platform/tenant-registry
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(audit): strip IPv6 brackets before INET insert
ci / image (pull_request) Has been skipped
Details
ci / shared (pull_request) Successful in 8s
Details
ci / test (pull_request) Successful in 2m7s
Details

Browse Source 
When a client connects over IPv6 loopback, net/http's RemoteAddr is
'[::1]:port'. The previous clientIP() returned '[::1]' (brackets and
all) which Postgres's INET type rejects with
'invalid input syntax for type inet: "[::1]" (SQLSTATE 22P02)'.

Live local-smoke caught this — every state-changing endpoint emitted
the audit event, the INSERT rolled back, and a warning landed in the
log. The user-facing operation succeeded so the caller never noticed,
but audit_log stayed empty.

Fix:
  - Use net.SplitHostPort which returns IPv6 hosts without brackets.
  - Add stripBrackets() as a belt-and-braces for X-Forwarded-For
    headers that wrap the IP themselves (some proxies do).

Refs: M4.2
This commit is contained in:
Sharang Parnerkar
2026-05-19 17:05:20 +02:00
parent 9138731eea
commit a83088e7e6
1 changed files with 13 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/server/helpers.go
+13 -11
View File
@@ -4,6 +4,7 @@ import (
"encoding/json"
"errors"
"log/slog"
"net"
"net/http"
"strings"
"time"
@@ -87,22 +88,23 @@ func (s *statusRecorder) WriteHeader(c int) {
func clientIP(r *http.Request) string {
if fwd := r.Header.Get("X-Forwarded-For"); fwd != "" {
if i := strings.IndexByte(fwd, ','); i > 0 {
return strings.TrimSpace(fwd[:i])
return stripBrackets(strings.TrimSpace(fwd[:i]))
}
return strings.TrimSpace(fwd)
return stripBrackets(strings.TrimSpace(fwd))
}
if host, _, ok := splitHostPort(r.RemoteAddr); ok {
if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
// net.SplitHostPort returns IPv6 without brackets already.
return host
}
return r.RemoteAddr
return stripBrackets(r.RemoteAddr)
}
// splitHostPort is a port-tolerant version of net.SplitHostPort that doesn't
// error on missing port.
func splitHostPort(s string) (string, string, bool) {
i := strings.LastIndexByte(s, ':')
if i < 0 {
return s, "", false
// stripBrackets removes the `[...]` wrapping IPv6 hosts pick up from
// net/http's RemoteAddr in some Go versions, since Postgres `inet` rejects
// `[::1]` but accepts `::1`.
func stripBrackets(s string) string {
if len(s) >= 2 && s[0] == '[' && s[len(s)-1] == ']' {
return s[1 : len(s)-1]
}
return s[:i], s[i+1:], true
return s
}