diff --git a/lib/request.js b/lib/request.js index 7881d4c60..069d5b43a 100644 --- a/lib/request.js +++ b/lib/request.js @@ -433,6 +433,15 @@ module.exports = { const val = this.get('X-Forwarded-For'); return proxy && val ? val.split(/\s*,\s*/) + .map(host => { + let normalizedHost = host; + if (net.isIPv6(host)) { + normalizedHost = `[${host}]`; + } + + return parse(`http://${normalizedHost}`).hostname; + }) + .filter(ip => !!ip) : []; }, diff --git a/test/request/ips.js b/test/request/ips.js index 8e0a5f0c7..65478f09d 100644 --- a/test/request/ips.js +++ b/test/request/ips.js @@ -23,5 +23,23 @@ describe('req.ips', () => { assert.deepEqual(req.ips, ['127.0.0.1', '127.0.0.2']); }); }); + + describe('and contains IPv4', () => { + it('should not return port', () => { + const req = request(); + req.app.proxy = true; + req.header['x-forwarded-for'] = '127.0.0.1:80,127.0.0.2'; + assert.deepEqual(req.ips, ['127.0.0.1', '127.0.0.2']); + }); + }); + + describe('and contains IPv6', () => { + it('should parse correctly', () => { + const req = request(); + req.app.proxy = true; + req.header['x-forwarded-for'] = '::1'; + assert.deepEqual(req.ips, ['::1']); + }); + }); }); });