Rescue from IpSpoofAttackError when using remote IP

Some proxies seem to be setting the Client-IP HTTP header to 127.0.0.1. Rails checks that Client-IP is contained in X-Forwarded-For and raises the error. We decided to rescue in this individual case rather than adding a middleware to strip Client-IP (http://writeheavy.com/2011/07/31/when-its-ok-to-turn-of-rails-ip-spoof-checking.html#well_thats_stupid_can_we_turn_it_off) so that we don't introduce unexpected behaviour. If we start to do anything more with request.remote_ip, then we should look at doing so. See http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection for an in-depth look at this issue.
author: Gareth Rees <gareth@mysociety.org> 2014-04-14 10:03:10 +0100
committer: Gareth Rees <gareth@mysociety.org> 2014-04-14 14:58:56 +0100
commit: 8d3b3044fb4a606b76a03abbb71064bcb4875704 (patch)
tree: 53f1345b498e7b75c25ac7d8fabf6ba16928cb97 /spec/integration/ip_spoofing_spec.rb
parent: d1f2d56834688c5b449ac8c50b67dff0672ca074 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/spec/integration/ip_spoofing_spec.rb b/spec/integration/ip_spoofing_spec.rb
new file mode 100644
index 000000000..073f71ad6
--- /dev/null
+++ b/spec/integration/ip_spoofing_spec.rb
@@ -0,0 +1,11 @@
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe 'when getting a country message' do
+
+    it 'should not raise an IP spoofing error when given mismatched headers' do
+        get '/country_message', nil, { 'HTTP_X_FORWARDED_FOR' => '1.2.3.4',
+                                       'HTTP_CLIENT_IP' => '5.5.5.5' }
+        response.status.should == 200
+    end
+
+end
author	Gareth Rees <gareth@mysociety.org>	2014-04-14 10:03:10 +0100
committer	Gareth Rees <gareth@mysociety.org>	2014-04-14 14:58:56 +0100
commit	8d3b3044fb4a606b76a03abbb71064bcb4875704 (patch)
tree	53f1345b498e7b75c25ac7d8fabf6ba16928cb97 /spec/integration/ip_spoofing_spec.rb
parent	d1f2d56834688c5b449ac8c50b67dff0672ca074 (diff)