
fix!: only trust x-forwarded-host from configured trusted proxies (#26204) (conflicts)#26299

Merged
f0ssel merged 3 commits into
release/2.33from
backport/26204-to-2.33
Jun 11, 2026

Conversation

@github-actions


Backport of #26204

Original PR: #26204 — fix!: only trust x-forwarded-host from configured trusted proxies
Merge commit: b5ef700
Requested by: @f0ssel

Warning

The automatic cherry-pick had conflicts.
Please resolve manually by cherry-picking the original merge commit:

git fetch origin backport/26204-to-2.33
git checkout backport/26204-to-2.33
git reset --hard origin/release/2.33
git cherry-pick -x -m1 b5ef700dd65fd369430b015b77818301b62021f9
# resolve conflicts, then push

The automatic cherry-pick of b5ef700 to release/2.33 had conflicts.
Please cherry-pick manually:

    git cherry-pick -x -m1 b5ef700
@github-actions github-actions Bot requested a review from f0ssel June 11, 2026 19:51
f0ssel and others added 2 commits June 11, 2026 20:26
…6204)

Subdomain app routing derived the app identity from
httpapi.RequestHost, which returned the client-supplied
X-Forwarded-Host header verbatim. No middleware validated or stripped
that header, so a request from an untrusted peer could forge it. Since
the application_connect cookie is scoped to the wildcard apps domain,
JavaScript in a share=authenticated app could fetch() with a forged
X-Forwarded-Host pointing at a victim's owner-only app; coderd routed
and authorized the request as the victim and returned the private app
response same-origin to the attacker.

Replace RequestHost with httpmw.EffectiveHost, which honors
X-Forwarded-Host only when the original socket peer is a configured
trusted origin, otherwise falling back to the received Host header.
This ties host trust to the same RealIPConfig model already used for
X-Forwarded-For and -Proto. Wire it into HandleSubdomain for both
coderd and wsproxy, and log both the effective host and the raw
received_host.

Add coverage: EffectiveHost unit tests assert the trust decision uses
the socket peer rather than the spoofable forwarded client IP, and a
HandleSubdomain test confirms a forged X-Forwarded-Host from an
untrusted peer never reaches token resolution.

Refs: https://linear.app/codercom/issue/PLAT-259
(cherry picked from commit b5ef700)
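The trust decision the commit message describes, as an added illustration in Go: it is not coder's own httpmw.EffectiveHost or RealIPConfig, and the function names, the CIDR-list configuration format and the sample addresses are constructed for this example. The point it shows is that the peer check reads the socket peer (r.RemoteAddr), never a forwarded client IP, and that an X-Forwarded-Host from an untrusted peer is dropped in favour of the received Host header.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// parseTrustedProxies parses a list of CIDR ranges or bare IPs into networks.
// The list format is an assumption for this example, not the project's config.
func parseTrustedProxies(entries []string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		// Bare IPs become single-host networks.
		if !strings.Contains(e, "/") {
			if strings.Contains(e, ":") {
				e += "/128"
			} else {
				e += "/32"
			}
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", e, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// peerIsTrusted decides trust from the socket peer address only. Headers such
// as X-Forwarded-For are deliberately not consulted: they are client-supplied.
func peerIsTrusted(remoteAddr string, trusted []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// effectiveHost mirrors the policy in the commit message: X-Forwarded-Host is
// honored only when the peer is a configured trusted proxy; otherwise the host
// the server actually received is used. Both values are returned so a handler
// can log the effective and the raw received host side by side.
func effectiveHost(r *http.Request, trusted []*net.IPNet) (effective, received string) {
	received = r.Host
	if !peerIsTrusted(r.RemoteAddr, trusted) {
		return received, received
	}
	fwd := strings.TrimSpace(r.Header.Get("X-Forwarded-Host"))
	if fwd == "" {
		return received, received
	}
	// A proxy chain may append a comma-separated list; the first entry is the
	// host the outermost proxy saw.
	if i := strings.Index(fwd, ","); i >= 0 {
		fwd = strings.TrimSpace(fwd[:i])
	}
	return fwd, received
}

func main() {
	// Constructed sample: one trusted proxy range and two requests that carry
	// the same forwarded header but arrive from different socket peers.
	trusted, err := parseTrustedProxies([]string{"10.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	for _, peer := range []string{"10.1.2.3:8080", "203.0.113.5:44321"} {
		r, _ := http.NewRequest(http.MethodGet, "http://coder.example.com/", nil)
		r.RemoteAddr = peer
		r.Header.Set("X-Forwarded-Host", "app.apps.example.com")
		eff, raw := effectiveHost(r, trusted)
		fmt.Printf("peer=%s effective_host=%s received_host=%s\n", peer, eff, raw)
	}
}
```

With the sample configuration, the request from 10.1.2.3 resolves to the forwarded host and the request from 203.0.113.5 is routed by the received Host header, which is the behaviour the HandleSubdomain test in the original PR checks for.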
@f0ssel f0ssel merged commit fa46906 into release/2.33 Jun 11, 2026
27 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 11, 2026
@f0ssel f0ssel deleted the backport/26204-to-2.33 branch June 11, 2026 20:52