test: export + unit-test resolveTrustProxy (#61) #105

Closed
opened 2026-06-21 05:05:39 +03:00 by Ghost · 0 comments

PR #101 (commit 52159135, closes #61) added `resolveTrustProxy()` — apps/server/src/main.ts:22 — the fix against X-Forwarded-For spoofing (safe default `loopback, linklocal, uniquelocal` instead of trust-all).

**Gap:** untested **and not exported**, so it cannot be tested as-is. A regression (e.g. parsing `false` as the string/int fallback, or losing the safe default → `true`) would silently re-open the XFF spoofing hole the /mcp + share-AI per-IP limiters depend on.

**Needed:** export `resolveTrustProxy` (or move to a small helper module) and unit-test each branch: `''`/undefined → `'loopback, linklocal, uniquelocal'`; `'true'` → true; `'false'` → false; `'2'` → 2; `'10.0.0.0/8'` → passthrough; non-numeric/`-1` → passthrough string.

_Found in code review of PR #101._

Ghost added the `test`, `security` labels 2026-06-21 05:05:39 +03:00
Ghost closed this issue 2026-06-21 14:10:36 +03:00
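The resolver contract the issue spells out, written up as an added example (not code from the project's `main.ts` or from the reporter): a reference implementation of each branch, a table-driven check that a unit test could be built on, the regressed variant the issue warns about, and a simplified X-Forwarded-For walk showing what the safe default changes versus trust-all. Everything here is an assumption for illustration: the string-in signature of `resolveTrustProxy`, the names `SAFE_TRUST_PROXY`, `CASES`, `failingCases`, `buggyResolveTrustProxy` and `clientIp`, and the constructed sample addresses. `clientIp` models only the `loopback` keyword and is not proxy-addr's code.

```typescript
// Added example, not the project's code: a reference implementation of the
// resolveTrustProxy() contract described in this issue (function name and its
// string-in signature are assumptions), a table-driven check of every branch,
// and a simplified X-Forwarded-For walk showing what the safe default changes.

// Safe default from the issue: only trust proxies on local/private ranges.
export const SAFE_TRUST_PROXY = "loopback, linklocal, uniquelocal";

export type TrustProxy = boolean | number | string;

// One branch per case listed in the issue. Order matters: "false" must be
// handled before the generic string fallback, and only a plain non-negative
// integer is a hop count, so "-1" stays a passthrough string.
export function resolveTrustProxy(raw: string | undefined): TrustProxy {
  if (raw === undefined) return SAFE_TRUST_PROXY;
  const v = raw.trim();
  if (v === "") return SAFE_TRUST_PROXY;
  if (v === "true") return true;
  if (v === "false") return false;
  if (/^\d+$/.test(v)) return Number(v);
  return v; // CIDR / keyword list such as "10.0.0.0/8" or "loopback"
}

// Expected result for every branch (constructed test table).
export const CASES: ReadonlyArray<readonly [string | undefined, TrustProxy]> = [
  [undefined, SAFE_TRUST_PROXY],
  ["", SAFE_TRUST_PROXY],
  ["true", true],
  ["false", false],
  ["2", 2],
  ["10.0.0.0/8", "10.0.0.0/8"],
  ["-1", "-1"],
  ["loopback, 10.0.0.0/8", "loopback, 10.0.0.0/8"],
];

// Returns the inputs for which `fn` disagrees with CASES; [] means all pass.
export function failingCases(
  fn: (raw: string | undefined) => TrustProxy = resolveTrustProxy,
): string[] {
  return CASES.filter(([input, want]) => fn(input) !== want).map(([input]) => String(input));
}

// The regression the issue warns about: "false" falls into the string branch.
export function buggyResolveTrustProxy(raw: string | undefined): TrustProxy {
  if (!raw) return SAFE_TRUST_PROXY;
  if (raw === "true") return true;
  if (/^\d+$/.test(raw)) return Number(raw);
  return raw; // returns the string "false", i.e. a bogus proxy list
}

// Simplified client-IP resolution using the usual stop-at-first-untrusted-hop
// rule (illustrative only, not proxy-addr's code). Only the "loopback" keyword
// is modelled; other keywords and CIDR entries count as untrusted here.
export function clientIp(remoteAddr: string, xff: string | undefined, trust: TrustProxy): string {
  const hops = xff ? xff.split(",").map((s) => s.trim()).filter(Boolean) : [];
  // index 0 = TCP peer, then XFF entries right-to-left (nearest proxy first)
  const chain = [remoteAddr, ...hops.reverse()];
  const trusted = (addr: string, i: number): boolean => {
    if (trust === true) return true;
    if (trust === false) return false;
    if (typeof trust === "number") return i < trust;
    const keywords = trust.split(",").map((s) => s.trim());
    return keywords.includes("loopback") && (addr === "127.0.0.1" || addr === "::1");
  };
  let i = 0;
  while (i < chain.length - 1 && trusted(chain[i], i)) i++;
  return chain[i];
}
```

`failingCases()` returns the table inputs whose result diverges, so a unit test only needs to assert that it is empty; run it against `buggyResolveTrustProxy` and it reports `['false']`, which is exactly the silent regression the issue describes. The `clientIp` calls show the consequence: with trust-all, a direct connection from `203.0.113.5` that sends `X-Forwarded-For: 198.51.100.7` is rate-limited as `198.51.100.7`, while the safe default keeps `203.0.113.5` because the peer is not a loopback proxy.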

Reference: vvzvlad/gitmost#105