5 changes: 5 additions & 0 deletions .jules/flash.md
@@ -0,0 +1,5 @@
## 2024-05-18 - Unsanitized X-Forwarded-For injection vulnerability
**Category:** Security
**Finding:** `x-forwarded-for` header values were passed directly into Supabase insert operations without sanitization or `.trim()`.
**Learning:** Proxy chains can prepend multiple IPs or inject spaces in the `x-forwarded-for` header. Passing this unsanitized directly to database queries could trigger DoS via massive insertion limits or injection vulnerabilities.
**Action:** Always extract the client IP securely using `(ip || "").split(",")[0].trim()`.
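Review bot: The Learning line overstates what this change guards against: taking the first comma-separated entry and trimming it normalizes the header, but it neither demonstrates nor fixes an "injection vulnerability", and the leftmost `x-forwarded-for` entry is the one supplied by the client itself, so the extracted value is fine for logging but must not be trusted for rate limiting, allow-listing or any authorization decision. Suggest rewording Learning/Action to state what the hunks actually do: the header may be absent, multi-valued or padded with whitespace, so normalize it before storing and keep treating it as untrusted input.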
2 changes: 1 addition & 1 deletion src/app/api/v1/payment-links/route.ts
Expand Up @@ -118,7 +118,7 @@ export async function POST(req: NextRequest) {
method: 'POST',
status_code: 201,
request_body: body,
ip_address: clientIp.split(',')[0]
ip_address: clientIp.split(',')[0].trim()
// eslint-disable-next-line @typescript-eslint/no-explicit-any
}).then(({ error }: any) => {
if(error) console.error('Failed to log API call', error)
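Review bot: The expression `clientIp.split(',')[0].trim()` now duplicates the one added to verify-api-key.ts in this same PR; factor both into one shared helper (a name such as `getClientIp(header)` is only a suggestion) so the two call sites cannot drift, and have the helper fall back to `'unknown'` when the first entry trims to an empty string, since a header like `" , 203.0.113.5"` would otherwise store `''`. `clientIp` is derived outside this hunk, so the helper is also the natural place to guard against it being null or undefined before `.split` is called.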
2 changes: 1 addition & 1 deletion src/lib/api/verify-api-key.ts
Expand Up @@ -57,7 +57,7 @@ export async function verifyApiKey(req: NextRequest) {
endpoint: req.nextUrl.pathname,
method: req.method,
status_code: 200, // Assumed success if we get here
ip_address: req.headers.get('x-forwarded-for') || 'unknown',
ip_address: (req.headers.get('x-forwarded-for') || 'unknown').split(',')[0].trim(),
user_agent: req.headers.get('user-agent') || 'unknown'
// eslint-disable-next-line @typescript-eslint/no-explicit-any
}).then(({ error }: any) => {
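Review bot: The `|| 'unknown'` fallback is applied before the split and trim, so a header that is present but whose first entry is empty (for example `" , 198.51.100.7"`) stores `''` in `ip_address` rather than `'unknown'`; move the fallback after `.trim()`, e.g. `(req.headers.get('x-forwarded-for') ?? '').split(',')[0].trim() || 'unknown'`. Consider also checking that the result parses as an IP address before storing it, so an arbitrary header value cannot land in the `ip_address` column.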
2 changes: 1 addition & 1 deletion src/providers.tsx
Expand Up @@ -14,7 +14,7 @@ import type { AppKitNetwork } from '@reown/appkit/networks'
const queryClient = new QueryClient()

const alchemyKey = process.env.NEXT_PUBLIC_ALCHEMY_KEY
const projectId = process.env.NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID || ''
const projectId = process.env.NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID || 'fallback-id'
⚑ Flash Review

πŸ› Bug: Defaulting projectId to a generic string 'fallback-id' if NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID is not set will likely cause WalletConnect to fail during initialization, preventing users from connecting their wallets. WalletConnect requires a valid project ID.

Fix: Ensure NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID is always configured in production. For development, consider throwing an explicit error if it's missing, or use a specific test ID provided by WalletConnect, rather than a generic string that will cause runtime failures.


// Testnet keywords to filter out
const TESTNET_KEYWORDS = [
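Review bot: The `projectId` change in this hunk is unrelated to the X-Forwarded-For fix described in `.jules/flash.md` and should be split into its own PR; as the inline review comment notes, `'fallback-id'` is not a usable WalletConnect project id, so the fallback only hides a missing `NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID` until wallet connection fails at runtime. Prefer failing fast at startup when the variable is unset, or keep the original `''` so the misconfiguration stays visible.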