
Fix/x forwarded for rate limit bypass#2138

Open
anshika1179 wants to merge 5 commits into
JhaSourav07:mainfrom
anshika1179:fix/x-forwarded-for-rate-limit-bypass

Conversation

@anshika1179
Contributor

Description

Fixes #1975

This PR addresses the rate-limiting bypass vulnerability caused by trusting user-controlled X-Forwarded-For and X-Real-IP headers.

Modifications implemented:

  • Centralized Secure IP Resolution: Created utils/getClientIp.ts to securely resolve true client IPs.
  • Trusted Proxy Verification: Implemented standard CIDR range and explicit trusted proxy list checking in utils/trustedProxy.ts. It parses X-Forwarded-For from right to left, stopping at the first untrusted intermediate proxy.
  • Spoof Attempt Detection: Automatically detects and securely logs header spoofing attempts (e.g., when the client-supplied IP chain contradicts secure properties).
  • Hardened Middleware & Endpoints: Centralized IP extraction in the middleware rate limiter and the /api/track-user endpoint.
  • Comprehensive Test Suite: Added utils/getClientIp.test.ts unit tests and fully updated middleware.test.ts to align with the trusted proxy model.

Pillar

  • 🎨 Pillar 1 — New Theme Design
  • 📐 Pillar 2 — Geometric SVG Improvement
  • 🕐 Pillar 3 — Timezone Logic Optimization
  • 🛠️ Other (Bug fix, refactoring, docs)

Visual Preview

(N/A - Security backend/middleware hardening change. Complete test suite verification has been performed locally).

Checklist before requesting a review:

  • I have read the CONTRIBUTING.md file.
  • I have tested these changes locally (localhost:3000/api/streak?user=YOUR_USERNAME).
  • I have run npm run format and npm run lint locally and resolved all errors (CI will fail otherwise).
  • My commits follow the Conventional Commits format (e.g., feat(themes): ..., fix(calculate): ...).
  • I have updated README.md if I added a new theme or URL parameter.
  • I have starred the repo.
  • I have made sure that I have only one commit to merge in this PR.
  • The SVG output matches the CommitPulse "premium quality" aesthetic standard (no raw elements, smooth animations, correct fonts).
  • (Recommended) I joined the CommitPulse Discord community for contributor discussions, mentorship, and faster PR support.
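The resolution rule the PR describes (a trusted-proxy list with CIDR ranges, X-Forwarded-For walked from right to left until the first untrusted hop, and a spoof flag when the header contradicts the transport) as an added TypeScript example. This is not the PR's utils/getClientIp.ts or utils/trustedProxy.ts; the function names, the IPv4-only CIDR matcher, the handling of IPv4-mapped IPv6 literals and the trusted ranges are assumptions made here.

```typescript
// Added example (not CommitPulse project code): resolve the real client IP
// behind a chain of trusted reverse proxies. IPv4 only; trusted ranges are
// constructed for the example.

/** Strict dotted-quad check: four octets, no leading zeros, each 0..255. */
function isIPv4(s: string): boolean {
  const parts = s.split(".");
  return (
    parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255)
  );
}

/** Map an IPv4-mapped IPv6 literal ("::ffff:10.0.0.1") back to plain IPv4. */
function normalize(ip: string): string {
  const m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip.trim());
  return m?.[1] ?? ip.trim();
}

/** Dotted quad -> unsigned 32-bit integer. */
function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

export interface Cidr { base: number; mask: number; }

/** Parse "10.0.0.0/8" or a bare address (treated as /32). */
export function parseCidr(entry: string): Cidr {
  const [addrPart, prefixPart] = entry.trim().split("/");
  const addr = addrPart ?? "";
  if (!isIPv4(addr)) throw new Error(`invalid IPv4 address in trusted proxy entry: ${entry}`);
  const prefix = prefixPart === undefined ? 32 : Number(prefixPart);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`invalid prefix length: ${entry}`);
  }
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { base: (ipv4ToInt(addr) & mask) >>> 0, mask };
}

/** True when ip falls inside any configured trusted proxy range. */
export function isTrustedProxy(ip: string, trusted: Cidr[]): boolean {
  const n = normalize(ip);
  if (!isIPv4(n)) return false;
  const v = ipv4ToInt(n);
  return trusted.some((c) => ((v & c.mask) >>> 0) === c.base);
}

export interface ResolvedIp {
  ip: string;
  source: "socket" | "x-forwarded-for";
  spoofSuspected: boolean;
  reason?: string;
}

/**
 * socketIp is the TCP peer address (never user-controlled); xff is the raw
 * X-Forwarded-For value, if any. Only entries appended by trusted proxies are
 * believed: we walk right to left and stop at the first address that is not a
 * trusted proxy, which is the real client. Anything left of it was supplied by
 * the client or by proxies we do not control and is ignored.
 */
export function getClientIp(socketIp: string, xff: string | undefined, trusted: Cidr[]): ResolvedIp {
  const peer = normalize(socketIp);
  const hasXff = xff !== undefined && xff.trim() !== "";

  // Direct connection from an untrusted peer: nothing in XFF was added by
  // anyone we trust, so the header is ignored and its presence is flagged.
  if (!isTrustedProxy(peer, trusted)) {
    return {
      ip: peer,
      source: "socket",
      spoofSuspected: hasXff,
      ...(hasXff ? { reason: "X-Forwarded-For supplied on a direct connection from an untrusted peer" } : {}),
    };
  }

  const hops = (xff ?? "").split(",").map((h) => normalize(h)).filter((h) => h !== "");
  for (let i = hops.length - 1; i >= 0; i--) {
    const hop = hops[i] ?? "";
    // We only reach index i if every entry to its right was a trusted proxy,
    // so a malformed value here means a "trusted" hop appended garbage.
    if (!isIPv4(hop)) {
      return { ip: peer, source: "socket", spoofSuspected: true,
        reason: `malformed hop "${hop}" where a trusted proxy should have appended an address` };
    }
    if (!isTrustedProxy(hop, trusted)) {
      return { ip: hop, source: "x-forwarded-for", spoofSuspected: false };
    }
  }
  // Header empty or every hop trusted: the peer itself is the client.
  return { ip: peer, source: "socket", spoofSuspected: false };
}

// Constructed trusted list for the example: an internal /8 and one LB host.
export const TRUSTED_PROXIES: Cidr[] = [parseCidr("10.0.0.0/8"), parseCidr("172.16.0.5")];
```

The trusted list must contain exactly the proxies that append to the header on the way in; if the application runs behind an edge it does not operate, the edge's own documented client-address header is the only value worth keying a rate limiter on, and X-Forwarded-For should still be walked with that edge as the trusted peer. A `spoofSuspected` result is what the middleware should log (with the peer address, never the unverified header value alone as the key) while still rate-limiting on the resolved `ip`.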

@vercel
Contributor

vercel Bot commented May 31, 2026

@anshika1179 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added the status:blocked This PR is blocked due to a failing CI check. label May 31, 2026
@github-actions

🚨 Hey @anshika1179, the CI Pipeline is failing on this PR and it has been marked as status:blocked.

Please fix the issues before this can be reviewed. Here's how:

1. Run checks locally before pushing:

npm run format:check   # Check Prettier formatting
npm run lint           # Run ESLint
npm run typecheck      # TypeScript type check
npm run test           # Run unit tests (Vitest)
npm run build          # Verify production build passes

2. Auto-fix common issues:

npm run format         # Auto-fix formatting with Prettier
npm run lint -- --fix  # Auto-fix lint errors where possible

3. Check the full failure log here:
👉 View CI Run

Once you push a fix and the CI passes, the status:blocked label will be removed automatically. 💪

@github-actions github-actions Bot removed the status:blocked This PR is blocked due to a failing CI check. label May 31, 2026
Collaborator

@Aamod007 Aamod007 left a comment

Thanks for the PR. The code changes for trusted proxy verification look solid and address a critical rate-limit bypass vector.

However, this PR includes massive unintended churn in `package-lock.json` (2783 additions, 645 deletions). Our `package-lock.json` is highly volatile and we strictly avoid accidental commits of reformatted lock files.

Please revert the `package-lock.json` file so that only the source code files are included in this PR. Once that is done, I will be happy to approve it!

@github-actions

⚠️ Hey @anshika1179, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

@github-actions github-actions Bot added the needs-rebase This PR has merge conflicts and needs a rebase. label May 31, 2026
@github-actions

github-actions Bot commented Jun 1, 2026

⚠️ Hey @anshika1179, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

@github-actions github-actions Bot added status:blocked This PR is blocked due to a failing CI check. and removed needs-rebase This PR has merge conflicts and needs a rebase. labels Jun 1, 2026
@github-actions github-actions Bot added type:bug Something isn't working as expected and removed type:security Security fixes, dependency updates, or hardening labels Jun 2, 2026

Labels

  • GSSoC 2026
  • level:advanced: Complex contributions involving architecture, optimization, or significant feature work
  • mentor:Aamod007
  • quality:exceptional: Outstanding contribution with exceptional implementation quality, testing.
  • status:blocked: This PR is blocked due to a failing CI check.
  • type:bug: Something isn't working as expected

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: Rate Limiting Bypass via X-Forwarded-For Header Spoofing leading to API Abuse

2 participants