fix: use getClientIp in webhook endpoint to prevent IP spoofing (#6014)#6047
fix: use getClientIp in webhook endpoint to prevent IP spoofing (#6014)#6047atul-upadhyay-7 wants to merge 6 commits into
Conversation
|
@atul-upadhyay-7 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel. A member of the Team first needs to authorize it. |
github-actions
Bot
added
status:blocked
Aamod-Dev
added
level:intermediate
Aamod-Dev
left a comment
Aamod-Dev
left a comment
There was a problem hiding this comment.
This is a solid security fix — swapping the raw
eq.headers.get('x-forwarded-for')\ in \�pp/api/webhook/route.ts:38\ for the proper \getClientIp(req)\ helper, with comprehensive test mocks in
oute.test.ts\ for unique IPs per test case. Unfortunately this PR has \status:blocked\ (failing CI), so I can't approve it yet. Get those CI checks green and I'll be happy to approve!
Aamod-Dev
left a comment
Aamod-Dev
left a comment
There was a problem hiding this comment.
Review
This PR cannot be approved in its current state due to blocking issues (status:blocked label, merge conflicts, needs-rebase label, and/or failing CI checks). Please resolve the blocking issues and re-request review.
Once unblocked, I'm happy to re-review! 💚
github-actions
Bot
removed
the
status:blocked
📦 Next.js Bundle Size Report (Gzipped Sizes)✨ No significant bundle size changes detected. 📊 Summary of Totals
|
2 participants
Summary
This PR fixes a security vulnerability where the webhook endpoint reads the client IP directly from x-forwarded-for instead of using the secure getClientIp() helper, making rate limiting trivially bypassable.
Changes
Added getClientIp import ():
Replaced direct header reading with getClientIp() ():
Updated tests ():
Security Benefits
Issue
Fixes #6014
Testing