fix(security): replace spoofable X-Forwarded-For with getRemoteAddr in rate limiter

X-Forwarded-For is client-controlled and trivially bypassable for rate limiting. Replaced with HttpServletRequest.getRemoteAddr() which uses the container-provided remote address. Added note about configuring quarkus.http.proxy.proxy-address-forwarding for trusted proxy setups.
2026-06-11 02:33:10 +08:00 · 2026-04-09 16:07:46 +02:00
parent 893eca0369
commit 8f65048bc3
3 changed files with 35 additions and 12 deletions
--- a/docs/tr/skills/quarkus-security/SKILL.md
+++ b/docs/tr/skills/quarkus-security/SKILL.md
@@ -333,14 +333,20 @@ public class SecretService {

 ## Rate Limiting (Hız Sınırlama)

+**Güvenlik Notu**: `X-Forwarded-For` doğrudan kullanmayın — istemciler bunu taklit edebilir.
+Servlet request'ten gerçek uzak adresi veya kimliği doğrulanmış bir kimlik (API anahtarı, JWT subject) kullanın.
+
 ```java
@ApplicationScoped
 public class RateLimitFilter implements ContainerRequestFilter {
  private final Map<String, RateLimiter> limiters = new ConcurrentHashMap<>();

+  @Inject
+  HttpServletRequest servletRequest;
+
  @Override
  public void filter(ContainerRequestContext requestContext) {
-    String clientId = getClientIdentifier(requestContext);
+    String clientId = getClientIdentifier();
    RateLimiter limiter = limiters.computeIfAbsent(clientId, 
        k -> RateLimiter.create(100.0)); // Saniyede 100 istek

@@ -353,9 +359,10 @@ public class RateLimitFilter implements ContainerRequestFilter {
    }
  }

-  private String getClientIdentifier(ContainerRequestContext ctx) {
-    // IP, API anahtarı veya kullanıcı ID'si kullanın
-    return ctx.getHeaderString("X-Forwarded-For");
+  private String getClientIdentifier() {
+    // Konteyner tarafından sağlanan uzak adresi kullanın (X-Forwarded-For değil).
+    // Güvenilir proxy arkasındaysanız quarkus.http.proxy.proxy-address-forwarding=true ayarlayın.
+    return servletRequest.getRemoteAddr();
  }
 }
 ```