Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CloudFlare can unexpectedly block REST API requests #3527

Closed
thenets opened this Issue Nov 17, 2017 · 12 comments

Comments

Projects
7 participants
@thenets
Copy link

commented Nov 17, 2017

Issue Overview

Don't save when my list item has parentheses.

Steps to Reproduce

  1. Open the editor
  2. Create an list block
  3. Try to save
  4. Error raise (Can not save)

Expected Behavior

Should save.

Versions

Wordpress 4.9
Gutenberg 1.7.0

@youknowriad

This comment has been minimized.

Copy link
Contributor

commented Nov 20, 2017

Not able to reproduce, can you add more details? Do you see a failing request? Are you able to get the response of the request...?

@thenets

This comment has been minimized.

Copy link
Author

commented Nov 20, 2017

I'll check the Apache log later. The Firefox don't return any error log msg.

@thenets

This comment has been minimized.

Copy link
Author

commented Nov 20, 2017

There's no log error on Firefox console or Apache. Can I enable some debug mode on Wordpress?
I'm using the CloudFlare as my proxy. Should it be related to this bug?

@youknowriad

This comment has been minimized.

Copy link
Contributor

commented Nov 20, 2017

I'm using the CloudFlare as my proxy. Should it be related to this bug?

Yes, I think it's related. Can you take a look at this issue, there's a workaround there #2704 (even if it seems CloudFlare is not blocking the API anymore)

@thenets

This comment has been minimized.

Copy link
Author

commented Nov 20, 2017

Thanks a lot, @youknowriad!
CloudFlare was the problem. I disable the security request to API and now it's working:

image

@thenets thenets closed this Nov 20, 2017

@thenets thenets changed the title [bug] Don't save when my list item has parentheses [bug] Don't save when my list item has parentheses (CloudFlare) Nov 20, 2017

@thenets

This comment has been minimized.

Copy link
Author

commented Nov 28, 2017

Talking with CloudFlare support and later analyzing the "request" content I found the problem with API request. The CloudFlare firewall identifies the Gutenberg request as a possible SQL Injection attack.

The way the requests is made looks like an SQL Injection can be done. Maybe is better encode and strip special chars before sending to Wordpress API.

@thenets thenets reopened this Nov 28, 2017

@jaswrks

This comment has been minimized.

Copy link
Contributor

commented Nov 29, 2017

I had a similar problem just this morning in Gutenberg v1.8.0. Setting a background or text color on the block seems to push CloudFlare over the edge. Here's the full JSON export of the triggers that caused this. See: https://gist.github.com/jaswrks/e1985e071502099b53aac01f33b97b27

Inbound Anomaly Score Exceeded (Total Score: 66, SQLi=11, XSS=25)

@swarchen

This comment has been minimized.

Copy link

commented Dec 12, 2017

I have a similar problem just like @jaswrks . While updating the table or button elements of gutenberg editor. I will get 403 forbidden from cloudflare with

2017-12-12 12 13 33

ID Description Group  
981176 Inbound Anomaly Score Exceeded (Total Score: 69, SQLi=10, XSS=30): Last Matched Message: IE XSS Filters - Attack Detected. OWASP Inbound Blocking Filter
950109 Multiple URL Encoding Detected OWASP Protocol Violations Filter
950901 SQL Injection Attack: SQL Tautology Detected. OWASP SQL Injection Attacks Filter
960024 Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters OWASP SQL Injection Attacks Filter
960032 Method is not allowed by policy OWASP HTTP Policy Filter
973300 Possible XSS Attack Detected - HTML Tag Handler OWASP XSS Attacks Filter
973304 XSS Attack Detected OWASP XSS Attacks Filter
973306 XSS Attack Detected OWASP XSS Attacks Filter
973332 IE XSS Filters - Attack Detected. OWASP XSS Attacks Filter
973333 IE XSS Filters - Attack Detected. OWASP XSS Attacks Filter
973338 XSS Filter - Category 3: Javascript URI Vector OWASP XSS Attacks Filter
981133 Prequalify PM OWASP Generic Attacks Filter
981136 Check simple XSS patterns OWASP XSS Attacks Filter
981231 SQL Comment Sequence Detected. OWASP SQL Injection Attacks Filter
981243 Detects classic SQL injection probings 2/2 OWASP SQL Injection Attacks Filter
981245 Detects basic SQL authentication bypass attempts 2/3 OWASP SQL Injection Attacks Filter
981246 Detects basic SQL authentication bypass attempts 3/3 OWASP SQL Injection Attacks Filter
981257 Detects MySQL comment-/space-obfuscated injections and backtick termination OWASP SQL Injection Attacks Filter
@youknowriad

This comment has been minimized.

Copy link
Contributor

commented Dec 28, 2017

I'm afraid we can't do anything about this on our side. The REST API should allow storing any post content string and this is not a security issue IMO.

@jaswrks

This comment has been minimized.

Copy link
Contributor

commented Jan 2, 2018

I wonder if anyone working on the REST API has been in contact with the OWASP team that works on the core ruleset, which is used by Mod Security and many web application firewalls, including CloudFlare. Referencing: https://coreruleset.org/

There's a file in the core ruleset with several WordPress exceptions, and it helps to avoid things like this. However, I don't see that any of the existing rules deal with raw HTML content being POSTd to JSON API endpoints. That seems like a problem.

If we have someone who has a contact at CloudFlare or with the OWASP core ruleset team, it would be awesome if they could inquire about adding JSON API exceptions. That may improve this situation, over time, across many hosts that use the core ruleset, including at CloudFlare.

@danielbachhuber

This comment has been minimized.

Copy link
Member

commented Apr 11, 2018

For now, we should solve this problem with documentation. I've captured the CloudFlare issue to #4646

@danielbachhuber danielbachhuber changed the title [bug] Don't save when my list item has parentheses (CloudFlare) CloudFlare can unexpectedly block REST API requests Apr 14, 2018

@danielbachhuber danielbachhuber added this to Known Conflicts in Third-Party Compatibility Apr 14, 2018

@zackkatz

This comment has been minimized.

Copy link

commented Mar 11, 2019

I had to whitelist my IP address to get this working. The rule that was triggered for me was Rule 981176.

ID Description Group  
981176 Inbound Anomaly Score Exceeded (Total Score: 66, SQLi=14, XSS=25): Last Matched Message: XSS Attack Detected OWASP Inbound Blocking Filter
950901 SQL Injection Attack: SQL Tautology Detected. OWASP SQL Injection Attacks Filter
960024 Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters OWASP Generic Attacks Filter
973300 Possible XSS Attack Detected - HTML Tag Handler OWASP XSS Attacks Filter
973304 XSS Attack Detected OWASP XSS Attacks Filter
973306 XSS Attack Detected OWASP XSS Attacks Filter
973333 IE XSS Filters - Attack Detected. OWASP XSS Attacks Filter
973338 XSS Filter - Category 3: Javascript URI Vector OWASP XSS Attacks Filter
981018 End XSS pattern check OWASP XSS Attacks Filter
981133 Prequalify PM OWASP Generic Attacks Filter
981231 SQL Comment Sequence Detected. OWASP SQL Injection Attacks Filter
981243 Detects classic SQL injection probings 2/2 OWASP SQL Injection Attacks Filter
981245 Detects basic SQL authentication bypass attempts 2/3 OWASP SQL Injection Attacks Filter
981246 Detects basic SQL authentication bypass attempts 3/3 OWASP SQL Injection Attacks Filter
981248 Detects chained SQL injection attempts 1/2 OWASP SQL Injection Attacks Filter
981257 Detects MySQL comment-/space-obfuscated injections and backtick termination OWASP SQL Injection Attacks Filter
981306 SQL dual OWASP SQL Injection Attacks Filter
981307 SQL where OWASP SQL Injection Attacks Filter
2000001 Skip LFI Rules OWASP Slr Et Lfi Attacks Filter
2000003 Skip RFI Rules OWASP Slr Et RFI Attacks Filter
2000004 Skip SQLi Rules OWASP Slr Et SQLi Attacks Filter
2000005 Skip WordPress Rules OWASP Slr Et WordPress Attacks Filter
2000006 Skip XSS Rules OWASP Slr Et XSS Attacks Filter
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.