fix: miniflare now sets the "Host" header to match the upstream URL #4630
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
🦋 Changeset detectedLatest commit: 66ea286 The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
petebacondarwin
added
bug
|
A wrangler prerelease is available for testing. You can install this latest build in your project with: npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7396783059/npm-package-wrangler-4630You can reference the automatically updated head of this PR with: npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/prs/7396783059/npm-package-wrangler-4630Or you can use npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7396783059/npm-package-wrangler-4630 dev path/to/script.jsAdditional artifacts:npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7396783059/npm-package-miniflare-4630npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7396783059/npm-package-cloudflare-pages-shared-4630npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7396783059/npm-package-create-cloudflare-4630 --no-auto-updateNote that these links will no longer work once the GitHub Actions artifact expires.
| Please ensure constraints are pinned, and |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #4630 +/- ##
==========================================
+ Coverage 75.58% 75.67% +0.08%
==========================================
Files 243 243
Lines 13084 13087 +3
Branches 3368 3368
==========================================
+ Hits 9890 9903 +13
+ Misses 3194 3184 -10
|
RamIdeas
reviewed
Dec 20, 2023
RamIdeas
reviewed
Dec 20, 2023
petebacondarwin
force-pushed
the
miniflare-upstream-host
branch
6 times, most recently
from
86029d3
to
b3337e9
Compare
RamIdeas
approved these changes
Dec 20, 2023
mrbbot
approved these changes
Dec 20, 2023
| @@ -33,15 +34,39 @@ function getUserRequest( | |||
| request: Request<unknown, IncomingRequestCfProperties>, | |||
| env: Env | |||
| ) { | |||
| // The original URL is a header that is passed by Miniflare to the user worker | |||
| // in case the request was rewritten on its way to the user worker. | |||
There was a problem hiding this comment.
Could you update this comment to clarify that ORIGINAL_URL is also set when calling Miniflare#dispatchFetch(...) with the passed URL?
There was a problem hiding this comment.
I updated the comment, but I am not 100% it is what you wanted.
| CoreHeaders.PROXY_SHARED_SECRET | ||
| ); | ||
| if (proxySharedSecret) { | ||
| if (proxySharedSecret === env[CoreBindings.TEXT_PROXY_SHARED_SECRET]) { |
There was a problem hiding this comment.
Unlikely to be a problem, but really this should be crypto.subtle.timingSafeEqual() to prevent timing attacks. This would require the shared secret to be an encoding of some uniformly distributed byte array (e.g. random hex string).
There was a problem hiding this comment.
Updated to use this approach.
petebacondarwin
force-pushed
the
miniflare-upstream-host
branch
from
5797645
to
d98e0f8
Compare
mrbbot
reviewed
Jan 3, 2024
…ating host from original URL header
…local mode Some full-stack frameworks, such as Next.js, check that the Host header for a server side action request matches the host where the application is expected to run. In `wrangler dev` we have a Proxy Worker in between the browser and the actual User Worker. This Proxy Worker is forwarding on the request from the browser, but then the actual User Worker is running on a different host:port combination than that which the browser thinks it should be on. This was causing the framework to think the request is malicious and blocking it. Now we update the request's Host header to that passed from the Proxy Worker in a custom `MF-Original-Url` header, but only do this if the request also contains a shared secret between the Proxy Worker and User Worker, which is passed via the `MF-Proxy-Shared-Secret` header. This last feature is to prevent a malicious website from faking the Host header in a request directly to the User Worker. Fixes cloudflare/next-on-pages#588
This avoids prop drilling.
This helps to avoid an attacker guessing the secret via the timing of the comparison.
petebacondarwin
force-pushed
the
miniflare-upstream-host
branch
from
d98e0f8
to
66ea286
Compare
Merged
dario-piotrowicz
added a commit
to dario-piotrowicz/next-on-pages
that referenced
this pull request
Jan 8, 2024
notes: - this is needed so that we can add e2e tests for server actions: cloudflare/workers-sdk#4630 - we the commit also updates node from 18 to 20 in e2e github acitons testing, this is necessary for using the latest wrangler release, see: cloudflare/workers-sdk#4563 (comment)
dario-piotrowicz
added a commit
to dario-piotrowicz/next-on-pages
that referenced
this pull request
Jan 14, 2024
notes: - this is needed so that we can add e2e tests for server actions: cloudflare/workers-sdk#4630 - we the commit also updates node from 18 to 20 in e2e github acitons testing, this is necessary for using the latest wrangler release, see: cloudflare/workers-sdk#4563 (comment)
dario-piotrowicz
added a commit
to dario-piotrowicz/next-on-pages
that referenced
this pull request
Jan 14, 2024
notes: - this is needed so that we can add e2e tests for server actions: cloudflare/workers-sdk#4630 - we the commit also updates node from 18 to 20 in e2e github acitons testing, this is necessary for using the latest wrangler release, see: cloudflare/workers-sdk#4563 (comment)
dario-piotrowicz
added a commit
to dario-piotrowicz/next-on-pages
that referenced
this pull request
Jan 16, 2024
notes: - this is needed so that we can add e2e tests for server actions: cloudflare/workers-sdk#4630 - we the commit also updates node from 18 to 20 in e2e github acitons testing, this is necessary for using the latest wrangler release, see: cloudflare/workers-sdk#4563 (comment)
dario-piotrowicz
added a commit
to cloudflare/next-on-pages
that referenced
this pull request
Jan 22, 2024
* add vitest.config.ts file with retry for better tests stability * add new e2e features to test wasm * avoid inconsistent kebab-case * use latest wrangler release notes: - this is needed so that we can add e2e tests for server actions: cloudflare/workers-sdk#4630 - we the commit also updates node from 18 to 20 in e2e github acitons testing, this is necessary for using the latest wrangler release, see: cloudflare/workers-sdk#4563 (comment) * add app server-actions e2e test * remove unnecessary existsSync assertion in processVercelOutput unit tests
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #4643
Fixes cloudflare/next-on-pages#588
It is good to review this PR commit by commit.
What this PR solves / how to test:
Some full-stack frameworks, such as Next.js, check that the Host header for a server
side action request matches the host where the application is expected to run.
In
wrangler devwe have a Proxy Worker in between the browser and the actual User Worker.This Proxy Worker is forwarding on the request from the browser, but then the actual User
Worker is running on a different host:port combination than that which the browser thinks
it should be on. This was causing the framework to think the request is malicious and blocking
it.
Now we update the request's Host header to that passed from the Proxy Worker in a custom
MF-Original-Urlheader, but only do this if the request also contains a shared secret between the Proxy Worker
and User Worker, which is passed via the
MF-Proxy-Shared-Secretheader. This last feature is toprevent a malicious website from faking the Host header in a request directly to the User Worker.
The
worker-appfixture has been updated to check that this is working as expected.Author has addressed the following: