zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-06-10 10:13:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): replace spoofable X-Forwarded-For with getRemoteAddr in rate limiter

Browse Source 
X-Forwarded-For is client-controlled and trivially bypassable for rate
limiting. Replaced with HttpServletRequest.getRemoteAddr() which uses
the container-provided remote address. Added note about configuring
quarkus.http.proxy.proxy-address-forwarding for trusted proxy setups.
This commit is contained in:
AlexisLeDain
2026-04-09 16:07:46 +02:00
parent 893eca0369
commit 8f65048bc3
3 changed files with 35 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
docs/ja-JP/skills/quarkus-security/SKILL.md
View File

@@ -286,14 +286,20 @@ quarkus.vault.authentication.kubernetes.role=my-role
## レート制限
**セキュリティ注意**: `X-Forwarded-For`を直接使用しないでください — クライアントが偽装できます。
サーブレットリクエストの実際のリモートアドレス、または認証済みIDを使用してください。
```java
@ApplicationScoped
public class RateLimitFilter implements ContainerRequestFilter {
private final Map<String, RateLimiter> limiters = new ConcurrentHashMap<>();
@Inject
HttpServletRequest servletRequest;
@Override
public void filter(ContainerRequestContext requestContext) {
String clientId = getClientIdentifier(requestContext);
String clientId = getClientIdentifier();
RateLimiter limiter = limiters.computeIfAbsent(clientId,
k -> RateLimiter.create(100.0)); // 1秒あたり100リクエスト
@@ -306,9 +312,10 @@ public class RateLimitFilter implements ContainerRequestFilter {
}
}
private String getClientIdentifier(ContainerRequestContext ctx) {
// IP、APIキー、またはユーザーIDを使用
return ctx.getHeaderString("X-Forwarded-For");
private String getClientIdentifier() {
// コンテナ提供のリモートアドレスを使用X-Forwarded-Forではない
// 信頼できるプロキシの背後にある場合はquarkus.http.proxy.proxy-address-forwarding=trueを設定。
return servletRequest.getRemoteAddr();
}
}
```

15
docs/tr/skills/quarkus-security/SKILL.md
View File

@@ -333,14 +333,20 @@ public class SecretService {
## Rate Limiting (Hız Sınırlama)
**Güvenlik Notu**: `X-Forwarded-For` doğrudan kullanmayın — istemciler bunu taklit edebilir.
Servlet request'ten gerçek uzak adresi veya kimliği doğrulanmış bir kimlik (API anahtarı, JWT subject) kullanın.
```java
@ApplicationScoped
public class RateLimitFilter implements ContainerRequestFilter {
private final Map<String, RateLimiter> limiters = new ConcurrentHashMap<>();
@Inject
HttpServletRequest servletRequest;
@Override
public void filter(ContainerRequestContext requestContext) {
String clientId = getClientIdentifier(requestContext);
String clientId = getClientIdentifier();
RateLimiter limiter = limiters.computeIfAbsent(clientId,
k -> RateLimiter.create(100.0)); // Saniyede 100 istek
@@ -353,9 +359,10 @@ public class RateLimitFilter implements ContainerRequestFilter {
}
}
private String getClientIdentifier(ContainerRequestContext ctx) {
// IP, API anahtarı veya kullanıcı ID'si kullanın
return ctx.getHeaderString("X-Forwarded-For");
private String getClientIdentifier() {
// Konteyner tarafından sağlanan uzak adresi kullanın (X-Forwarded-For değil).
// Güvenilir proxy arkasındaysanız quarkus.http.proxy.proxy-address-forwarding=true ayarlayın.
return servletRequest.getRemoteAddr();
}
}
```

17
skills/quarkus-security/SKILL.md
View File

@@ -333,14 +333,21 @@ public class SecretService {
## Rate Limiting
**Security Note**: Never use `X-Forwarded-For` directly — clients can spoof it.
Use the actual remote address from the servlet request, or an authenticated
identity (API key, JWT subject) when available.
```java
@ApplicationScoped
public class RateLimitFilter implements ContainerRequestFilter {
private final Map<String, RateLimiter> limiters = new ConcurrentHashMap<>();
@Inject
HttpServletRequest servletRequest;
@Override
public void filter(ContainerRequestContext requestContext) {
String clientId = getClientIdentifier(requestContext);
String clientId = getClientIdentifier();
RateLimiter limiter = limiters.computeIfAbsent(clientId,
k -> RateLimiter.create(100.0)); // 100 requests per second
@@ -353,9 +360,11 @@ public class RateLimitFilter implements ContainerRequestFilter {
}
}
private String getClientIdentifier(ContainerRequestContext ctx) {
// Use IP, API key, or user ID
return ctx.getHeaderString("X-Forwarded-For");
private String getClientIdentifier() {
// Use the container-provided remote address (not X-Forwarded-For).
// If behind a trusted proxy, configure quarkus.http.proxy.proxy-address-forwarding=true
// so getRemoteAddr() returns the real client IP.
return servletRequest.getRemoteAddr();
}
}
```