chore: bump vm2 from 3.9.17 to 3.9.19 (#6216 )

Bumps [vm2](https://github.com/patriksimek/vm2) from 3.9.17 to 3.9.19. - [Release notes](https://github.com/patriksimek/vm2/releases) - [Changelog](https://github.com/patriksimek/vm2/blob/master/CHANGELOG.md) - [Commits](https://github.com/patriksimek/vm2/compare/3.9.17...3.9.19) --- updated-dependencies: - dependency-name: vm2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Support X-Forwarded-Host with multiple hosts
2026-04-13 21:32:52 -05:00 · 2023-05-17 12:38:38 -08:00 · 2023-05-17 11:51:05 -08:00
3 changed files with 10 additions and 5 deletions
--- a/src/node/http.ts
+++ b/src/node/http.ts
@@ -386,10 +386,14 @@ function getHost(req: express.Request): string | undefined {
    }
  }

-  // Honor X-Forwarded-Host if present.
+  // Honor X-Forwarded-Host if present.  Some reverse proxies will set multiple
+  // comma-separated hosts.
  const xHost = getFirstHeader(req, "x-forwarded-host")
  if (xHost) {
-    return xHost.trim().toLowerCase()
+    const firstXHost = xHost.split(",")[0]
+    if (firstXHost) {
+      return firstXHost.trim().toLowerCase()
+    }
  }

  const host = getFirstHeader(req, "host")
--- a/test/unit/node/http.test.ts
+++ b/test/unit/node/http.test.ts
@@ -58,6 +58,7 @@ describe("http", () => {
      ;[
        ["host", test.host],
        ["x-forwarded-host", test.host],
+        ["x-forwarded-host", `${test.host}, ${test.host}`],
        ["forwarded", `for=127.0.0.1, host=${test.host}, proto=http`],
        ["forwarded", `for=127.0.0.1;proto=http;host=${test.host}`],
        ["forwarded", `proto=http;host=${test.host}, for=127.0.0.1`],
--- a/yarn.lock
+++ b/yarn.lock
@@ -3774,9 +3774,9 @@ vfile@^4.0.0:
    vfile-message "^2.0.0"

 vm2@^3.9.11, vm2@^3.9.3:
-  version "3.9.17"
-  resolved "https://registry.yarnpkg.com/vm2/-/vm2-3.9.17.tgz#251b165ff8a0e034942b5181057305e39570aeab"
-  integrity sha512-AqwtCnZ/ERcX+AVj9vUsphY56YANXxRuqMb7GsDtAr0m0PcQX3u0Aj3KWiXM0YAHy7i6JEeHrwOnwXbGYgRpAw==
+  version "3.9.19"
+  resolved "https://registry.yarnpkg.com/vm2/-/vm2-3.9.19.tgz#be1e1d7a106122c6c492b4d51c2e8b93d3ed6a4a"
+  integrity sha512-J637XF0DHDMV57R6JyVsTak7nIL8gy5KH4r1HiwWLf/4GBbb5MKL5y7LpmF4A8E2nR6XmzpmMFQ7V7ppPTmUQg==
  dependencies:
    acorn "^8.7.0"
    acorn-walk "^8.2.0"