Manage invalid IP address in X-Forwarded-For header

WebApiThrottle.Tests/IpAddressUtilTests.cs

@@ -65,5 +65,13 @@ public void IsPrivateIpAddress_PublicIpAddressWithInitialSpace_ReturnsFalse()
 
             Assert.Equal(false, result);
         }
+
+        [Fact]
+        public void IsPrivateIpAddress_InvalidAddress_ReturnsTrue()
+        {
+            bool result = IpAddressUtil.IsPrivateIpAddress("INVALIDIP");
+
+            Assert.True(result);
+        }
     }
 }

WebApiThrottle/Net/IpAddressUtil.cs

@@ -46,6 +46,8 @@ public static bool ContainsIp(List<string> ipRules, string clientIp, out string
             return false;
         }
 
+        private static readonly IPAddress _defaultIPAddress = new IPAddress(new byte[] { 169, 254, 0, 0 });
+
         public static IPAddress ParseIp(string ipAddress)
         {
             ipAddress = ipAddress.Trim();
@@ -59,7 +61,10 @@ public static IPAddress ParseIp(string ipAddress)
                 ipAddress = ipAddress.Substring(0, portDelimiterPos);
             }
 
-            return IPAddress.Parse(ipAddress);
+            // If IPAddress can not be parsed, we return a default Link-local address.
+            // Sometimes, X-Forwarded-For headers have non valid IP Address
+            IPAddress address;
+            return (IPAddress.TryParse(ipAddress, out address) ? address : _defaultIPAddress);
         }
 
         public static bool IsPrivateIpAddress(string ipAddress)
@@ -97,4 +102,4 @@ public static bool IsPrivateIpAddress(string ipAddress)
             }
         }
     }
-}
+}