FunkyPeanut FunkyPeanut - 4 months ago 18
Javascript Question

Do Node and Express validate certain request fields?

I am questioning whether it is required to validate fields like

req.ip
or
req.path
server-side.

It boils down to the question: Is it possible for the client to set something like
.set('Remote-Addr', <Malicious JavaScript>)
and it successfully being propagated to my Node or Express middleware?

Thanks for helping!

Answer

There is no way to validate source IP, particular when proxies are involved. In the proxy case, a chain of IP addresses is supposed to be put in http headers, but that can certainly be faked so what express thinks is the original IP cannot be trusted. It is likely accurate, but not guaranteed accurate.

req.path is entirely local and does not involve any client headers and is not subject to any client spoofing. It just comes from the actual HTTP request URL that arrives at your server. The only way it wouldn't be the same as the actual request URL is if you were using a mount point for routers in which case the mount point part of the path will have been removed by express. Or perhaps if your own middleware attempted to mess with it.