[miniflare] Fix /cdn-cgi/* host validation incorrectly accepting subdomains of exact configured routes#13912
Conversation
🦋 Changeset detectedLatest commit: 057dc05 The changes in this PR will be included in the next version bump. This PR includes changesets to release 5 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
Codeowners approval required for this PR:
Show detailed file reviewers
|
|
I've now thoroughly reviewed the PR. Let me verify my understanding of the logic:
The logic is correct. The The wildcard matching in Tests are comprehensive: they cover exact route subdomain blocking, look-alike hostname blocking, wildcard deep subdomain allowing, wildcard look-alike sibling blocking, and upstream hostname exact/subdomain validation. The changeset is properly formatted and scoped. The code is clean and well-commented. LGTM |
|
✅ All changesets look good |
create-cloudflare
@cloudflare/kv-asset-handler
miniflare
@cloudflare/pages-shared
@cloudflare/unenv-preset
@cloudflare/vite-plugin
@cloudflare/vitest-pool-workers
@cloudflare/workers-editor-shared
@cloudflare/workers-utils
wrangler
commit: |
|
Codeowners approval required for this PR:
Show detailed file reviewers |
workers-devprod
left a comment
There was a problem hiding this comment.
Codeowners reviews satisfied
13d3ccc to
e1df33e
Compare
…omains of exact configured routes Miniflare's /cdn-cgi/* host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whose Host or Origin hostname was a subdomain of an exact route was incorrectly accepted. The validator now keeps exact hosts and wildcard hosts in separate buckets: exact configured routes and the configured upstream hostname must match the request hostname exactly, while subdomain matching is only applied to wildcard routes such as *.example.com/*. Localhost hostnames continue to be allowed as before.
e1df33e to
057dc05
Compare
…omains of exact configured routes (#13912)
Miniflare's
/cdn-cgi/*host/origin validator was treating exact configured routes the same as wildcard configured routes. A request whoseHostorOriginhostname was a subdomain of an exact configured route (e.g.sub.my-custom-site.comfor amy-custom-site.com/*route) was therefore incorrectly accepted on/cdn-cgi/*endpoints, including the local explorer API. The same applied to the configuredupstreamhostname.The validator in
packages/miniflare/src/workers/core/entry.worker.tsnow keeps exact and wildcard hosts in separate buckets. Exact configured routes and the configured upstream hostname must match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as*.example.com/*. Localhost hostnames continue to be allowed as before.This also covers
wrangler devand local development through@cloudflare/vite-plugin, both of which use Miniflare under the hood./cdn-cgi/*host validation in Miniflare; there is no public API or user-facing configuration change.