From dc419e28c066ff8cea1eddee2fb060cbcf91464c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcel=20M=C3=A4rtens?=
Date: Sun, 17 Mar 2024 13:41:56 +0100
Subject: [PATCH] Disallow /ui when any Forwarded header is detected

---
 server-cli/src/web/ui/mod.rs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/server-cli/src/web/ui/mod.rs b/server-cli/src/web/ui/mod.rs
index a1e8790f43..3117968c3e 100644
--- a/server-cli/src/web/ui/mod.rs
+++ b/server-cli/src/web/ui/mod.rs
@@ -1,6 +1,6 @@
 use axum::{
     extract::{ConnectInfo, State},
-    http::{header::SET_COOKIE, HeaderValue},
+    http::{header::SET_COOKIE, HeaderMap, HeaderValue},
     response::{Html, IntoResponse},
     routing::get,
     Router,
@@ -22,14 +22,19 @@ pub fn router(secret_token: String) -> Router {
 async fn ui(
     ConnectInfo(addr): ConnectInfo,
+    headers: HeaderMap,
     State(token): State,
 ) -> impl IntoResponse {
-    if !addr.ip().is_loopback() {
+    const X_FORWARDED_FOR: &'_ str = "X-Forwarded-For";
+    if !addr.ip().is_loopback()
+        || headers.contains_key(axum::http::header::FORWARDED)
+        || headers.contains_key(X_FORWARDED_FOR)
+    {
         return Html(
             r#"
-Ui is only accessible from 127.0.0.1
+Ui is only accessible from 127.0.0.1. Usage of proxies is forbidden.
 "#
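Review bot: The import hunk brings `HeaderMap` into scope, yet the new `ui` body in the following hunk still spells `axum::http::header::FORWARDED` in full even though this `use` block already imports `header::SET_COOKIE`; widening it to `http::{header::{FORWARDED, SET_COOKIE}, HeaderMap, HeaderValue},` keeps both header names referenced the same way. The local `const X_FORWARDED_FOR` (presumably because the `http` crate ships no constant for that de-facto header) deserves a why-comment, e.g. `// Defence in depth: a reverse proxy on the same host would satisfy the loopback check for remote clients, so reject requests that carry proxy headers.` That comment should also state that the check is a heuristic which complements rather than replaces the loopback test, since a proxy that strips or never sets these headers is not detected. The `ui` function continues past the end of the second hunk, so the remainder of the rejection path is not visible here.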