From 2d5c62e77b834eaaf23ef64bff02f108e54555ec Mon Sep 17 00:00:00 2001
From: Sebastian Sdorra
Date: Mon, 3 Aug 2020 13:36:23 +0200
Subject: [PATCH] throws an exception if createForwardedBaseUrl is used with a non forwarded request
---
 .../src/main/java/sonia/scm/util/HttpUtil.java | 15 ++++++++++-----
 .../test/java/sonia/scm/util/HttpUtilTest.java | 8 +++++++-
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/scm-core/src/main/java/sonia/scm/util/HttpUtil.java b/scm-core/src/main/java/sonia/scm/util/HttpUtil.java
index 88adc2a24c..7056911a20 100644
--- a/scm-core/src/main/java/sonia/scm/util/HttpUtil.java
+++ b/scm-core/src/main/java/sonia/scm/util/HttpUtil.java
@@ -21,7 +21,7 @@
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
-
+
 package sonia.scm.util;
 //~--- non-JDK imports --------------------------------------------------------
@@ -925,11 +925,16 @@ public final class HttpUtil
 @VisibleForTesting
 static String createForwardedBaseUrl(HttpServletRequest request)
 {
- String proto = getHeader(request, HEADER_X_FORWARDED_PROTO,
- request.getScheme());
+ String fhost = getHeader(request, HEADER_X_FORWARDED_HOST, null);
+ if (fhost == null) {
+ throw new IllegalStateException(
+ String.format("request has no %s header and does not look like it is forwarded", HEADER_X_FORWARDED_HOST)
+ );
+ }
+
+ String proto = getHeader(request, HEADER_X_FORWARDED_PROTO, request.getScheme());
 String host;
- String fhost = getHeader(request, HEADER_X_FORWARDED_HOST,
- request.getScheme());
+
 String port = request.getHeader(HEADER_X_FORWARDED_PORT);
 int s = fhost.indexOf(SEPARATOR_PORT);
diff --git a/scm-core/src/test/java/sonia/scm/util/HttpUtilTest.java b/scm-core/src/test/java/sonia/scm/util/HttpUtilTest.java
index 162033c7ca..40aa184145 100644
--- a/scm-core/src/test/java/sonia/scm/util/HttpUtilTest.java
+++ b/scm-core/src/test/java/sonia/scm/util/HttpUtilTest.java
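Review bot: The new null check in `createForwardedBaseUrl` treats the mere presence of `HEADER_X_FORWARDED_HOST` as proof that the request was forwarded, but that header is client-supplied unless a reverse proxy in front of the application sets or overwrites it, and `fhost` then feeds the base URL this method (judging by its name) returns. A comment above the check should state that assumption, for example `// only trustworthy when a reverse proxy we control sets or overwrites this header; the value ends up in generated URLs`. If `getHeader` can hand back an empty string, which is not visible here, the guard would be tighter as `if (fhost == null || fhost.isEmpty()) {`. The method body continues past the end of the hunk, so how `host` and `port` are finally assembled is not covered by this note.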
@@ -21,7 +21,7 @@
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
-
+
 package sonia.scm.util;
 //~--- non-JDK imports --------------------------------------------------------
@@ -234,6 +234,12 @@ public class HttpUtilTest
 HttpUtil.createForwardedBaseUrl(request));
 }
+ @Test(expected = IllegalStateException.class)
+ public void shouldTrowIllegalStateExceptionWithoutForwardedHostHeader() {
+ HttpServletRequest request = mock(HttpServletRequest.class);
+ HttpUtil.createForwardedBaseUrl(request);
+ }
+
 /**
 * Method description
 *
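Review bot: The new test name `shouldTrowIllegalStateExceptionWithoutForwardedHostHeader` is misspelled and should read `shouldThrowIllegalStateExceptionWithoutForwardedHostHeader`. The bare `mock(HttpServletRequest.class)` presumably answers every `getHeader` call with null, so only the absent-header case is pinned; a request carrying a blank forwarded-host value is not covered. A one-line comment such as `// no stubbing: every header lookup returns null, i.e. a request that never passed a proxy` would make the intent explicit. The enclosing test class starts and ends outside this hunk.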