feature #58154 [HttpFoundation] Add PRIVATE_SUBNETS as a shortcut for private IP address ranges to Request::setTrustedProxies() (nicolas-grekas)

nicolas-grekas · nicolas-grekas · commit 4a7a68e52a1b · 2024-09-03T14:56:41.000+02:00
This PR was merged into the 7.2 branch. Discussion ---------- [HttpFoundation] Add `PRIVATE_SUBNETS` as a shortcut for private IP address ranges to `Request::setTrustedProxies()` | Q | A | ------------- | --- | Branch? | 7.2 | Bug fix? | no | New feature? | no | Deprecations? | no | Issues | - | License | MIT Let's save some memory allocations and callbacks when we can. Tweaks #33574 and #52924 Commits ------- 6bd4b4a [HttpFoundation] Add `PRIVATE_SUBNETS` as a shortcut for private IP address ranges to `Request::setTrustedProxies()`
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -111,10 +111,10 @@ public function getConfigTreeBuilder(): TreeBuilder
                     ->beforeNormalization()->ifString()->then(fn ($v) => [$v])->end()
                     ->prototype('scalar')->end()
                 ->end()
-                ->scalarNode('trusted_proxies')
+                ->variableNode('trusted_proxies')
                     ->beforeNormalization()
-                        ->ifTrue(fn ($v) => 'private_ranges' === $v)
-                        ->then(fn ($v) => implode(',', IpUtils::PRIVATE_SUBNETS))
+                        ->ifTrue(fn ($v) => 'private_ranges' === $v || 'PRIVATE_SUBNETS' === $v)
+                        ->then(fn () => IpUtils::PRIVATE_SUBNETS)
                     ->end()
                 ->end()
                 ->arrayNode('trusted_headers')
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTestCase.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTestCase.php
@@ -2354,7 +2354,7 @@ public function testTrustedProxiesWithPrivateRanges()
     {
         $container = $this->createContainerFromFile('trusted_proxies_private_ranges');
 
-        $this->assertSame(IpUtils::PRIVATE_SUBNETS, array_map('trim', explode(',', $container->getParameter('kernel.trusted_proxies'))));
+        $this->assertSame(IpUtils::PRIVATE_SUBNETS, $container->getParameter('kernel.trusted_proxies'));
     }
 
     public function testWebhook()
diff --git a/src/Symfony/Component/HttpFoundation/CHANGELOG.md b/src/Symfony/Component/HttpFoundation/CHANGELOG.md
@@ -6,6 +6,7 @@ CHANGELOG
 
  * Add optional `$requests` parameter to `RequestStack::__construct()`
  * Add optional `$v4Bytes` and `$v6Bytes` parameters to `IpUtils::anonymize()`
+ * Add `PRIVATE_SUBNETS` as a shortcut for private IP address ranges to `Request::setTrustedProxies()`
 
 7.1
 ---
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -520,20 +520,26 @@ public function overrideGlobals(): void
      *
      * You should only list the reverse proxies that you manage directly.
      *
-     * @param array $proxies          A list of trusted proxies, the string 'REMOTE_ADDR' will be replaced with $_SERVER['REMOTE_ADDR']
-     * @param int   $trustedHeaderSet A bit field of Request::HEADER_*, to set which headers to trust from your proxies
+     * @param array                          $proxies          A list of trusted proxies, the string 'REMOTE_ADDR' will be replaced with $_SERVER['REMOTE_ADDR'] and 'PRIVATE_SUBNETS' by IpUtils::PRIVATE_SUBNETS
+     * @param int-mask-of<Request::HEADER_*> $trustedHeaderSet A bit field to set which headers to trust from your proxies
      */
     public static function setTrustedProxies(array $proxies, int $trustedHeaderSet): void
     {
-        self::$trustedProxies = array_reduce($proxies, function ($proxies, $proxy) {
-            if ('REMOTE_ADDR' !== $proxy) {
-                $proxies[] = $proxy;
-            } elseif (isset($_SERVER['REMOTE_ADDR'])) {
-                $proxies[] = $_SERVER['REMOTE_ADDR'];
+        if (false !== $i = array_search('REMOTE_ADDR', $proxies, true)) {
+            if (isset($_SERVER['REMOTE_ADDR'])) {
+                $proxies[$i] = $_SERVER['REMOTE_ADDR'];
+            } else {
+                unset($proxies[$i]);
+                $proxies = array_values($proxies);
             }
+        }
+
+        if (false !== ($i = array_search('PRIVATE_SUBNETS', $proxies, true)) || false !== ($i = array_search('private_ranges', $proxies, true))) {
+            unset($proxies[$i]);
+            $proxies = array_merge($proxies, IpUtils::PRIVATE_SUBNETS);
+        }
 
-            return $proxies;
-        }, []);
+        self::$trustedProxies = $proxies;
         self::$trustedHeaderSet = $trustedHeaderSet;
     }
 
diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
@@ -16,6 +16,7 @@
 use Symfony\Component\HttpFoundation\Exception\JsonException;
 use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
 use Symfony\Component\HttpFoundation\InputBag;
+use Symfony\Component\HttpFoundation\IpUtils;
 use Symfony\Component\HttpFoundation\ParameterBag;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Session\Session;
@@ -2564,6 +2565,26 @@ public function testTrustedProxiesRemoteAddr($serverRemoteAddr, $trustedProxies,
         $this->assertSame($result, Request::getTrustedProxies());
     }
 
+    public static function trustedProxiesRemoteAddr()
+    {
+        return [
+            ['1.1.1.1', ['REMOTE_ADDR'], ['1.1.1.1']],
+            ['1.1.1.1', ['REMOTE_ADDR', '2.2.2.2'], ['1.1.1.1', '2.2.2.2']],
+            [null, ['REMOTE_ADDR'], []],
+            [null, ['REMOTE_ADDR', '2.2.2.2'], ['2.2.2.2']],
+        ];
+    }
+
+    /**
+     * @testWith ["PRIVATE_SUBNETS"]
+     *           ["private_ranges"]
+     */
+    public function testTrustedProxiesPrivateSubnets(string $key)
+    {
+        Request::setTrustedProxies([$key], Request::HEADER_X_FORWARDED_FOR);
+        $this->assertSame(IpUtils::PRIVATE_SUBNETS, Request::getTrustedProxies());
+    }
+
     public function testTrustedValuesCache()
     {
         $request = Request::create('http://example.com/');
@@ -2581,16 +2602,6 @@ public function testTrustedValuesCache()
         $this->assertFalse($request->isSecure());
     }
 
-    public static function trustedProxiesRemoteAddr()
-    {
-        return [
-            ['1.1.1.1', ['REMOTE_ADDR'], ['1.1.1.1']],
-            ['1.1.1.1', ['REMOTE_ADDR', '2.2.2.2'], ['1.1.1.1', '2.2.2.2']],
-            [null, ['REMOTE_ADDR'], []],
-            [null, ['REMOTE_ADDR', '2.2.2.2'], ['2.2.2.2']],
-        ];
-    }
-
     /**
      * @dataProvider preferSafeContentData
      */

Original file line number	Diff line number	Diff line change
`@@ -2354,7 +2354,7 @@ public function testTrustedProxiesWithPrivateRanges()`
`2354`	`2354`	`{`
`2355`	`2355`	`$container = $this->createContainerFromFile('trusted_proxies_private_ranges');`
`2356`	`2356`
`2357`		`- $this->assertSame(IpUtils::PRIVATE_SUBNETS, array_map('trim', explode(',', $container->getParameter('kernel.trusted_proxies'))));`
	`2357`	`+ $this->assertSame(IpUtils::PRIVATE_SUBNETS, $container->getParameter('kernel.trusted_proxies'));`
`2358`	`2358`	`}`
`2359`	`2359`
`2360`	`2360`	`public function testWebhook()`