Skip to content

[miniflare] Fix /cdn-cgi/* host validation incorrectly accepting subdomains of exact configured routes#13912

Merged
petebacondarwin merged 1 commit into
mainfrom
fix/miniflare-cdn-cgi-exact-vs-wildcard
May 20, 2026
Merged

[miniflare] Fix /cdn-cgi/* host validation incorrectly accepting subdomains of exact configured routes#13912
petebacondarwin merged 1 commit into
mainfrom
fix/miniflare-cdn-cgi-exact-vs-wildcard

Conversation

@petebacondarwin

@petebacondarwin petebacondarwin commented May 13, 2026

Copy link
Copy Markdown
Contributor

Miniflare's /cdn-cgi/* host/origin validator was treating exact configured routes the same as wildcard configured routes. A request whose Host or Origin hostname was a subdomain of an exact configured route (e.g. sub.my-custom-site.com for a my-custom-site.com/* route) was therefore incorrectly accepted on /cdn-cgi/* endpoints, including the local explorer API. The same applied to the configured upstream hostname.

The validator in packages/miniflare/src/workers/core/entry.worker.ts now keeps exact and wildcard hosts in separate buckets. Exact configured routes and the configured upstream hostname must match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as *.example.com/*. Localhost hostnames continue to be allowed as before.

This also covers wrangler dev and local development through @cloudflare/vite-plugin, both of which use Miniflare under the hood.


  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: this is an internal change to /cdn-cgi/* host validation in Miniflare; there is no public API or user-facing configuration change.

Open in Devin Review

@changeset-bot

changeset-bot Bot commented May 13, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 057dc05

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
miniflare Patch
wrangler Patch
@cloudflare/vite-plugin Patch
@cloudflare/pages-shared Patch
@cloudflare/vitest-pool-workers Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-project-automation github-project-automation Bot moved this to Untriaged in workers-sdk May 13, 2026
@workers-devprod workers-devprod requested review from a team and emily-shen and removed request for a team May 13, 2026 14:49
@workers-devprod

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • @cloudflare/wrangler
Show detailed file reviewers
  • .changeset/fix-cdn-cgi-host-validation.md: [@cloudflare/wrangler]
  • packages/miniflare/src/workers/core/entry.worker.ts: [@cloudflare/wrangler]
  • packages/miniflare/test/plugins/local-explorer/index.spec.ts: [@cloudflare/wrangler]

@ask-bonk

ask-bonk Bot commented May 13, 2026

Copy link
Copy Markdown
Contributor

I've now thoroughly reviewed the PR. Let me verify my understanding of the logic:

  1. Before this PR: All configured route hostnames (both exact like my-custom-site.com/* and wildcard like *.example.com/*) were put into a single allowedHostnames set. The isHostnameAllowed function then did subdomain matching (endsWith) against all of them. This meant sub.my-custom-site.com would be incorrectly accepted for an exact route my-custom-site.com/*.

  2. After this PR: Routes are split into exactHostnames and wildcardHostnames. Exact routes require exact match via Set.has(). Only wildcard routes allow subdomain matching via endsWith. The upstream hostname is also treated as exact-only.

The logic is correct. The allowHostnamePrefix flag from parseRoutes is the right discriminator — it's true only for routes starting with * (like *.example.com/*). The hostname field has the leading * stripped (leaving .example.com), and the code correctly strips the leading . before adding to the set.

The wildcard matching in isHostnameAllowed checks both hostname === allowed (base domain match) and hostname.endsWith(.${allowed}) (subdomain match with dot boundary), which correctly prevents notexample.com from matching example.com.

Tests are comprehensive: they cover exact route subdomain blocking, look-alike hostname blocking, wildcard deep subdomain allowing, wildcard look-alike sibling blocking, and upstream hostname exact/subdomain validation.

The changeset is properly formatted and scoped. The code is clean and well-commented.

LGTM

github run

@github-actions

github-actions Bot commented May 13, 2026

Copy link
Copy Markdown
Contributor

✅ All changesets look good

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

Open in Devin Review

@pkg-pr-new

pkg-pr-new Bot commented May 13, 2026

Copy link
Copy Markdown
create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@13912

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13912

miniflare

npm i https://pkg.pr.new/miniflare@13912

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@13912

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@13912

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@13912

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13912

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13912

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@13912

wrangler

npm i https://pkg.pr.new/wrangler@13912

commit: 057dc05

@workers-devprod

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • ✅ @cloudflare/wrangler
Show detailed file reviewers

@workers-devprod workers-devprod left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codeowners reviews satisfied

@github-project-automation github-project-automation Bot moved this from Untriaged to Approved in workers-sdk May 19, 2026
@petebacondarwin petebacondarwin force-pushed the fix/miniflare-cdn-cgi-exact-vs-wildcard branch from 13d3ccc to e1df33e Compare May 19, 2026 15:05
…omains of exact configured routes

Miniflare's /cdn-cgi/* host/origin validator was treating exact configured
routes the same as wildcard configured routes, so a request whose Host or
Origin hostname was a subdomain of an exact route was incorrectly accepted.
The validator now keeps exact hosts and wildcard hosts in separate buckets:
exact configured routes and the configured upstream hostname must match the
request hostname exactly, while subdomain matching is only applied to
wildcard routes such as *.example.com/*. Localhost hostnames continue to be
allowed as before.
@petebacondarwin petebacondarwin force-pushed the fix/miniflare-cdn-cgi-exact-vs-wildcard branch from e1df33e to 057dc05 Compare May 19, 2026 16:00
@petebacondarwin petebacondarwin merged commit d803737 into main May 20, 2026
52 checks passed
@petebacondarwin petebacondarwin deleted the fix/miniflare-cdn-cgi-exact-vs-wildcard branch May 20, 2026 05:54
@github-project-automation github-project-automation Bot moved this from Approved to Done in workers-sdk May 20, 2026
penalosa pushed a commit that referenced this pull request May 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

3 participants