shreemaan-abhishek opened a new pull request, #13339:
URL: https://github.com/apache/apisix/pull/13339

### Description

The chaitin-waf plugin populates the `client_ip` field sent to the Chaitin WAF backend by reading `ctx.var.http_x_forwarded_for` directly when `config.real_client_ip = true` (the default). This bypasses nginx's `real_ip` module: any external client can supply an arbitrary `X-Forwarded-For` header and have it forwarded verbatim to the WAF, making attribution and policy decisions on that field attacker-controllable.

This change replaces the raw-header read with `core.request.get_remote_client_ip(ctx)` (which returns `$remote_addr` after `real_ip` processing) when `real_client_ip` is enabled, and `core.request.get_ip(ctx)` (direct TCP peer, ignoring realip rewrites) when disabled. The toggle's intent is preserved:

- `real_client_ip = true` (default): forwards the realip-resolved client IP — the forwarded header is honored only when the request comes from a trusted proxy listed in `set_real_ip_from`. Spoofed headers from untrusted sources are ignored.
- `real_client_ip = false`: forwards the actual TCP peer address.

This applies the same fix shape used for wolf-rbac in #13329.

An `info`-level log line records the chosen `client_ip` for auditability and to anchor the regression tests.

#### Which issue(s) this PR fixes:
Fixes #

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
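The difference the PR description draws, between reading `X-Forwarded-For` verbatim and taking the address nginx's `real_ip` module resolves from a trusted proxy, can be shown with a small model. The following is an added example and not APISIX code: `raw_xff_client_ip` stands in for the pre-fix `ctx.var.http_x_forwarded_for` read, `realip_client_ip` approximates `$remote_addr` after `real_ip` processing with `real_ip_header X-Forwarded-For`, and `choose_client_ip` mirrors the `real_client_ip` toggle. The trusted-proxy list, the header values and the addresses are all constructed for the demonstration (TEST-NET ranges for clients, `10.0.0.0/8` as the `set_real_ip_from` equivalent).

```python
import ipaddress

# Constructed trust list for this example: the reverse proxies in front of the
# gateway, i.e. what set_real_ip_from would list in nginx.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def _header(headers, name):
    """Case-insensitive lookup on a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _valid(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def _is_trusted(addr, trusted_nets):
    return _valid(addr) and any(ipaddress.ip_address(addr) in net for net in trusted_nets)


def raw_xff_client_ip(peer_addr, headers):
    """Pre-fix behaviour: whatever X-Forwarded-For says, regardless of who sent it."""
    xff = _header(headers, "X-Forwarded-For")
    return xff.strip() if xff else peer_addr


def realip_client_ip(peer_addr, headers, trusted_proxies=TRUSTED_PROXIES, recursive=True):
    """Model of $remote_addr after the nginx real_ip module.

    The forwarded header is consulted only when the TCP peer is itself a trusted
    proxy. With real_ip_recursive on, trusted hops are skipped from the right
    until the first untrusted address; with it off, the rightmost hop is used.
    A malformed hop leaves the peer address unchanged.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    if not _is_trusted(peer_addr, trusted):
        return peer_addr  # untrusted source: the header is ignored outright
    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        return peer_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer_addr
    if not recursive:
        return hops[-1] if _valid(hops[-1]) else peer_addr
    for hop in reversed(hops):
        if not _valid(hop):
            return peer_addr
        if not _is_trusted(hop, trusted):
            return hop
    return hops[0]  # every hop was a trusted proxy: the leftmost one remains


def choose_client_ip(real_client_ip, peer_addr, headers):
    """The toggle as described: realip-resolved address when true, TCP peer when false."""
    if real_client_ip:
        return realip_client_ip(peer_addr, headers)
    return peer_addr


if __name__ == "__main__":
    # Constructed scenarios. The first is the spoofing case: a direct client
    # claims to be an internal address.
    spoof = ("203.0.113.7", {"X-Forwarded-For": "10.0.0.5"})
    print("raw   :", raw_xff_client_ip(*spoof))      # 10.0.0.5 (attacker-chosen)
    print("realip:", realip_client_ip(*spoof))       # 203.0.113.7 (peer kept)
    # Second: a trusted proxy appends the real peer after a client-supplied value.
    via_proxy = ("10.0.0.5", {"X-Forwarded-For": "192.0.2.1, 203.0.113.7"})
    print("realip:", realip_client_ip(*via_proxy))   # 203.0.113.7
    print("peer  :", choose_client_ip(False, *via_proxy))  # 10.0.0.5
```

The `via_proxy` case is the one that shows why the recursive walk matters: the attacker-supplied left-hand value is never reached because the proxy's own observation of the peer sits to its right.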
