x-composio-client-ip only when the proxy secret matches and the forwarded IP validates, then fall through to cf-connecting-ip, true-client-ip, x-vercel-forwarded-for, x-forwarded-for, and finally validated x-real-ip.
Restored Cloudflare/Vercel header constants in apps/apollo/src/server/constants/header.ts and expanded unit tests in apps/apollo/src/server/context/utils/__tests__/get_client_ip.unit.test.ts to cover normalization, trusted-proxy behavior, fallback header priority, and rejection of invalid header values.
Retained timing-safe secret comparison via timingSafeEquals and preserved the existing unknown-IP sentinel UNKNOWN_CLIENT_IP semantics.
Testing
Built the shared library with pnpm --filter @composio/lib build which completed successfully.
Ran the targeted oxfmt/oxlint check for the changed files with cd apps/apollo && pnpm exec oxlint ... and the changed-file lint run passed.
Attempted to run the Apollo unit test file with pnpm --filter @composio/apollo exec vitest run src/server/context/utils/__tests__/get_client_ip.unit.test.ts but execution was blocked by local bootstrap issues (missing Doppler/env and generated Prisma client).
Attempted PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING=1 pnpm --filter @composio/db db:generate to generate Prisma artifacts but that failed due to Prisma engine download returning HTTP 403; these infra issues prevented full CI-style unit test execution in this environment.
@kaavee315checks…codex/propose-fix-for-client-ip-spoofing-vulnerability → master3 files · +422 −15updated 3d ago