From 36dd3b974dcf40bf0844cb3eb98b6f68254096dd Mon Sep 17 00:00:00 2001
From: Sean Rankine
Date: Mon, 12 Dec 2022 17:29:05 +0000
Subject: [PATCH] Remove rack_strip_client_ip middleware

This removes middleware that strips the Client-IP header from requests to prevent Rails from raising an "IpSpoofAttackError" exception.

Removing this because it isn't needed; we are stripping the Client-IP header at the CDN level, which should prevent this exception being raised anyway. If this header is being set elsewhere in the request path, we should fix that instead of blindly stripping the header altogether.

There is also a bug in the middleware, where it prevents previous middleware from receiving information from following middleware in the 'env' variable. This is because it creates a copy of env, which isn't returned to the calling middleware. This prevents middleware such as the prometheus exporter from generating correct metrics stats.

https://github.com/alext/rack_strip_client_ip

---

Details of the bug:

Instead of editing the same env object it creates a copy using the "reject" method. This new copy is passed on to subsequent middleware, which means any changes to 'env' aren't available to previous middleware.

https://github.com/alext/rack_strip_client_ip/blob/98029a661616b5a1091e6b822aed5b498a4e5d42/lib/rack_strip_client_ip/middleware.rb#LL14

--- Gemfile | 1 - Gemfile.lock | 2 -- 2 files changed, 3 deletions(-) diff --git a/Gemfile b/Gemfile index 3ba093199..233da4946 100644 --- a/Gemfile +++ b/Gemfile @@ -11,7 +11,6 @@ gem "govuk_personalisation" gem "govuk_publishing_components" gem "nokogiri" gem "plek" -gem "rack_strip_client_ip" gem "redis" gem "sassc-rails" gem "sprockets-rails" diff --git a/Gemfile.lock b/Gemfile.lock index 318812c0a..b59f208ec 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -206,7 +206,6 @@ GEM rack rack-test (2.0.2) rack (>= 1.3) - rack_strip_client_ip (0.0.2) rails (7.0.4) actioncable (= 7.0.4) actionmailbox (= 7.0.4) 
@@ -362,7 +361,6 @@ DEPENDENCIES nokogiri plek pry - rack_strip_client_ip rails (= 7.0.4) redis rubocop-govuk
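Review bot: the Gemfile hunk (`-gem "rack_strip_client_ip"`) removes the library, but nothing in this patch removes the place it was wired into the stack; the diffstat lists only Gemfile and Gemfile.lock. If the middleware was inserted explicitly (a `config.middleware.use RackStripClientIp::Middleware` line in `config/application.rb` or an initializer), the app will fail on boot with a NameError once the gem is gone. Please either confirm the gem registered itself through a Railtie so no reference remains, or include the removal of that line in this patch.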
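Review bot: with `rack_strip_client_ip (0.0.2)` gone from the GEM section, Rails' own IP spoofing check (enabled by default) becomes the only thing between a request carrying conflicting `Client-IP` and `X-Forwarded-For` values and a 500 from `IpSpoofAttackError`. The commit message relies on the CDN stripping `Client-IP`, which only covers traffic that actually passes through the CDN. It would be worth stating in the message where that stripping is enforced and whether origin accepts traffic from anywhere else, and adding a request spec that sends both headers so a regression surfaces in CI rather than as production errors.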