Update "Forwarded: for" contribution

Closes gh-23582

Author: rstoyanchev

Diff for: spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java

@@ -17,14 +17,14 @@
 package org.springframework.web.filter;
 
 import java.io.IOException;
+import java.net.InetSocketAddress;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 import java.util.function.Supplier;
-import java.util.regex.Pattern;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@@ -33,9 +33,8 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpServletResponseWrapper;
 
-import org.springframework.http.HttpHeaders;
-import org.springframework.http.HttpRequest;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.server.ServerHttpRequest;
 import org.springframework.http.server.ServletServerHttpRequest;
 import org.springframework.lang.Nullable;
 import org.springframework.util.CollectionUtils;
@@ -220,10 +219,6 @@ public Enumeration<String> getHeaderNames() {
 	 */
 	private static class ForwardedHeaderExtractingRequest extends ForwardedHeaderRemovingRequest {
 
-		private static final String X_FORWARDED_FOR_HEADER = "X-Forwarded-For";
-		private static final String FORWARDED_HEADER = "Forwarded";
-		private static final Pattern FORWARDED_FOR_PATTERN = Pattern.compile("(?i:^[^,]*for=.+)");
-
 		@Nullable
 		private final String scheme;
 
@@ -235,46 +230,24 @@ private static class ForwardedHeaderExtractingRequest extends ForwardedHeaderRem
 		private final int port;
 
 		@Nullable
-		private final String remoteHost;
-
-		@Nullable
-		private final String remoteAddr;
-
-		private final int remotePort;
+		private final InetSocketAddress remoteAddress;
 
 		private final ForwardedPrefixExtractor forwardedPrefixExtractor;
 
 
-		ForwardedHeaderExtractingRequest(HttpServletRequest request, UrlPathHelper pathHelper) {
-			super(request);
+		ForwardedHeaderExtractingRequest(HttpServletRequest servletRequest, UrlPathHelper pathHelper) {
+			super(servletRequest);
 
-			HttpRequest httpRequest = new ServletServerHttpRequest(request);
-			UriComponents uriComponents = UriComponentsBuilder.fromHttpRequest(httpRequest).build();
+			ServerHttpRequest request = new ServletServerHttpRequest(servletRequest);
+			UriComponents uriComponents = UriComponentsBuilder.fromHttpRequest(request).build();
 			int port = uriComponents.getPort();
 
 			this.scheme = uriComponents.getScheme();
 			this.secure = "https".equals(this.scheme);
 			this.host = uriComponents.getHost();
 			this.port = (port == -1 ? (this.secure ? 443 : 80) : port);
 
-			HttpHeaders headers = httpRequest.getHeaders();
-			boolean hasForwardedFor = StringUtils.hasText(headers.getFirst(X_FORWARDED_FOR_HEADER)) ||
-					(StringUtils.hasText(headers.getFirst(FORWARDED_HEADER)) &&
-						FORWARDED_FOR_PATTERN.matcher(headers.getFirst(FORWARDED_HEADER)).matches());
-			if (hasForwardedFor) {
-				UriComponents remoteUriComponents = UriComponentsBuilder.newInstance()
-						.host(request.getRemoteHost())
-						.port(request.getRemotePort())
-						.adaptFromForwardedForHeader(headers)
-						.build();
-				this.remoteHost = remoteUriComponents.getHost();
-				this.remoteAddr = this.remoteHost;
-				this.remotePort = remoteUriComponents.getPort();
-			} else {
-				this.remoteHost = request.getRemoteHost();
-				this.remoteAddr = request.getRemoteAddr();
-				this.remotePort = request.getRemotePort();
-			}
+			this.remoteAddress = UriComponentsBuilder.parseForwardedFor(request, request.getRemoteAddress());
 
 			String baseUrl = this.scheme + "://" + this.host + (port == -1 ? "" : ":" + port);
 			Supplier<HttpServletRequest> delegateRequest = () -> (HttpServletRequest) getRequest();
@@ -322,18 +295,18 @@ public StringBuffer getRequestURL() {
 		@Override
 		@Nullable
 		public String getRemoteHost() {
-			return this.remoteHost;
+			return (this.remoteAddress != null ? this.remoteAddress.getHostString() : super.getRemoteHost());
 		}
 
 		@Override
 		@Nullable
 		public String getRemoteAddr() {
-			return this.remoteAddr;
+			return (this.remoteAddress != null ? this.remoteAddress.getHostString() : super.getRemoteAddr());
 		}
 
 		@Override
 		public int getRemotePort() {
-			return remotePort;
+			return (this.remoteAddress != null ? this.remoteAddress.getPort() : super.getRemotePort());
 		}
 	}
 

Diff for: spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java

@@ -22,15 +22,13 @@
 import java.util.Locale;
 import java.util.Set;
 import java.util.function.Function;
-import java.util.regex.Pattern;
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.lang.Nullable;
 import org.springframework.util.LinkedCaseInsensitiveMap;
 import org.springframework.util.StringUtils;
-import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
 
 /**
@@ -53,9 +51,6 @@
  */
 public class ForwardedHeaderTransformer implements Function<ServerHttpRequest, ServerHttpRequest> {
 
-	private static final String X_FORWARDED_FOR_HEADER = "X-Forwarded-For";
-	private static final String FORWARDED_HEADER = "Forwarded";
-	private static final Pattern FORWARDED_FOR_PATTERN = Pattern.compile("(?i:^[^,]*for=.+)");
 	static final Set<String> FORWARDED_HEADER_NAMES =
 			Collections.newSetFromMap(new LinkedCaseInsensitiveMap<>(10, Locale.ENGLISH));
 
@@ -108,24 +103,8 @@ public ServerHttpRequest apply(ServerHttpRequest request) {
 					builder.contextPath(prefix);
 				}
 				InetSocketAddress remoteAddress = request.getRemoteAddress();
-				HttpHeaders headers = request.getHeaders();
-				boolean hasForwardedFor = StringUtils.hasText(headers.getFirst(X_FORWARDED_FOR_HEADER)) ||
-						(StringUtils.hasText(headers.getFirst(FORWARDED_HEADER)) &&
-								FORWARDED_FOR_PATTERN.matcher(headers.getFirst(FORWARDED_HEADER)).matches());
-				if (hasForwardedFor) {
-					String originalRemoteHost = ((remoteAddress != null) ? remoteAddress.getHostName() : null);
-					int originalRemotePort = ((remoteAddress != null) ? remoteAddress.getPort() : -1);
-					UriComponents remoteUriComponents = UriComponentsBuilder.newInstance()
-							.host(originalRemoteHost)
-							.port(originalRemotePort)
-							.adaptFromForwardedForHeader(headers)
-							.build();
-					String remoteHost = remoteUriComponents.getHost();
-					int remotePort = (remoteUriComponents.getPort() != -1 ? remoteUriComponents.getPort() : 0);
-					if (remoteHost != null) {
-						builder.remoteAddress(InetSocketAddress.createUnresolved(remoteHost, remotePort));
-					}
-				} else {
+				remoteAddress = UriComponentsBuilder.parseForwardedFor(request, remoteAddress);
+				if (remoteAddress != null) {
 					builder.remoteAddress(remoteAddress);
 				}
 			}

Diff for: spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java

@@ -16,6 +16,7 @@
 
 package org.springframework.web.util;
 
+import java.net.InetSocketAddress;
 import java.net.URI;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
@@ -97,13 +98,13 @@ public class UriComponentsBuilder implements UriBuilder, Cloneable {
 			"^" + HTTP_PATTERN + "(//(" + USERINFO_PATTERN + "@)?" + HOST_PATTERN + "(:" + PORT_PATTERN + ")?" + ")?" +
 					PATH_PATTERN + "(\\?" + LAST_PATTERN + ")?");
 
-	private static final Pattern FORWARDED_HOST_PATTERN = Pattern.compile("(?i:host)=\"?([^;,\"]+)\"?");
+	private static final String FORWARDED_VALUE = "\"?([^;,\"]+)\"?";
 
-	private static final Pattern FORWARDED_PROTO_PATTERN = Pattern.compile("(?i:proto)=\"?([^;,\"]+)\"?");
+	private static final Pattern FORWARDED_HOST_PATTERN = Pattern.compile("(?i:host)=" + FORWARDED_VALUE);
 
-	private static final Pattern FORWARDED_FOR_PATTERN = Pattern.compile("(?i:for)=\"?([^;,\"]+)\"?");
+	private static final Pattern FORWARDED_PROTO_PATTERN = Pattern.compile("(?i:proto)=" + FORWARDED_VALUE);
 
-	private static final String FORWARDED_FOR_NUMERIC_PORT_PATTERN = "^(\\d{1,5})$";
+	private static final Pattern FORWARDED_FOR_PATTERN = Pattern.compile("(?i:for)=" + FORWARDED_VALUE);
 
 	private static final Object[] EMPTY_VALUES = new Object[0];
 
@@ -308,11 +309,54 @@ public static UriComponentsBuilder fromHttpUrl(String httpUrl) {
 	 * @param request the source request
 	 * @return the URI components of the URI
 	 * @since 4.1.5
+	 * @see #parseForwardedFor(HttpRequest, InetSocketAddress)
 	 */
 	public static UriComponentsBuilder fromHttpRequest(HttpRequest request) {
 		return fromUri(request.getURI()).adaptFromForwardedHeaders(request.getHeaders());
 	}
 
+	/**
+	 * Parse the first "Forwarded: for=..." or "X-Forwarded-For" header value to
+	 * an {@code InetSocketAddress} representing the address of the client.
+	 * @param request a request with headers that may contain forwarded headers
+	 * @param remoteAddress the current remoteAddress
+	 * @return an {@code InetSocketAddress} with the extracted host and port, or
+	 * {@code null} if the headers are not present.
+	 * @since 5.3
+	 * @see <a href="https://tools.ietf.org/html/rfc7239#section-5.2">RFC 7239, Section 5.2</a>
+	 */
+	@Nullable
+	public static InetSocketAddress parseForwardedFor(
+			HttpRequest request, @Nullable InetSocketAddress remoteAddress) {
+
+		int port = (remoteAddress != null ?
+				remoteAddress.getPort() : "https".equals(request.getURI().getScheme()) ? 443 : 80);
+
+		String forwardedHeader = request.getHeaders().getFirst("Forwarded");
+		if (StringUtils.hasText(forwardedHeader)) {
+			String forwardedToUse = StringUtils.tokenizeToStringArray(forwardedHeader, ",")[0];
+			Matcher matcher = FORWARDED_FOR_PATTERN.matcher(forwardedToUse);
+			if (matcher.find()) {
+				String value = matcher.group(1).trim();
+				String host = value;
+				int portSeparatorIdx = value.lastIndexOf(':');
+				if (portSeparatorIdx > value.lastIndexOf(']')) {
+					host = value.substring(0, portSeparatorIdx);
+					port = Integer.parseInt(value.substring(portSeparatorIdx + 1));
+				}
+				return new InetSocketAddress(host, port);
+			}
+		}
+
+		String forHeader = request.getHeaders().getFirst("X-Forwarded-For");
+		if (StringUtils.hasText(forHeader)) {
+			String host = StringUtils.tokenizeToStringArray(forHeader, ",")[0];
+			return new InetSocketAddress(host, port);
+		}
+
+		return null;
+	}
+
 	/**
 	 * Create an instance by parsing the "Origin" header of an HTTP request.
 	 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454</a>
@@ -727,33 +771,6 @@ public UriComponentsBuilder uriVariables(Map<String, Object> uriVariables) {
 		return this;
 	}
 
-	/**
-	 * Adapt this builders's host+port from the "for" parameter of the "Forwarded"
-	 * header or from "X-Forwarded-For" if "Forwarded" is not found. If neither
-	 * "Forwarded" nor "X-Forwarded-For" is found no changes are made to the
-	 * builder.
-	 * @param headers the HTTP headers to consider
-	 * @return this UriComponentsBuilder
-	 */
-	public UriComponentsBuilder adaptFromForwardedForHeader(HttpHeaders headers) {
-		String forwardedHeader = headers.getFirst("Forwarded");
-		if (StringUtils.hasText(forwardedHeader)) {
-			String forwardedToUse = StringUtils.tokenizeToStringArray(forwardedHeader, ",")[0];
-			Matcher matcher = FORWARDED_FOR_PATTERN.matcher(forwardedToUse);
-			if (matcher.find()) {
-				adaptForwardedForHost(matcher.group(1).trim());
-			}
-		}
-		else {
-			String forHeader = headers.getFirst("X-Forwarded-For");
-			if (StringUtils.hasText(forHeader)) {
-				String forwardedForToUse = StringUtils.tokenizeToStringArray(forHeader, ",")[0];
-				host(forwardedForToUse);
-			}
-		}
-		return this;
-	}
-
 	/**
 	 * Adapt this builder's scheme+host+port from the given headers, specifically
 	 * "Forwarded" (<a href="https://tools.ietf.org/html/rfc7239">RFC 7239</a>,
@@ -828,36 +845,18 @@ private boolean isForwardedSslOn(HttpHeaders headers) {
 		return StringUtils.hasText(forwardedSsl) && forwardedSsl.equalsIgnoreCase("on");
 	}
 
-	private void adaptForwardedHost(String hostToUse) {
-		int portSeparatorIdx = hostToUse.lastIndexOf(':');
-		if (portSeparatorIdx > hostToUse.lastIndexOf(']')) {
-			host(hostToUse.substring(0, portSeparatorIdx));
-			port(Integer.parseInt(hostToUse.substring(portSeparatorIdx + 1)));
+	private void adaptForwardedHost(String rawValue) {
+		int portSeparatorIdx = rawValue.lastIndexOf(':');
+		if (portSeparatorIdx > rawValue.lastIndexOf(']')) {
+			host(rawValue.substring(0, portSeparatorIdx));
+			port(Integer.parseInt(rawValue.substring(portSeparatorIdx + 1)));
 		}
 		else {
-			host(hostToUse);
+			host(rawValue);
 			port(null);
 		}
 	}
 
-	private void adaptForwardedForHost(String hostToUse) {
-		String hostName = hostToUse;
-		int portSeparatorIdx = hostToUse.lastIndexOf(':');
-		if (portSeparatorIdx > hostToUse.lastIndexOf(']')) {
-			String hostPort = hostToUse.substring(portSeparatorIdx + 1);
-			// check if port is not obfuscated
-			if (hostPort.matches(FORWARDED_FOR_NUMERIC_PORT_PATTERN)) {
-				port(Integer.parseInt(hostPort));
-			}
-			hostName = hostToUse.substring(0, portSeparatorIdx);
-		}
-		if (hostName.matches(HOST_IPV6_PATTERN)) {
-			host(hostName.substring(hostName.indexOf('[') + 1, hostName.indexOf(']')));
-		} else {
-			host(hostName);
-		}
-	}
-
 	private void resetHierarchicalComponents() {
 		this.userInfo = null;
 		this.host = null;