fix(wolf-rbac): use trusted client IP source for access_check #13329

Open
shreemaan-abhishek wants to merge 2 commits into apache:master from shreemaan-abhishek:fix/wolf-rbac-x-real-ip-spoofing

Conversation

@shreemaan-abhishek (Contributor)

Description

The wolf-rbac plugin populates the clientIP parameter sent to wolf-server's /wolf/rbac/access_check endpoint by reading ctx.var.http_x_real_ip, the raw X-Real-IP request header. This bypasses nginx's real_ip module: even though APISIX configures real_ip_from = { "127.0.0.1", "unix:" } by default — meaning nginx correctly rejects X-Real-IP from untrusted sources when computing $remote_addr — the plugin reads the original header directly, so any external client can supply an arbitrary clientIP value.

This change replaces the raw-header read with core.request.get_remote_client_ip(ctx), which returns $remote_addr after real_ip processing. The new behavior is:

  • Behind a trusted proxy (listed in real_ip_from): forwards the real client IP from the trusted header — same behavior the previous code intended.
  • From untrusted sources: forwards the actual TCP peer address; the spoofed header is ignored, matching nginx's standard handling.

Which issue(s) this PR fixes:

Fixes #

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)
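The trust decision the fix relies on, modelled as an added example (not the plugin's Lua, nor APISIX or nginx code): nginx's real_ip honours X-Real-IP only when the TCP peer is listed in set_real_ip_from, so reading the raw header skips that check. The helper names, the trust list and the sample addresses are constructed for illustration.

```python
"""Model of the nginx real_ip decision behind the wolf-rbac fix.

Added example, not APISIX or wolf-rbac code. Trust list, header and
address values below are constructed for illustration.
"""
import ipaddress

# Constructed stand-in for APISIX's default real_ip_from list; the
# "unix:" entry is omitted because no socket peers appear in this model.
TRUSTED_PROXIES = ("127.0.0.1",)


def raw_header_ip(peer_addr, headers):
    """Pre-fix behaviour: trust X-Real-IP from anyone, fall back to peer."""
    return headers.get("x-real-ip") or peer_addr


def real_ip_client_addr(peer_addr, headers, trusted=TRUSTED_PROXIES):
    """Post-fix behaviour: what $remote_addr is after real_ip processing.

    Mirrors nginx's non-recursive real_ip rule: the header is honoured only
    when the TCP peer is in set_real_ip_from; otherwise the peer address wins.
    A header value that is not a valid IP is ignored rather than forwarded.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in ipaddress.ip_network(n, strict=False) for n in trusted):
        return peer_addr
    try:
        return str(ipaddress.ip_address(headers.get("x-real-ip", "")))
    except ValueError:
        return peer_addr


def access_check_client_ip(peer_addr, headers, fixed=True):
    """clientIP value that would be sent to /wolf/rbac/access_check."""
    resolve = real_ip_client_addr if fixed else raw_header_ip
    return resolve(peer_addr, headers)


if __name__ == "__main__":
    spoof = {"x-real-ip": "10.0.0.9"}  # constructed spoofed header
    print("untrusted peer, old:", access_check_client_ip("203.0.113.5", spoof, fixed=False))
    print("untrusted peer, new:", access_check_client_ip("203.0.113.5", spoof))
    print("trusted proxy, new :", access_check_client_ip("127.0.0.1", spoof))
```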

The plugin previously read the raw `X-Real-IP` request header to populate
the `clientIP` parameter sent to wolf-server, falling back to
`core.request.get_ip` only if the header was absent. Reading the raw
header bypasses nginx's `real_ip` module, so any client could supply an
arbitrary value regardless of the configured `real_ip_from` trusted
proxy chain.

Switch to `core.request.get_remote_client_ip`, which returns
`$remote_addr` after `real_ip` processing — both correct when APISIX is
behind a trusted proxy and unspoofable from untrusted sources.
@dosubot dosubot Bot added size:XS This PR changes 0-9 lines, ignoring generated files. bug Something isn't working labels May 5, 2026
Add regression coverage for the IP source change in wolf-rbac:

- Mock wolf-server now logs the `clientIP` query arg it receives, so
  tests can assert what the plugin forwarded.
- TEST 41: when the source is in `set_real_ip_from`, an `X-Real-IP`
  header is honored and forwarded to wolf-server.
- TEST 42: when the source is NOT in `set_real_ip_from`, a spoofed
  `X-Real-IP` is ignored and the actual peer address is forwarded.
@dosubot dosubot Bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:XS This PR changes 0-9 lines, ignoring generated files. labels May 5, 2026