add trusted proxies

Author: 0xdu

code-secure-api/code-secure-api.sln.DotSettings.user

@@ -16,6 +16,7 @@
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIdentityUser_00601_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2024_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F99c3d2e0c73c44a3ba4adfb05dce7a4612000_003F6b_003F8586a419_003FIdentityUser_00601_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIError_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2024_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F96520fd986094506b111be52efa0680bd000_003F48_003F638f4741_003FIError_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AInternalRedmineApiWebClient_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2024_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003Fbcb13713decf44c2a04d14c05ebda1c53ec00_003Fa2_003F1beacdf3_003FInternalRedmineApiWebClient_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIPAddress_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2024_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F0a489d3d54014e478fd83ef812b0128b3ca00_003Fd1_003Fe856bf33_003FIPAddress_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIServiceScope_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2024_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F9efc724329ab415f9a4af6b465bba4d621800_003Fa7_003F0967fc6a_003FIServiceScope_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIssue_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2024_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F405cf7b3ac594d93a66a6babf366c2313dc00_003F95_003Fa43ffe07_003FIssue_002Ecs_002Fz_003A2_002D1/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ALoggerExtensions_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2024_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003Faf4d3aff100447d99509a5a8d2ea755f23200_003Fca_003Fb81666be_003FLoggerExtensions_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>

code-secure-api/code-secure-api/Api/ApiServer.cs

@@ -1,3 +1,5 @@
+using System.Net;
+using System.Net.Sockets;
 using System.Text.Json.Serialization;
 using System.Text.RegularExpressions;
 using CodeSecure.Application;
@@ -10,6 +12,7 @@
 using Microsoft.AspNetCore.Mvc.ApplicationModels;
 using Scalar.AspNetCore;
 using Serilog;
+using IPNetwork = Microsoft.AspNetCore.HttpOverrides.IPNetwork;
 
 namespace CodeSecure.Api;
 
@@ -20,7 +23,9 @@ public static void Run(string[] args)
         var builder = WebApplication.CreateBuilder(args);
         builder.Services.Configure<ForwardedHeadersOptions>(options =>
         {
-            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
+            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost |
+                                       ForwardedHeaders.XForwardedFor;
+            options.AddTrustedProxies(Configuration.TrustedProxies);
         });
         builder.Host.UseSerilog((context, configuration) =>
             configuration.ReadFrom.Configuration(context.Configuration));
@@ -89,6 +94,54 @@ public static void Run(string[] args)
         app.LoadAuthenticationProviders();
         app.Run();
     }
+
+    private static void AddTrustedProxies(this ForwardedHeadersOptions options, string trustedProxies)
+    {
+        if (string.IsNullOrWhiteSpace(trustedProxies))
+            return;
+        var proxies = trustedProxies.Split(',', StringSplitOptions.RemoveEmptyEntries);
+
+        foreach (var proxy in proxies)
+        {
+            var trimmedProxy = proxy.Trim();
+            // Check if it's a CIDR block
+            if (trimmedProxy.Contains('/'))
+            {
+                if (TryParseIpNetwork(trimmedProxy, out var network, out var prefixLength))
+                {
+                    options.KnownNetworks.Add(new IPNetwork(network, prefixLength));
+                }
+            }
+            // Single IP address
+            else if (IPAddress.TryParse(trimmedProxy, out var ipAddress))
+            {
+                options.KnownProxies.Add(ipAddress);
+            }
+        }
+    }
+
+    private static bool TryParseIpNetwork(string cidr, out IPAddress network, out int prefixLength)
+    {
+        network = IPAddress.None;
+        prefixLength = 0;
+
+        var parts = cidr.Split('/');
+        if (parts.Length != 2)
+            return false;
+
+        if (!IPAddress.TryParse(parts[0], out network))
+            return false;
+
+        if (!int.TryParse(parts[1], out prefixLength))
+            return false;
+
+        // Validate prefix length based on address family
+        var maxPrefixLength = network.AddressFamily == AddressFamily.InterNetwork ? 32 : 128;
+        if (prefixLength < 0 || prefixLength > maxPrefixLength)
+            return false;
+
+        return true;
+    }
 }
 
 internal sealed partial class SlugifyParameterTransformer : IOutboundParameterTransformer

code-secure-api/code-secure-api/Application/AppConfig.cs

@@ -32,6 +32,9 @@ public class AppConfig
 
     [Option(Env = "FRONTEND_URL", Default = "")]
     public string FrontendUrl { get; set; } = string.Empty;
+    
+    [Option(Env = "TRUSTED_PROXIES", Default = "")]
+    public string TrustedProxies { get; set; } = string.Empty;
 
     [JsonIgnore] internal SecurityKey AccessTokenSecurityKey = null!;
     [JsonIgnore] internal SecurityKey RefreshTokenSecurityKey = null!;

code-secure-api/code-secure-api/Application/Configuration.cs

@@ -7,10 +7,11 @@ public static class Configuration
     private static readonly AppConfig Config = AppConfig.Load();
     public const string AppName = "CodeSecure";
     public static string FrontendUrl => Config.FrontendUrl;
+    public static string TrustedProxies => Config.TrustedProxies;
 
     public static string DbConnectionString =>
         $"Host={Config.DbServer};Database={Config.DbName};Username={Config.DbUsername};Password={Config.DbPassword}";
-
+    
     public static string SystemPassword => Config.SystemPassword;
     public static SecurityKey AccessTokenKey => Config.AccessTokenSecurityKey;
     public static SecurityKey RefreshTokenKey => Config.RefreshTokenSecurityKey;