
fix(proxy): enable trust proxy for Traefik compatibility#77

Merged
palhamel merged 5 commits into main from fix/codeql-alerts
Jun 26, 2026

Conversation

@palhamel (Owner)

Summary

  • Adds app.set('trust proxy', 1) to Express app so express-rate-limit correctly reads client IPs from X-Forwarded-For headers set by Traefik
  • Fixes ERR_ERL_UNEXPECTED_X_FORWARDED_FOR validation error causing 500 crashes on all requests behind Traefik reverse proxy

Root cause

Traefik sets X-Forwarded-For on all proxied requests. Without trust proxy, express-rate-limit detects this as a misconfiguration and throws a ValidationError, which hits the global error handler and returns 500.

Test plan

  • Merge and auto-deploy to Coolify
  • Test contact form on kodfika.se/about — should return 200 and deliver Discord notification
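To make the root cause concrete, here is an added example (not code from this repository or from Express itself) that models how Express resolves the client address for a numeric `trust proxy` hop count, following the ordering used by the proxy-addr package Express delegates to; the request objects, addresses and the `rateLimitKey` helper are constructed for illustration, and the hop-count walk is a simplified restatement rather than the library's own code.

```javascript
// Added example, not the kodfika project's code. Models Express's numeric
// `trust proxy` semantics (hop count), as implemented by proxy-addr, to show
// which X-Forwarded-For entry express-rate-limit ends up keying on.

// Split X-Forwarded-For into trimmed, non-empty entries.
// Leftmost = earliest claim (possibly client-supplied), rightmost = value
// appended by the proxy closest to the app (Traefik in this deployment).
function parseForwardedFor(header) {
  if (!header) return [];
  return header.split(',').map((s) => s.trim()).filter(Boolean);
}

// Candidate chain in proxy-addr order: the TCP peer first, then the
// X-Forwarded-For entries from right (nearest proxy) to left (farthest claim).
// With a hop count of N, the first N addresses are trusted and the address
// after them is reported as the client. A hop count of 0 means "trust proxy"
// is off and the TCP peer (Traefik's container IP) is returned.
function clientIp(socketAddr, xffHeader, trustedHops) {
  const chain = [socketAddr, ...parseForwardedFor(xffHeader).reverse()];
  let i = 0;
  while (i + 1 < chain.length && i < trustedHops) i++;
  return chain[i];
}

// What express-rate-limit would use as the bucket key for a request.
// req is a constructed stand-in: { socket: peer address, xff: header value }.
function rateLimitKey(req, trustedHops) {
  return clientIp(req.socket, req.xff, trustedHops);
}

// Constructed sample requests (RFC 5737 documentation addresses).
const viaTraefik = { socket: '172.18.0.2', xff: '203.0.113.9' };
const spoofAttempt = { socket: '172.18.0.2', xff: '198.51.100.7, 203.0.113.9' };
const direct = { socket: '203.0.113.9', xff: undefined };

console.log(rateLimitKey(viaTraefik, 1));     // 203.0.113.9  (the PR's setting)
console.log(rateLimitKey(spoofAttempt, 1));   // 203.0.113.9  (client's own entry ignored)
console.log(rateLimitKey(spoofAttempt, Infinity)); // 198.51.100.7 (trust proxy true: spoofable)
console.log(rateLimitKey(direct, 1));         // 203.0.113.9  (no header: falls back to peer)
console.log(rateLimitKey(viaTraefik, 0));     // 172.18.0.2   (trust proxy off: every request shares Traefik's IP)
```

The hop count of 1 chosen in this PR trusts exactly the Traefik hop, so the limiter keys on the address Traefik appended; `true` would trust every hop and let a client pick its own bucket by prepending an entry.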

palhamel added 5 commits May 20, 2026 10:12
- sanitize.ts: remove while loop on HTML tag regex (polynomial-redos)
- sanitize.ts: loop on*= handler strip until stable (incomplete-multi-char-sanitization)
- validate.ts: guard email regex with length > 254 check (polynomial-redos)
- app.ts: replace /*/g instead of first-only * in CORS wildcard (incomplete-sanitization)
- slack.test.ts: use exact field format instead of includes() for URL assertion (incomplete-url-substring-sanitization)

/<[^>]*>/g requires backtracking on inputs like '<aaaa' (no closing '>'),
making it O(n²) in the worst case. Replace with /<[^>]*/g (no trailing '>'
required) which greedily consumes without backtracking, then strip remaining
'>' separately. Fixes both CodeQL polynomial-redos and incomplete-multi-char-
sanitization alerts on sanitize.ts.
…CodeQL

Both /<[^>]*>/g and /<[^>]*/g are flagged by CodeQL as polynomial-redos
on inputs with many '<' chars and no '>'. Replace with an explicit loop
that walks the string character by character, tracking whether we are
inside a tag. No regex involved — O(n), no backtracking possible, and
CodeQL cannot flag incomplete sanitization since '<' is structurally
excluded from the output.
…lert

The index-based for loop over str.length was flagged as js/loop-bound-injection
since str.length is user-controlled. Switch to for-of which iterates via the
iterator protocol without accessing .length.

Adds app.set('trust proxy', 1) so express-rate-limit correctly reads
client IPs from X-Forwarded-For headers set by Traefik, preventing
ERR_ERL_UNEXPECTED_X_FORWARDED_FOR validation errors and 500 crashes.
@palhamel palhamel merged commit 47e2ec5 into main Jun 26, 2026
4 checks passed
@palhamel palhamel deleted the fix/codeql-alerts branch June 26, 2026 12:04