fix: server functions x-forwarded-host possible multiple values (vercel#73701)

Netail · ijjk · web-flow · commit 41b743ad6f9e · 2025-01-03T11:19:31.000-08:00
## Summary The x-forwarded-host header can be an array (`string | string[] | undefined`), which used to be casted to `string | undefined`. So when comparing the origin vs the x-forwarded-host, it ends up comparing an array to a string. Resulting in the following error; ``` `x-forwarded-host` header with value `www.foo.bar, www.foo.bar` does not match `origin` header with value `www.foo.bar` from a forwarded Server Actions request. Aborting the action. ``` --------- Co-authored-by: JJ Kasper <jj@jjsweb.site>
diff --git a/packages/next/src/server/app-render/action-handler.test.ts b/packages/next/src/server/app-render/action-handler.test.ts
@@ -0,0 +1,59 @@
+import { parseHostHeader } from './action-handler'
+
+describe('parseHostHeader', () => {
+  it('should return correct host', () => {
+    expect(parseHostHeader({})).toBe(undefined)
+
+    expect(
+      parseHostHeader({
+        host: 'www.foo.com',
+      })
+    ).toEqual({ type: 'host', value: 'www.foo.com' })
+
+    expect(
+      parseHostHeader({
+        host: undefined,
+        'x-forwarded-host': 'www.foo.com',
+      })
+    ).toEqual({ type: 'x-forwarded-host', value: 'www.foo.com' })
+
+    expect(
+      parseHostHeader({
+        host: 'www.foo.com',
+        'x-forwarded-host': undefined,
+      })
+    ).toEqual({ type: 'host', value: 'www.foo.com' })
+  })
+
+  it('should return x-forwarded-host over host header', () => {
+    expect(
+      parseHostHeader({
+        host: 'www.foo.com',
+        'x-forwarded-host': 'www.bar.com',
+      })
+    ).toEqual({ type: 'x-forwarded-host', value: 'www.bar.com' })
+  })
+
+  it('should return correct x-forwarded-host when provided in array', () => {
+    expect(
+      parseHostHeader({
+        host: 'www.foo.com',
+        'x-forwarded-host': ['www.bar.com', 'www.baz.com'],
+      })
+    ).toEqual({ type: 'x-forwarded-host', value: 'www.bar.com' })
+
+    expect(
+      parseHostHeader({
+        host: 'www.foo.com',
+        'x-forwarded-host': [],
+      })
+    ).toEqual({ type: 'host', value: 'www.foo.com' })
+
+    expect(
+      parseHostHeader({
+        host: 'www.foo.com',
+        'x-forwarded-host': 'www.bar.com, www.baz.com',
+      })
+    ).toEqual({ type: 'x-forwarded-host', value: 'www.bar.com' })
+  })
+})
diff --git a/packages/next/src/server/app-render/action-handler.ts b/packages/next/src/server/app-render/action-handler.ts
@@ -1,4 +1,4 @@
-import type { IncomingHttpHeaders, OutgoingHttpHeaders } from 'http'
+import type { IncomingHttpHeaders, OutgoingHttpHeaders } from 'node:http'
 import type { SizeLimit } from '../../types'
 import type { RequestStore } from '../app-render/work-unit-async-storage.external'
 import type { AppRenderContext, GenerateFlight } from './app-render'
@@ -399,6 +399,28 @@ function limitUntrustedHeaderValueForLogs(value: string) {
   return value.length > 100 ? value.slice(0, 100) + '...' : value
 }
 
+export function parseHostHeader(headers: IncomingHttpHeaders) {
+  const forwardedHostHeader = headers['x-forwarded-host']
+  const forwardedHostHeaderValue =
+    forwardedHostHeader && Array.isArray(forwardedHostHeader)
+      ? forwardedHostHeader[0]
+      : forwardedHostHeader?.split(',')?.[0]?.trim()
+  const hostHeader = headers['host']
+  const host = forwardedHostHeaderValue
+    ? {
+        type: HostType.XForwardedHost,
+        value: forwardedHostHeaderValue,
+      }
+    : hostHeader
+      ? {
+          type: HostType.Host,
+          value: hostHeader,
+        }
+      : undefined
+
+  return host
+}
+
 type ServerModuleMap = Record<
   string,
   {
@@ -487,22 +509,7 @@ export async function handleAction({
     typeof req.headers['origin'] === 'string'
       ? new URL(req.headers['origin']).host
       : undefined
-
-  const forwardedHostHeader = req.headers['x-forwarded-host'] as
-    | string
-    | undefined
-  const hostHeader = req.headers['host']
-  const host: Host = forwardedHostHeader
-    ? {
-        type: HostType.XForwardedHost,
-        value: forwardedHostHeader,
-      }
-    : hostHeader
-      ? {
-          type: HostType.Host,
-          value: hostHeader,
-        }
-      : undefined
+  const host = parseHostHeader(req.headers)
 
   let warning: string | undefined = undefined
 
diff --git a/packages/next/src/server/base-http/index.ts b/packages/next/src/server/base-http/index.ts
@@ -67,14 +67,14 @@ export abstract class BaseNextResponse<Destination = any> {
   abstract appendHeader(name: string, value: string): this
 
   /**
-   * Get all vaues for a header as an array or undefined if no value is present
+   * Get all values for a header as an array or undefined if no value is present
    */
   abstract getHeaderValues(name: string): string[] | undefined
 
   abstract hasHeader(name: string): boolean
 
   /**
-   * Get vaues for a header concatenated using `,` or undefined if no value is present
+   * Get values for a header concatenated using `,` or undefined if no value is present
    */
   abstract getHeader(name: string): string | undefined
 
