Remove rack_strip_client_ip middleware
This removes middleware that strips the Client-IP header from requests
to prevent Rails from raising an "IpSpoofAttackError" exception. Removing
this because it isn't needed; we are stripping the Client-IP header at
the CDN level, which should prevent this exception being raised anyway.
If this header is being set elsewhere in the request path, we should fix
that instead of blindly stripping the header altogether.

There is also a bug in the middleware, where it prevents previous
middleware from receiving information from following middleware in the
'env' variable. This is because it creates a copy of env, which isn't
returned to the calling middleware. This prevents middleware such as the
prometheus exporter from generating correct metrics stats.

https://github.com/alext/rack_strip_client_ip

---

Details of the bug:

Instead of editing the same env object it creates a copy using the
"reject" method. This new copy is passed on to subsequent middleware,
which means any changes to 'env' aren't available to previous middleware.

https://github.com/alext/rack_strip_client_ip/blob/98029a661616b5a1091e6b822aed5b498a4e5d42/lib/rack_strip_client_ip/middleware.rb#LL14
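The env-copy bug described in the commit message, reproduced as an added example (this is not code from the commit or from the rack_strip_client_ip gem). It uses plain Ruby objects following the Rack calling convention, so it needs no gems; the `StripHeaderByCopy`, `StripHeaderInPlace`, `Recorder` and `ENDPOINT` names and the sample env hash are all constructed here for illustration.

```ruby
# Added example, not from the commit or the gem it removes.
# Demonstrates why a middleware that builds a *new* env hash with Hash#reject
# hides anything downstream middleware writes into env from upstream middleware.

# Buggy shape: passes a copy of env downstream. Keys that the downstream app
# adds land in the copy, so the caller's env never sees them.
class StripHeaderByCopy
  def initialize(app, header = "HTTP_CLIENT_IP")
    @app = app
    @header = header
  end

  def call(env)
    @app.call(env.reject { |key, _| key == @header })
  end
end

# Fixed shape: removes the header from the same env object and passes it on,
# so upstream and downstream middleware share one hash.
class StripHeaderInPlace
  def initialize(app, header = "HTTP_CLIENT_IP")
    @app = app
    @header = header
  end

  def call(env)
    env.delete(@header)
    @app.call(env)
  end
end

# Stand-in for the application endpoint: records something in env that an
# upstream exporter wants to read, and reports whether the header reached it.
ENDPOINT = lambda do |env|
  env["example.handled_by"] = "endpoint"
  [200, { "content-type" => "text/plain" }, ["client_ip=#{env.key?('HTTP_CLIENT_IP')}"]]
end

# Stand-in for an upstream middleware (e.g. a metrics exporter) that inspects
# env after the rest of the chain has run.
class Recorder
  attr_reader :seen

  def initialize(app)
    @app = app
  end

  def call(env)
    response = @app.call(env)
    @seen = env["example.handled_by"] # nil if a downstream copy swallowed it
    response
  end
end

# Runs Recorder -> strip middleware -> ENDPOINT on a constructed env and
# returns what each end of the chain observed.
def run_chain(strip_class)
  recorder = Recorder.new(strip_class.new(ENDPOINT))
  env = {
    "HTTP_CLIENT_IP" => "203.0.113.9",        # constructed, documentation range
    "HTTP_X_FORWARDED_FOR" => "198.51.100.7"  # constructed, documentation range
  }
  _status, _headers, body = recorder.call(env)
  { downstream_body: body.join, upstream_saw: recorder.seen }
end

if $PROGRAM_NAME == __FILE__
  p run_chain(StripHeaderByCopy)   # upstream_saw is nil: the copy hid the key
  p run_chain(StripHeaderInPlace)  # upstream_saw is "endpoint"
end
```

Both variants keep the header away from the endpoint, which is why the bug is easy to miss in request tests; it only shows up in middleware that reads env after `@app.call` returns, exactly the metrics case the commit message describes.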
theseanything committed Dec 12, 2022
1 parent 9788306 commit 36dd3b9
Showing 2 changed files with 0 additions and 3 deletions.
1 change: 0 additions & 1 deletion Gemfile
Expand Up @@ -11,7 +11,6 @@ gem "govuk_personalisation"
gem "govuk_publishing_components"
gem "nokogiri"
gem "plek"
gem "rack_strip_client_ip"
gem "redis"
gem "sassc-rails"
gem "sprockets-rails"
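Review bot: dropping `gem "rack_strip_client_ip"` here removes the only in-process guard the app had against a request arriving with a Client-IP header that conflicts with X-Forwarded-For; the commit message says the CDN now strips that header, but nothing in this diff points at where that CDN rule lives or verifies it. Suggest referencing the CDN configuration in the Gemfile comment or commit, or adding a request spec that sends a conflicting Client-IP and asserts the behaviour you now expect, so the dependency on the edge config is visible to the next reader.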
2 changes: 0 additions & 2 deletions Gemfile.lock
Expand Up @@ -206,7 +206,6 @@ GEM
rack
rack-test (2.0.2)
rack (>= 1.3)
rack_strip_client_ip (0.0.2)
rails (7.0.4)
actioncable (= 7.0.4)
actionmailbox (= 7.0.4)
Expand Down Expand Up @@ -362,7 +361,6 @@ DEPENDENCIES
nokogiri
plek
pry
rack_strip_client_ip
rails (= 7.0.4)
redis
rubocop-govuk
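Review bot: the DEPENDENCIES entry removal matches the Gemfile change, so Gemfile and Gemfile.lock stay consistent and a later `bundle install` will not reintroduce the gem; no further change needed in this hunk.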
