test(lib): add a test for the X-Forwarded-For middleware

Previously the X-Forwarded-For middleware could return two commas in a row. This is a regression test to make sure that doesn't happen again. Imports a patch previously exclusive to Botstopper. Signed-off-by: Xe Iaso <me@xeiaso.net>
chore: release v1.21.3
2026-04-12 19:48:44 +00:00 · 2025-07-25 10:46:30 -04:00 · 2025-07-25 10:30:44 -04:00 · 2025-07-25 14:25:04 +00:00
6 changed files with 54 additions and 5 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-1.21.2
+1.21.3
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -13,18 +13,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 <!-- This changes the project to: -->
-## v1.21.2: Minfilia Warde - Echo 2
+## v1.21.3: Minfilia Warde - Echo 3
 ### Fixes
 #### Fixes a problem with nonstandard URLs and redirects
 Fixes [GHSA-jhjj-2g64-px7c](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c).
 This could allow an attacker to craft an Anubis pass-challenge URL that forces a redirect to nonstandard URLs, such as the `javascript:` scheme which executes arbitrary JavaScript code in a browser context when the user clicks the "Try again" button.
 This has been fixed by disallowing any URLs without the scheme `http` or `https`.
 Additionally, the "Try again" button has been fixed to completely ignore the user-supplied redirect location. It now redirects to the home page (`/`).
 ## v1.21.2: Minfilia Warde - Echo 2
 This contained an incomplete fix for [GHSA-jhjj-2g64-px7c](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c). Do not use this version.
 ## v1.21.1: Minfilia Warde - Echo 1
 - Expired records are now properly removed from bbolt databases ([#848](https://github.com/TecharoHQ/anubis/pull/848)).
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -926,3 +926,42 @@ func TestPassChallengeXSS(t *testing.T) {
 		}
 	})
 }
 func TestXForwardedForNoDoubleComma(t *testing.T) {
 	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
 		fmt.Fprintln(w, "OK")
 	})
 	h = internal.XForwardedForToXRealIP(h)
 	h = internal.XForwardedForUpdate(false, h)
 	pol := loadPolicies(t, "testdata/permissive.yaml", 4)
 	srv := spawnAnubis(t, Options{
 		Next:   h,
 		Policy: pol,
 	})
 	ts := httptest.NewServer(srv)
 	t.Cleanup(ts.Close)
 	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 	req.Header.Set("X-Real-Ip", "10.0.0.1")
 	resp, err := ts.Client().Do(req)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if resp.StatusCode != http.StatusOK {
 		t.Errorf("response status is wrong, wanted %d but got: %s", http.StatusOK, resp.Status)
 	}
 	if xff := resp.Header.Get("X-Forwarded-For"); strings.HasPrefix(xff, ",,") {
 		t.Errorf("X-Forwarded-For has two leading commas: %q", xff)
 	}
 }
--- a/lib/testdata/permissive.yaml
+++ b/lib/testdata/permissive.yaml
@@ -0,0 +1,4 @@
 bots:
  - import: (data)/common/allow-private-addresses.yaml
 dnsbl: false
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.21.2",
+  "version": "1.21.3",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@techaro/anubis",
-      "version": "1.21.2",
+      "version": "1.21.3",
      "license": "ISC",
      "devDependencies": {
        "cssnano": "^7.1.0",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.21.2",
+  "version": "1.21.3",
  "description": "",
  "main": "index.js",
  "scripts": {