[release/2.3] Forwarded Headers Middleware: Ignore XForwardedHeaders from Unknown Proxy (#61642)

Author: BrennanConroy

eng/PatchConfig.props

@@ -27,4 +27,9 @@ Later on, this will be checked using this condition:
     <PackagesInPatch>
     </PackagesInPatch>
   </PropertyGroup>
+  <PropertyGroup Condition=" '$(VersionPrefix)' == '2.3.3' ">
+    <PackagesInPatch>
+      Microsoft.AspNetCore.HttpOverrides;
+    </PackagesInPatch>
+  </PropertyGroup>
 </Project>

src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs

@@ -227,16 +227,17 @@ public void ApplyForwarders(HttpContext context)
             for ( ; entriesConsumed < sets.Length; entriesConsumed++)
             {
                 var set = sets[entriesConsumed];
-                if (checkFor)
+
+                // For the first instance, allow remoteIp to be null for servers that don't support it natively.
+                if (currentValues.RemoteIpAndPort != null && checkKnownIps && !CheckKnownAddress(currentValues.RemoteIpAndPort.Address))
                 {
-                    // For the first instance, allow remoteIp to be null for servers that don't support it natively.
-                    if (currentValues.RemoteIpAndPort != null && checkKnownIps && !CheckKnownAddress(currentValues.RemoteIpAndPort.Address))
-                    {
-                        // Stop at the first unknown remote IP, but still apply changes processed so far.
-                        _logger.LogDebug(1, $"Unknown proxy: {currentValues.RemoteIpAndPort}");
-                        break;
-                    }
+                    // Stop at the first unknown remote IP, but still apply changes processed so far.
+                    _logger.LogDebug(1, $"Unknown proxy: {currentValues.RemoteIpAndPort}");
+                    break;
+                }
 
+                if (checkFor)
+                {
                     IPEndPoint parsedEndPoint;
                     if (IPEndPointParser.TryParse(set.IpAndPortText, out parsedEndPoint))
                     {

src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs

@@ -799,6 +799,63 @@ public async Task AllOptionsDisabledRequestDoesntChange()
             Assert.Equal("http", context.Request.Scheme);
         }
 
+        [Theory]
+        [InlineData(ForwardedHeaders.XForwardedFor, false)]
+        [InlineData(ForwardedHeaders.XForwardedFor, true)]
+        [InlineData(ForwardedHeaders.XForwardedHost, false)]
+        [InlineData(ForwardedHeaders.XForwardedHost, true)]
+        [InlineData(ForwardedHeaders.XForwardedProto, false)]
+        [InlineData(ForwardedHeaders.XForwardedProto, true)]
+        public async Task IgnoreXForwardedHeadersFromUnknownProxy(ForwardedHeaders forwardedHeaders, bool unknownProxy)
+        {
+            var builder = new WebHostBuilder()
+                .Configure(app =>
+                {
+                    var options = new ForwardedHeadersOptions
+                    {
+                        ForwardedHeaders = forwardedHeaders
+                    };
+                    if (!unknownProxy)
+                    {
+                        var proxy = IPAddress.Parse("10.0.0.1");
+                        options.KnownProxies.Add(proxy);
+                    }
+                    app.UseForwardedHeaders(options);
+                });
+            var server = new TestServer(builder);
+
+            var context = await server.SendAsync(c =>
+            {
+                c.Request.Headers["X-Forwarded-For"] = "11.111.111.11";
+                c.Request.Headers["X-Forwarded-Host"] = "testhost";
+                c.Request.Headers["X-Forwarded-Proto"] = "Protocol";
+                c.Connection.RemoteIpAddress = IPAddress.Parse("10.0.0.1");
+                c.Connection.RemotePort = 99;
+            });
+
+            if (unknownProxy)
+            {
+                Assert.Equal("10.0.0.1", context.Connection.RemoteIpAddress.ToString());
+                Assert.Equal("localhost", context.Request.Host.ToString());
+                Assert.Equal("http", context.Request.Scheme);
+            }
+            else
+            {
+                if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedFor))
+                {
+                    Assert.Equal("11.111.111.11", context.Connection.RemoteIpAddress.ToString());
+                }
+                if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedHost))
+                {
+                    Assert.Equal("testhost", context.Request.Host.ToString());
+                }
+                if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedProto))
+                {
+                    Assert.Equal("Protocol", context.Request.Scheme);
+                }
+            }
+        }
+
         [Fact]
         public async Task PartiallyEnabledForwardsPartiallyChangesRequest()
         {