host parse (#13309)

jacob-ebey · web-flow · commit 6fdb79b73cb0 · 2025-03-26T14:16:32.000-07:00
diff --git a/.changeset/honest-mangos-sneeze.md b/.changeset/honest-mangos-sneeze.md
@@ -0,0 +1,5 @@
+---
+"@react-router/express": patch
+---
+
+Better validation of `x-forwarded-host` header to preent potential security issues.
diff --git a/packages/react-router-express/__tests__/server-test.ts b/packages/react-router-express/__tests__/server-test.ts
@@ -217,4 +217,28 @@ describe("express createRemixRequest", () => {
     );
     expect(remixRequest.headers.get("host")).toBe("localhost:3000");
   });
+
+  it("validates parsed port", async () => {
+    let expressRequest = createRequest({
+      url: "/foo/bar",
+      method: "GET",
+      protocol: "http",
+      hostname: "localhost",
+      headers: {
+        "Cache-Control": "max-age=300, s-maxage=3600",
+        Host: "localhost:3000",
+        "x-forwarded-host": ":/spoofed"
+      },
+    });
+    let expressResponse = createResponse();
+
+    let remixRequest = createRemixRequest(expressRequest, expressResponse);
+
+    expect(remixRequest.method).toBe("GET");
+    expect(remixRequest.headers.get("cache-control")).toBe(
+      "max-age=300, s-maxage=3600"
+    );
+    expect(remixRequest.headers.get("host")).toBe("localhost:3000");
+    expect(remixRequest.url).toBe("http://localhost:3000/foo/bar");
+  });
 });
diff --git a/packages/react-router-express/server.ts b/packages/react-router-express/server.ts
@@ -98,9 +98,15 @@ export function createRemixRequest(
 ): Request {
   // req.hostname doesn't include port information so grab that from
   // `X-Forwarded-Host` or `Host`
-  let [, hostnamePort] = req.get("X-Forwarded-Host")?.split(":") ?? [];
-  let [, hostPort] = req.get("host")?.split(":") ?? [];
-  let port = hostnamePort || hostPort;
+  let [, hostnamePortStr] = req.get("X-Forwarded-Host")?.split(":") ?? [];
+  let [, hostPortStr] = req.get("host")?.split(":") ?? [];
+  let hostnamePort = Number.parseInt(hostnamePortStr, 10);
+  let hostPort = Number.parseInt(hostPortStr, 10);
+  let port = Number.isSafeInteger(hostnamePort)
+    ? hostnamePort
+    : Number.isSafeInteger(hostPort)
+    ? hostPort
+    : "";
   // Use req.hostname here as it respects the "trust proxy" setting
   let resolvedHost = `${req.hostname}${port ? `:${port}` : ""}`;
   // Use `req.originalUrl` so Remix is aware of the full path
