X-Forwarded-For#175
Draft
BayerC wants to merge 1 commit into
Draft
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #175 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 10 10
Lines 529 532 +3
=========================================
+ Hits 529 532 +3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Hey - I've found 2 issues, and left some high level feedback:
- Consider handling the common case where
X-Forwarded-Forcontains a comma-separated list of IPs (e.g., by splitting on,and taking the first non-empty value) instead of using the raw header string. - Depending on how
st.context.headersis populated, it may be safer to guard against it beingNone(e.g.,headers = getattr(st.context, 'headers', {})) to avoid runtime errors in non-HTTP or local contexts.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Consider handling the common case where `X-Forwarded-For` contains a comma-separated list of IPs (e.g., by splitting on `,` and taking the first non-empty value) instead of using the raw header string.
- Depending on how `st.context.headers` is populated, it may be safer to guard against it being `None` (e.g., `headers = getattr(st.context, 'headers', {})`) to avoid runtime errors in non-HTTP or local contexts.
## Individual Comments
### Comment 1
<location path="src/open_cups/app.py" line_range="261" />
<code_context>
def run() -> None:
+ headers = st.context.headers
+ ip_address = headers.get("X-Forwarded-For", "Unknown")
+
+ st.write(f"Connecting from: {ip_address}")
</code_context>
<issue_to_address>
**suggestion:** Consider parsing `X-Forwarded-For` correctly when it contains a list of IPs.
Many proxies send `X-Forwarded-For` as `client-ip, proxy1, proxy2, ...`. Using it directly may log the whole chain instead of the client IP. If you want the originating client IP, split on `","` and use the first trimmed entry.
</issue_to_address>
### Comment 2
<location path="src/open_cups/app.py" line_range="263" />
<code_context>
+ headers = st.context.headers
+ ip_address = headers.get("X-Forwarded-For", "Unknown")
+
+ st.write(f"Connecting from: {ip_address}")
st_autorefresh(interval=AUTOREFRESH_INTERVAL_MS, key="data_refresh")
</code_context>
<issue_to_address>
**🚨 question (security):** Double-check whether exposing the client IP in the UI aligns with privacy/user expectations.
Depending on your context, this could be treated as sensitive information. If it’s mainly for diagnostics, consider hiding it behind a debug flag or limiting visibility to admin/privileged users.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
|
|
||
| def run() -> None: | ||
| headers = st.context.headers | ||
| ip_address = headers.get("X-Forwarded-For", "Unknown") |
Contributor
There was a problem hiding this comment.
suggestion: Consider parsing X-Forwarded-For correctly when it contains a list of IPs.
Many proxies send X-Forwarded-For as client-ip, proxy1, proxy2, .... Using it directly may log the whole chain instead of the client IP. If you want the originating client IP, split on "," and use the first trimmed entry.
| headers = st.context.headers | ||
| ip_address = headers.get("X-Forwarded-For", "Unknown") | ||
|
|
||
| st.write(f"Connecting from: {ip_address}") |
Contributor
There was a problem hiding this comment.
🚨 question (security): Double-check whether exposing the client IP in the UI aligns with privacy/user expectations.
Depending on your context, this could be treated as sensitive information. If it’s mainly for diagnostics, consider hiding it behind a debug flag or limiting visibility to admin/privileged users.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
DO NOT MERGE
https://opencups-test-x-forwarded-for.streamlit.app/