
#8752: fix: add CIDR notation support for trustedProxies config

by revenuestack, open, 2026-02-04 10:38

Labels: gateway, stale
## Summary

Add CIDR notation support for `trustedProxies` configuration to enable subnet-based proxy trust.

## Problem

The `trustedProxies` config only supported individual IP addresses. Users behind reverse proxies with dynamic IPs or load balancers need to trust entire subnets (e.g., `10.0.0.0/8`, `172.16.0.0/12`).

## Solution

- Added `ip-cidr` package for CIDR range checking
- Enhanced `isTrustedProxy()` function to detect and match CIDR notation
- Maintains backward compatibility with individual IP addresses

Fixes #8026

## Greptile Overview

### Greptile Summary

This PR extends `trustedProxies` handling in `src/gateway/net.ts` to support CIDR notation by adding IPv4 parsing and subnet matching (exact IPs still supported). It also adds a dedicated `isTrustedProxyAddress` test suite covering common CIDR ranges (/8, /16, /24, /32, /0), whitespace, invalid CIDRs, and IPv4-mapped IPv6 *inputs*.

Notable issue: configured proxy entries are only trimmed (not normalized), so `trustedProxies` values using IPv4-mapped IPv6 forms like `::ffff:192.168.0.0/16` won't match even though the input IP is normalized. Consider normalizing the config entry (at least the base IP portion) before CIDR evaluation.

### Confidence Score: 3/5

- Generally safe to merge, but there is a real edge-case mismatch for IPv4-mapped IPv6 CIDR entries in config.
- Core CIDR matching logic and tests for common IPv4 ranges look correct, but proxy entries aren't normalized before CIDR parsing, which can cause false negatives for `::ffff:`-prefixed CIDRs (and similar normalization-sensitive inputs).
- src/gateway/net.ts (normalization of trustedProxies entries)
