Merge pull request #499 from benoitf/OPENVSX-498

fix: X-Forwarded-Host header can be array or comma separated list

Author: amvanbaren

server/src/main/java/org/eclipse/openvsx/util/UrlUtil.java

@@ -12,6 +12,9 @@
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 
+import java.util.ArrayList;
+import java.util.Collections;
+
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.lang3.ArrayUtils;
@@ -159,11 +162,19 @@ protected static String getBaseUrl(HttpServletRequest request) {
         // Use the host and port from the X-Forwarded-Host header if present
         String host;
         int port;
-        var forwardedHost = request.getHeader("X-Forwarded-Host");
-        if (forwardedHost == null) {
+        var forwardedHostHeadersEnumeration = request.getHeaders("X-Forwarded-Host");
+        if (forwardedHostHeadersEnumeration == null || !forwardedHostHeadersEnumeration.hasMoreElements()) {
             host = request.getServerName();
             port = request.getServerPort();
         } else {
+            // take the first one
+            var forwardedHost = forwardedHostHeadersEnumeration.nextElement();
+
+            // if it's comma separated, take the first one
+            var forwardedHosts = forwardedHost.split(",");
+            if (forwardedHosts.length > 1) {
+                forwardedHost = forwardedHosts[0];
+            }
             int colonIndex = forwardedHost.lastIndexOf(':');
             if (colonIndex > 0) {
                 host = forwardedHost.substring(0, colonIndex);

server/src/test/java/org/eclipse/openvsx/util/UrlUtilTest.java

@@ -12,6 +12,9 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.doReturn;
 
+import java.util.ArrayList;
+import java.util.Collections;
+
 import javax.servlet.http.HttpServletRequest;
 
 import org.junit.jupiter.api.AfterEach;
@@ -100,9 +103,49 @@ public void testWithXForwarded() throws Exception {
 
         // XForwarded content
         doReturn("https").when(request).getHeader("X-Forwarded-Proto");
-        doReturn("open-vsx.org").when(request).getHeader("X-Forwarded-Host");
+        var items = new ArrayList<String>();
+        items.add("open-vsx.org");
+        doReturn(Collections.enumeration(items)).when(request).getHeaders("X-Forwarded-Host");
         doReturn("/openvsx").when(request).getHeader("X-Forwarded-Prefix");
         assertThat(UrlUtil.getBaseUrl(request)).isEqualTo("https://open-vsx.org/openvsx/");
-    }    
+    } 
+
+    // Check base URL is using array X-Forwarded-Host headers
+    @Test
+    public void testWithXForwardedHostArray() throws Exception {
+        // basic request
+        doReturn("http").when(request).getScheme();
+        doReturn("localhost").when(request).getServerName();
+        doReturn(8080).when(request).getServerPort();
+        doReturn("/").when(request).getContextPath();
+
+        // XForwarded content
+        doReturn("https").when(request).getHeader("X-Forwarded-Proto");
+        var items = new ArrayList<String>();
+        items.add("open-vsx.org");
+        items.add("foo.com");
+        items.add("bar.com");
+        doReturn(Collections.enumeration(items)).when(request).getHeaders("X-Forwarded-Host");
+        doReturn("/openvsx").when(request).getHeader("X-Forwarded-Prefix");
+        assertThat(UrlUtil.getBaseUrl(request)).isEqualTo("https://open-vsx.org/openvsx/");
+    }
+
+    // Check base URL is using comma separated X-Forwarded-Host headers
+    @Test
+    public void testWithXForwardedHostCommaSeparated() throws Exception {
+        // basic request
+        doReturn("http").when(request).getScheme();
+        doReturn("localhost").when(request).getServerName();
+        doReturn(8080).when(request).getServerPort();
+        doReturn("/").when(request).getContextPath();
+
+        // XForwarded content
+        doReturn("https").when(request).getHeader("X-Forwarded-Proto");
+        var items = new ArrayList<String>();
+        items.add("open-vsx.org, foo.com, bar.com");
+        doReturn(Collections.enumeration(items)).when(request).getHeaders("X-Forwarded-Host");
+        doReturn("/openvsx").when(request).getHeader("X-Forwarded-Prefix");
+        assertThat(UrlUtil.getBaseUrl(request)).isEqualTo("https://open-vsx.org/openvsx/");
+    }
 
 }