infrastructure/extensions-website
4
8
Fork 10
Code Issues 20 Pull Requests 2 Projects Releases Wiki Activity

Cloudflare OWASP ruleset: false positive on descriptions with shell snippets #124

New Issue
Closed
opened 2024-05-11 12:46:24 +02:00 by Isamu Mogi · 6 comments
Isamu Mogi commented 2024-05-11 12:46:24 +02:00
Copy Link

When I tried to upload the extension's icon and featured image, Cloudflare blocked it.

Windows 11 Pro 22H2 22621.3527
Microsoft Edge 124.0.2478.97 (公式ビルド) (64 ビット)

Please refer to the attached video for network communication logs, etc.

When I tried to upload the extension's icon and featured image, Cloudflare blocked it. Windows 11 Pro 22H2 22621.3527 Microsoft Edge 124.0.2478.97 (公式ビルド) (64 ビット) Please refer to the attached video for network communication logs, etc. <video src="https://projects.blender.org/attachments/764f1d74-0430-4f88-80f4-89c90d3e2336" controls width="600" />
icon.png
22 KiB
upload-failure.mp4
2.1 MiB
featured.png
450 KiB
icon.png featured.png
Isamu Mogi changed title from CloudFlare blocks icon and featured image uploads to Cloudflare blocks icon and featured image uploads 2024-05-11 18:08:49 +02:00
Isamu Mogi commented 2024-05-11 22:06:44 +02:00
Author
Copy Link

By specifying an all-white image, the upload was successful. But I want to upload a meaningful image instead of this.

By specifying an all-white image, the upload was successful. But I want to upload a meaningful image instead of this. <img src="/attachments/0d75c729-f5c0-4c49-a040-874f1dcf01ef" width="300">
featured2.png
10 KiB
screenshot.png
952 KiB
icon2.png
866 B
featured2.png icon2.png
Oleg-Komarov commented 2024-05-13 10:17:49 +02:00
Owner
Copy Link

Thank you for a detailed report!

I've checked the CloudFlare (CF) ray-id in the logs, the request was blocked due to a total sum of CF managed rule flags:
image

I have also checked if these rules are being triggered for other users, but in the last 72h only urls related to vrm and vrm-extension were affected.

Some of the triggered rules seem to refer to the shell commands present in the extension's description, but the fact that you could submit a different image with the same description makes me think that there may be something particular about the image binary payload.

Overall, I would prefer if we kept the CF rules in place, since I don't see them affecting other users.

May I ask you to try and re-upload the images after re-exporting them, possibly with a different image editor to change the binary payload? If you get blocked again, could you kindly share the ray-id?

Thank you for a detailed report! I've checked the CloudFlare (CF) ray-id in the logs, the request was blocked due to a total sum of CF managed rule flags: ![image](/attachments/521d32a2-ae54-4fab-8ab0-1f42eb4c093e) I have also checked if these rules are being triggered for other users, but in the last 72h only urls related to `vrm` and `vrm-extension` were affected. Some of the triggered rules seem to refer to the shell commands present in the extension's description, but the fact that you could submit a different image with the same description makes me think that there may be something particular about the image binary payload. Overall, I would prefer if we kept the CF rules in place, since I don't see them affecting other users. May I ask you to try and re-upload the images after re-exporting them, possibly with a different image editor to change the binary payload? If you get blocked again, could you kindly share the ray-id?
image.png
154 KiB
Isamu Mogi commented 2024-05-13 11:36:06 +02:00
Author
Copy Link

Thank you for your detailed investigation. I created an icon using 4 different editors and uploaded it, and the results are shown below. please confirm.

Image Editor File Cloudflare Ray ID
windows 11 mspaint 8831a0ee6c78f5c0
windows 11 krita 8831a1e9fa84f5c0
wsl ubuntu 22.04 imagemagick 8831a290cd08f5c0
wsl ubuntu 22.04 zopflipng 8831a3404b10f5c0
Thank you for your detailed investigation. I created an icon using 4 different editors and uploaded it, and the results are shown below. please confirm. | Image Editor | File | Cloudflare Ray ID | | --- | --- | --- | | windows 11 mspaint | [<img src="/attachments/0cd37c54-e9bb-4b6c-9b5f-b96590a0f91a" width="64">](/attachments/0cd37c54-e9bb-4b6c-9b5f-b96590a0f91a) | 8831a0ee6c78f5c0 | | windows 11 krita | [<img src="/attachments/2f2a6302-bb7b-44ec-82c8-166584c4fe27" width="64">](/attachments/2f2a6302-bb7b-44ec-82c8-166584c4fe27) | 8831a1e9fa84f5c0 | | wsl ubuntu 22.04 imagemagick | [<img src="/attachments/e222f412-652b-4bcf-9441-7bd1cccd9c9e" width="64">](/attachments/e222f412-652b-4bcf-9441-7bd1cccd9c9e) | 8831a290cd08f5c0 | | wsl ubuntu 22.04 zopflipng | [<img src="/attachments/337035e2-4af1-4584-9124-db63bb52cd62" width="64">](/attachments/337035e2-4af1-4584-9124-db63bb52cd62) | 8831a3404b10f5c0 |
icon_ubuntu_zopflipng.png
21 KiB
icon_windows_mspaint.png
39 KiB
icon_windows_krita.png
29 KiB
icon_ubuntu_imagemagick.png
32 KiB
Isamu Mogi commented 2024-05-13 11:47:53 +02:00
Author
Copy Link

By deleting the shell command listed in the extension details, I was able to successfully upload the image.

Thank you very much!

For research purposes, I've attached the description text of the extension that I originally posted.

By deleting the shell command listed in the extension details, I was able to successfully upload the image. Thank you very much! For research purposes, I've attached [the description text of the extension that I originally posted](/attachments/9dcda775-00f2-4507-a702-78916776391d).
cloudflare_blocked_description.txt
3.5 KiB
Oleg-Komarov commented 2024-05-13 11:57:03 +02:00
Owner
Copy Link

Yes, I can see these ray ids in the logs, except for the first one.

Thank you for your patience!
I think that you (and other users) should be able to submit snippets with shell commands in the description, and these false positives in blocking are rather annoying.
I'll see if a more reasonable configuration is possible without disabling these rules entirely.

Yes, I can see these ray ids in the logs, except for the first one. Thank you for your patience! I think that you (and other users) should be able to submit snippets with shell commands in the description, and these false positives in blocking are rather annoying. I'll see if a more reasonable configuration is possible without disabling these rules entirely.
👍 1
Oleg-Komarov changed title from Cloudflare blocks icon and featured image uploads to Cloudflare OWASP ruleset: false positive on descriptions with shell snippets 2024-05-13 11:58:26 +02:00
Pablo Vazquez added the
Type
Report
 label 2024-05-27 12:50:16 +02:00
Oleg-Komarov commented 2024-07-19 19:11:12 +02:00
Owner
Copy Link

Just verified that the same combination of input (description text + any image) still leads to a blocked request.

I've tweaked the rules a little, but it wasn't enough, then I experimented with the description text, removing some parts, but keeping the shell snippets, and I managed to submit a form with a tweaked text and an image.

Also it appears that submitting a simple description (no markup) and images first, then editing the description should work, because it doesn't require to submit binary payloads and extensive markup in a single POST, and it helps to keep the cumulative WAF score lower, avoiding the block.

I will close this issue for now, since it's unlikely we will do more about this, unless more people complain.

Just verified that the same combination of input (description text + any image) still leads to a blocked request. I've tweaked the rules a little, but it wasn't enough, then I experimented with the description text, removing some parts, but keeping the shell snippets, and I managed to submit a form with a tweaked text and an image. Also it appears that submitting a simple description (no markup) and images first, then editing the description should work, because it doesn't require to submit binary payloads and extensive markup in a single POST, and it helps to keep the cumulative WAF score lower, avoiding the block. I will close this issue for now, since it's unlikely we will do more about this, unless more people complain.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
Priority
Critical
The priority is critical

  
Priority
High
The priority is high

  
Priority
Low
The priority is low

  
Priority
Normal
The priority is medium

  
Reviewed
Confirmed
Issue has been confirmed

  
Reviewed
Duplicate
This issue or pull request already exists

  
Reviewed
Invalid
Invalid issue

  
Reviewed
Won't Fix
This issue won't be fixed

  
Status
Abandoned
Somebody has started to work on this but abandoned work

  
Status
Blocked
Something is blocking this issue or pull request

  
Status
Need More Info
Feedback is required to reproduce issue or to continue work

  
Type
Breaking
Breaking change that won't be backward compatible

  
Type
Documentation
Documentation changes

  
Type
Enhancement
Improve existing functionality

  
Type
Feature
New functionality

  
Type
Report
Something is not working

  
Type
Security
This is security issue

  
Type
Suggestion
New ideas and proposals

  
Type
Testing
Issue or pull request related to testing

No Label
Priority
Critical
Priority
High
Priority
Low
Priority
Normal
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Need More Info
Type
Breaking
Type
Documentation
Type
Enhancement
Type
Feature
Type
Report
Type
Security
Type
Suggestion
Type
Testing
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: infrastructure/extensions-website#124
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?