Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remix-express/server throws error on IPv6 host or X-Forwarded-Host #9346

Open
a47ae opened this issue Apr 30, 2024 · 3 comments
Open

remix-express/server throws error on IPv6 host or X-Forwarded-Host #9346

a47ae opened this issue Apr 30, 2024 · 3 comments
Labels
adapter:express bug:unverified

Comments

@a47ae
Copy link

a47ae commented Apr 30, 2024

Reproduction

The remix-express/server tries to parse the port number from either the host or the X-Forwarded-Host header remix-express/server.ts#L92. In the case that one of them is an IPv6 address the code incorrectly identifies part of the ip address as port because it splits at colons and IPv6 addresses can contain colons.

I created an example here: https://stackblitz.com/edit/remix-run-remix-edjlfm?file=app%2Froutes%2F_index.tsx
The button fetches the current site but adds a custom X-Forwarded-Host header to emulate a server environment. One should see that the request fails and the server logs an Invalid URL error.

We noticed this error with our remix application behind a reverse proxy which does health checks using the internal IPv6 address.

System Info

stackblitz fork, latest packages

"@remix-run/node": "*",
"@remix-run/react": "*",
"@remix-run/serve": "*"


### Used Package Manager

npm

### Expected Behavior

The express server does work even if host or `X-Forwarded-Host` header is an IPv6 address.

### Actual Behavior

The express server throws an error because an invalid url is constructed.
@ngbrown
Copy link
Contributor

ngbrown commented Apr 30, 2024
edited

Just a note on IPv6 request formatting in browsers... A correctly formatted Host header with an IPv6 address would have the address in square brackets. e.g. for localhost on port 3000:

Host: [::1]:3000

I would assume a correct X-Forwarded-Host would be the same.

As in a browser doesn't even make a request on this: http://::1:3000. Instead in needs to be formatted like this: http://[::1]:3000/ or http://[0:0:0:0:0:0:0:1]:3000/.

@a47ae
Copy link
Author

a47ae commented Apr 30, 2024

Hey @ngbrown I am not sure how the host header is passed, but it could be possible that it is passed with square brackets. This would still result in the described error, but then it should be possible to extract the port from the header because we know when the IP part ends and the port part starts. I try to get some information how it is passed in the live system.

@ngbrown
Copy link
Contributor

ngbrown commented Apr 30, 2024

@a47ae no worries. I had seen that your example still failed with square brackets, but I wanted to call it out so the tests and implementation didn't get written incorrectly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
adapter:express bug:unverified
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ngbrown @brophdawg11 @a47ae