fix: validate Host/Origin headers in magic proxy and InspectorProxyWorker #4550

Merged
merged 2 commits into from
Dec 5, 2023

Conversation

mrbbot
Contributor

@mrbbot mrbbot commented Dec 5, 2023

What this PR solves / how to test:

Host and Origin headers are now checked when connecting to the inspector and Miniflare's magic proxy. If these don't match what's expected, the request will fail. To test this, host DevTools on a different networked computer, and try to connect to the local wrangler dev server from that. The request should fail. Connecting from the hosted devtools and local devtools should succeed. Miniflare's test suite should succeed too.

Author has addressed the following:

  • Tests
    • Included
    • Not necessary because:
  • Changeset (Changeset guidelines)
    • Included
    • Not necessary because:
  • Associated docs
    • Issue(s)/PR(s):
    • Not necessary because: this shouldn't affect regular use

Note for PR author:

We want to celebrate and highlight awesome PR review! If you think this PR received a particularly high-caliber review, please assign it the label highlight pr review so future reviewers can take inspiration and learn from it.
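The check described in the PR body (reject inspector and magic-proxy connections whose Host or Origin header is not the expected one) is the standard defence against DNS rebinding and cross-site pages reaching a loopback-bound dev server. The following is an added example, not the workers-sdk or Miniflare implementation: a small validator over plain header records. It assumes the server listens on loopback at a known port (the constructed sample port 9229) and that hosted DevTools are served from the placeholder origin `https://devtools.example`; both are assumptions, not values from the PR.

```typescript
// Added example (not workers-sdk/Miniflare code): Host/Origin validation for a
// loopback-bound development endpoint such as an inspector or proxy worker.
// Assumptions (not from the PR): the server listens on DEV_SERVER_PORT, and
// hosted DevTools live at the placeholder origin HOSTED_DEVTOOLS_ORIGIN.

type HeaderMap = Record<string, string>;

const DEV_SERVER_PORT = 9229; // constructed sample port
const HOSTED_DEVTOOLS_ORIGIN = "https://devtools.example"; // placeholder, not the real hosted DevTools
const LOOPBACK_HOSTNAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);

/** Case-insensitive header lookup (HTTP header names are case-insensitive). */
function getHeader(headers: HeaderMap, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

/** Split a Host header into hostname and optional port, handling bracketed IPv6 literals. */
function parseHost(host: string): { hostname: string; port?: number } | undefined {
  const trimmed = host.trim();
  if (trimmed === "") return undefined;
  let hostname: string;
  let portPart: string | undefined;
  if (trimmed.startsWith("[")) {
    // "[::1]:9229" -> hostname "[::1]", port "9229"
    const end = trimmed.indexOf("]");
    if (end === -1) return undefined;
    hostname = trimmed.slice(0, end + 1);
    const rest = trimmed.slice(end + 1);
    if (rest === "") portPart = undefined;
    else if (rest.startsWith(":")) portPart = rest.slice(1);
    else return undefined;
  } else {
    const idx = trimmed.lastIndexOf(":");
    if (idx === -1) {
      hostname = trimmed;
    } else {
      hostname = trimmed.slice(0, idx);
      portPart = trimmed.slice(idx + 1);
    }
  }
  if (portPart === undefined) return { hostname: hostname.toLowerCase() };
  if (!/^\d{1,5}$/.test(portPart)) return undefined;
  const port = Number(portPart);
  if (port < 1 || port > 65535) return undefined;
  return { hostname: hostname.toLowerCase(), port };
}

/** Origins allowed to open a browser connection: hosted DevTools, or local DevTools on this server's own port. */
function isAllowedOrigin(origin: string, expectedPort: number): boolean {
  let url: URL;
  try {
    url = new URL(origin);
  } catch {
    return false; // covers the literal "null" origin sent from opaque/sandboxed contexts
  }
  if (url.origin === HOSTED_DEVTOOLS_ORIGIN) return true;
  const port = url.port === "" ? (url.protocol === "https:" ? 443 : 80) : Number(url.port);
  return url.protocol === "http:" && LOOPBACK_HOSTNAMES.has(url.hostname) && port === expectedPort;
}

/**
 * Decide whether an inbound request may reach the dev server.
 * Host must name loopback on the expected port (blocks DNS rebinding, where the
 * name resolves to 127.0.0.1 but Host carries the attacker's domain). Origin, if
 * present, must be an allowed page origin (blocks cross-site pages; browsers always
 * send Origin on WebSocket upgrades, non-browser clients such as the CLI send none).
 */
function checkRequest(headers: HeaderMap, expectedPort: number = DEV_SERVER_PORT): { ok: boolean; reason?: string } {
  const host = getHeader(headers, "host");
  if (host === undefined) return { ok: false, reason: "missing Host header" };
  const parsed = parseHost(host);
  if (parsed === undefined) return { ok: false, reason: `malformed Host header: ${host}` };
  if (!LOOPBACK_HOSTNAMES.has(parsed.hostname) || (parsed.port ?? 80) !== expectedPort) {
    return { ok: false, reason: `unexpected Host: ${host}` };
  }
  const origin = getHeader(headers, "origin");
  if (origin !== undefined && !isAllowedOrigin(origin, expectedPort)) {
    return { ok: false, reason: `disallowed Origin: ${origin}` };
  }
  return { ok: true };
}

/** HTTP status a handler would return before upgrading: 403 on failure, otherwise proceed (101 for a WebSocket upgrade). */
function upgradeStatus(headers: HeaderMap): number {
  return checkRequest(headers).ok ? 101 : 403;
}

// Constructed sample headers exercising each branch.
console.log(checkRequest({ Host: "localhost:9229" }));                                   // ok: CLI client, no Origin
console.log(checkRequest({ host: "127.0.0.1:9229", Origin: "http://localhost:9229" }));  // ok: local DevTools
console.log(checkRequest({ Host: "rebind.example:9229" }));                              // rejected: DNS rebinding
console.log(checkRequest({ Host: "localhost:9229", Origin: "https://evil.example" }));   // rejected: cross-site page
console.log(upgradeStatus({ Host: "[::1]:9229", Origin: HOSTED_DEVTOOLS_ORIGIN }));      // 101
```

Rejecting on a present-but-foreign Origin rather than requiring one keeps non-browser clients working (they send no Origin), while a browser-initiated cross-site WebSocket is always identifiable because the browser attaches Origin itself and the page cannot suppress it.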


changeset-bot bot commented Dec 5, 2023

🦋 Changeset detected

Latest commit: e349ba8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name                       Type
miniflare                  Patch
wrangler                   Patch
@cloudflare/pages-shared   Patch


Contributor

github-actions bot commented Dec 5, 2023

A wrangler prerelease is available for testing. You can install this latest build in your project with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7104924584/npm-package-wrangler-4550

You can reference the automatically updated head of this PR with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/prs/7104924584/npm-package-wrangler-4550

Or you can use npx with this latest build directly:

npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7104924584/npm-package-wrangler-4550 dev path/to/script.js
Additional artifacts:
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7104924584/npm-package-miniflare-4550
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7104924584/npm-package-cloudflare-pages-shared-4550
npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7104924584/npm-package-create-cloudflare-4550

Note that these links will no longer work once the GitHub Actions artifact expires.


wrangler@3.18.0 includes the following runtime dependencies:

Package              Constraint       Resolved
miniflare            workspace:*      3.20231030.2
workerd              1.20231030.0     1.20231030.0
workerd --version    1.20231030.0     2023-10-30

Please ensure constraints are pinned, and miniflare/workerd minor versions match.

@mrbbot mrbbot force-pushed the bcoll/validate-hostnames branch from 7dc6766 to 71eed02 Compare December 5, 2023 13:47

codecov bot commented Dec 5, 2023

Codecov Report

Merging #4550 (e349ba8) into main (71fb0b8) will increase coverage by 0.01%.
Report is 1 commits behind head on main.
The diff coverage is n/a.


@@            Coverage Diff             @@
##             main    #4550      +/-   ##
==========================================
+ Coverage   75.44%   75.46%   +0.01%     
==========================================
  Files         240      240              
  Lines       12854    12855       +1     
  Branches     3312     3313       +1     
==========================================
+ Hits         9698     9701       +3     
+ Misses       3156     3154       -2     
Files Coverage Δ
...wrangler/src/api/startDevWorker/ProxyController.ts 61.32% <ø> (ø)

... and 7 files with indirect coverage changes

@mrbbot mrbbot marked this pull request as ready for review December 5, 2023 14:20
@mrbbot mrbbot requested a review from a team as a code owner December 5, 2023 14:20
@petebacondarwin petebacondarwin added the e2e Run e2e tests on a PR label Dec 5, 2023
Contributor

@petebacondarwin petebacondarwin left a comment


Is this not possible to write automated tests for?

packages/miniflare/src/workers/core/proxy.worker.ts (review thread, outdated, resolved)
@mrbbot mrbbot changed the title fix: validate Host/Origin headers in magic proxy InspectorProxyWorker fix: validate Host/Origin headers in magic proxy and InspectorProxyWorker Dec 5, 2023
@mrbbot mrbbot force-pushed the bcoll/validate-hostnames branch from 71eed02 to ad457f1 Compare December 5, 2023 17:44
@mrbbot mrbbot force-pushed the bcoll/validate-hostnames branch from ad457f1 to e349ba8 Compare December 5, 2023 18:20
@lrapoport-cf lrapoport-cf merged commit 63708a9 into main Dec 5, 2023
19 checks passed
@lrapoport-cf lrapoport-cf deleted the bcoll/validate-hostnames branch December 5, 2023 18:49
@workers-devprod workers-devprod mentioned this pull request Dec 5, 2023
mrbbot added a commit that referenced this pull request Dec 11, 2023
mrbbot added a commit that referenced this pull request Dec 12, 2023
* Change dev registry and inspector server to use 127.0.0.1 instead of all interfaces (#4437)

(cherry picked from commit 05b1bbd)

* fix: validate `Host`/`Origin` headers in inspector proxy

Backport of #4550

---------

Co-authored-by: Joshua Johnson <jspspike@gmail.com>