Enforce invariant that the x-forwarded-for header length is not less …

…than the associated config setting on the node
MystenLabs · Nov 5, 2024 · 1c21039 · 1c21039
1 parent f8cd99d
commit 1c21039
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/crates/sui-core/src/authority_server.rs b/crates/sui-core/src/authority_server.rs
@@ -1225,6 +1225,19 @@ impl ValidatorService {
                                 return None;
                             }
                             let contents_len = header_contents.len();
+                            // Network topology should not be very dynamic, therefore if it changes and the above
+                            // invariant is violated, we should fail loudly so that the node config can be updated.
+                            assert!(
+                                contents_len >= *num_hops,
+                                "x-forwarded-for header value of {:?} contains {} values, but {} hops were specified. \
+                                Expected at least {} values. Please correctly set the `x-forwarded-for` value under \
+                                `client-id-source` in the node config.",
+                                header_contents,
+                                contents_len,
+                                num_hops,
+                                contents_len,
+                            );
+                            let contents_len = header_contents.len();
                             let Some(client_ip) = header_contents.get(contents_len - num_hops)
                             else {
                                 error!(