The protocol getter returns the value of the X-Forwarded-Proto header if the connection is to be trusted. For that, it considers the value passed to trust proxy (if given). The trust proxy value can be a number to represent the max trusted hop count. However, in the current code, the number is ignored because in the protocol getter it always passes a hardcoded 0 for the actual hop count here:
if (!trust(this.connection.remoteAddress, 0)) {
Why is hop count always 0 here? Isn't it dangerous to tell administrators that this setting will check against hop count, while it actually does not?
The socket address is always hop count 0. The first proxy would be count 1 and so on, but the function is called giving the value of the 0th hop in your example (the socket address).
If you truly believe there is something security related, please follow the report procedure outlined at https://github.com/expressjs/express/blob/master/Security.md
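As an added example (not Express's own code) that models what the reply describes: a numeric `trust proxy` setting compiles to a `trust(addr, hopIndex)` check, the socket peer is hop 0, so the getter's hardcoded 0 asks exactly "may I believe this socket's forwarded headers at all?", and the hop count only becomes visible when walking the X-Forwarded-For chain. The request object and addresses are constructed.

```javascript
// Models how a `trust proxy` setting becomes a trust(addr, hopIndex) function.
// Hop 0 is the socket peer; hop 1 is the proxy recorded rightmost in
// X-Forwarded-For, hop 2 the one before it, and so on.
function compileTrust(setting) {
  if (typeof setting === 'boolean') return () => setting;
  if (typeof setting === 'number') {
    // A number is a maximum trusted hop count.
    return (addr, hopIndex) => hopIndex < setting;
  }
  if (Array.isArray(setting)) return (addr) => setting.includes(addr);
  throw new TypeError('unsupported trust proxy setting');
}

// Walk the hop chain outward from the socket peer and return the first
// address that is NOT trusted: the client as far as it can be verified.
function clientAddress(remoteAddress, forwardedFor, trust) {
  const proxies = forwardedFor
    ? forwardedFor.split(',').map((s) => s.trim()).reverse()
    : [];
  const hops = [remoteAddress].concat(proxies);
  let i = 0;
  while (i < hops.length - 1 && trust(hops[i], i)) i++;
  return hops[i];
}

// Mirrors the getter's logic: the header is only consulted when hop 0
// (the socket peer) is trusted; otherwise the socket's own scheme wins.
function protocolOf(req, trust) {
  const proto = req.encrypted ? 'https' : 'http';
  if (!trust(req.remoteAddress, 0)) return proto;
  const header = req.headers['x-forwarded-proto'] || proto;
  const comma = header.indexOf(',');
  return (comma !== -1 ? header.slice(0, comma) : header).trim();
}

// Constructed sample: plain-HTTP socket from a local proxy that claims
// the original request was HTTPS and came via a second proxy.
const sampleRequest = {
  encrypted: false,
  remoteAddress: '10.0.0.5',
  headers: {
    'x-forwarded-proto': 'https',
    'x-forwarded-for': '203.0.113.9, 10.0.0.6',
  },
};
```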
Thank you for the clarification!