Does this mean that currently this issue is still exploitable even with domain lockdown? Or do you

IIEatBeans Does this mean that currently this issue is still exploitable even with domain l...

J

James•5/9/24, 5:03 PM

If you turn on Domain Lockdown, then it's not exploitable with your domain. But many of their customers don't have this enabled, and if you sign up with another hosting provider that uses MailChannels, you can still send emails from many of their customers that'll pass security checks, yes.

J

James•5/9/24, 5:03 PM

They used to allow self-service for just $80 where you could do this. But they quietly removed that from their site. So now you have to signup via a third-party.

J

James•5/9/24, 5:04 PM

It all just reinforces their terrible communication throughout the process, and is a partnership that I think is irresponsible for Cloudflare to upkeep, personally.

B

Barry_Based_Benson•5/10/24, 2:41 AM

const newRequest = new Request(request);

            const contentType = url.searchParams.get("content-type");
            if (contentType) {
                newRequest.headers.set("Content-Type", contentType);
            }
            
            const contentDisposition = url.searchParams.get("content-disposition");
            if (contentDisposition) {
                newRequest.headers.set("Content-Disposition", contentDisposition);
            }

            return fetch(new URL(url.pathname, `https://${requiredHostname}`), newRequest);

const newRequest = new Request(request);

            const contentType = url.searchParams.get("content-type");
            if (contentType) {
                newRequest.headers.set("Content-Type", contentType);
            }
            
            const contentDisposition = url.searchParams.get("content-disposition");
            if (contentDisposition) {
                newRequest.headers.set("Content-Disposition", contentDisposition);
            }

            return fetch(new URL(url.pathname, `https://${requiredHostname}`), newRequest);

const newRequest = new Request(request);

            const contentType = url.searchParams.get("content-type");
            if (contentType) {
                newRequest.headers.set("Content-Type", contentType);
            }
            
            const contentDisposition = url.searchParams.get("content-disposition");
            if (contentDisposition) {
                newRequest.headers.set("Content-Disposition", contentDisposition);
            }

            return fetch(new URL(url.pathname, `https://${requiredHostname}`), newRequest);

const newRequest = new Request(request);

            const contentType = url.searchParams.get("content-type");
            if (contentType) {
                newRequest.headers.set("Content-Type", contentType);
            }
            
            const contentDisposition = url.searchParams.get("content-disposition");
            if (contentDisposition) {
                newRequest.headers.set("Content-Disposition", contentDisposition);
            }

            return fetch(new URL(url.pathname, `https://${requiredHostname}`), newRequest);

How do i get content-disposition: attachment to cause my custom domain r2 to force a download instead of treating it as inline? Am i doing it wrong? it's appearing correctly in the param as attachment and i'm trying to send it as a header in the fetch request but the file is still being displayed in-browser instead of starting a download

BBarry_Based_Benson ``` const newRequest = new Request(request); const cont...

I

Isaac McFadyen•5/10/24, 4:28 AM

So content-disposition is a response header, not a request header.

I

Isaac McFadyen•5/10/24, 4:28 AM

Your need to reply with the

content-disposition

content-disposition

content-disposition

content-disposition header (it looks like you're making the request with the header, which is different)

I

Isaac McFadyen•5/10/24, 4:29 AM

You probably need to do a (untested but should work):

const res = fetch(new URL(url.pathname, `https://${requiredHostname}`));

// Clone the response because it's immutable by default.
const clonedRes = new Response(res.body, res);
clonedRes.headers.set("Content-Disposition", contentDisposition);
clonedRes.headers.set("Content-Type", contentType);

return clonedRes

const res = fetch(new URL(url.pathname, `https://${requiredHostname}`));

// Clone the response because it's immutable by default.
const clonedRes = new Response(res.body, res);
clonedRes.headers.set("Content-Disposition", contentDisposition);
clonedRes.headers.set("Content-Type", contentType);

return clonedRes

const res = fetch(new URL(url.pathname, `https://${requiredHostname}`));

// Clone the response because it's immutable by default.
const clonedRes = new Response(res.body, res);
clonedRes.headers.set("Content-Disposition", contentDisposition);
clonedRes.headers.set("Content-Type", contentType);

return clonedRes

const res = fetch(new URL(url.pathname, `https://${requiredHostname}`));

// Clone the response because it's immutable by default.
const clonedRes = new Response(res.body, res);
clonedRes.headers.set("Content-Disposition", contentDisposition);
clonedRes.headers.set("Content-Type", contentType);

return clonedRes

I

Isaac McFadyen•5/10/24, 4:30 AM

Just as a side-note, you should probably not be deciding what content-type to return based on what the client asks you to - the content-type is usually decided by what the actual content is, not what the browser wants.

I

Isaac McFadyen•5/10/24, 4:31 AM

So for example, text files should usually be returned as

text/plain

text/plain

, in your example I could do a

contentType

contentType

contentType

contentType query param of

video/webm

video/webm

video/webm

video/webm and the browser would think my text file is a video

B

Barry_Based_Benson•5/10/24, 4:31 AM

The client is the backend which uses the file metadata stored on the database to make sure the content type is correct in the header that's sent

I

Isaac McFadyen•5/10/24, 4:31 AM

Ah I see - ok then, probably fine.

B

Barry_Based_Benson•5/10/24, 4:31 AM

I'll try out your solution though, thanks for your help

B

Barry_Based_Benson•5/10/24, 5:03 AM

This fixed the issue, been spending ages on this. Thank you!

S

Sheng•5/10/24, 12:20 PM

Mailchannels + CF Workers, anyone facing status 500 error, EOF when sending email sometimes? like 1 out of 10 times will hit this error while remaining 9 no issue, can send email

J

johtso•5/10/24, 12:24 PM

what happens when you hit the subrequest limit, does fetch throw an error?

S

Sheng•5/10/24, 12:26 PM

I don't think I hit any limit, because this error usually is the first request of the day / first request after deploy new version to CF worker, and the status 500 is coming from mailchannels api

SSheng I don't think I hit any limit, because this error usually is the first request o...

J

johtso•5/10/24, 12:28 PM

sorry, that wasn't in response to you, was an unrelated question

Jjohtso what happens when you hit the subrequest limit, does fetch throw an error?

K

kian•5/10/24, 12:40 PM

Yes

K

kian•5/10/24, 12:41 PM

So subrequests work in two ways - there are in-house subrequests, and everything else.

K

kian•5/10/24, 12:41 PM

They have separate counters, separate 'buckets'

K

kian•5/10/24, 12:41 PM

You can (on a paid plan) make 1000 subrequests with something like

fetch(url)

fetch(url)

fetch(url)

fetch(url), and another 1000 to in-house things (KV, R2, DO, D1, you get the idea)

K

kian•5/10/24, 12:41 PM

Once you hit that limit, they throw a "subrequest limit exceeded" exception

J

johtso•5/10/24, 12:55 PM

@kian thanks for clarifying!

J

johtso•5/10/24, 12:56 PM

still not entirely sure how to deal with these limits when I'm doing work that requires making a lot of requests

J

johtso•5/10/24, 1:10 PM

My instinct is to catch that error at a high level, and then schedule an immediate alarm

J

johtso•5/10/24, 1:11 PM

Scheduling an alarm doesn't count as a request does it?

J

johtso•5/10/24, 1:13 PM

Ah yes, they're transactional storage API operations, that's good

J

johtso•5/10/24, 1:21 PM

@kian is there anywhere I can see exactly how to catch that exception?

K

kian•5/10/24, 1:23 PM

Just a normal

try/catch

try/catch

try/catch

try/catch around the subrequest

Kkian Just a normal `try/catch` around the subrequest

J

johtso•5/10/24, 1:54 PM

but how to I check if an error is a "subrequest limit exceeded" exception? is that the exact name of the exception?

e.name === "subrequest limit exceeded"

e.name === "subrequest limit exceeded"

e.name === "subrequest limit exceeded"

e.name === "subrequest limit exceeded"?

SSheng Mailchannels + CF Workers, anyone facing status 500 error, EOF when sending emai...

J

James•5/10/24, 1:57 PM

Sadly not a direct solution to your problem, but I would recommend you avoid MailChannels. Cloudflare's continued partnership with them is very disappointing after their security issues and terrible response. See https://canary.discord.com/channels/595317990191398933/779390076219686943/1226529017763463219 for more details.

Jjohtso but how to I check if an error is a "subrequest limit exceeded" exception? is th...

K

kian•5/10/24, 1:58 PM

export default {
  async fetch() {
    try {
      while (true) { await fetch("https://cloudflare.com/cdn-cgi/trace") }
    } catch (e) {
      return new Response(JSON.stringify(e, Object.getOwnPropertyNames(e)))
    }
  },
};

export default {
  async fetch() {
    try {
      while (true) { await fetch("https://cloudflare.com/cdn-cgi/trace") }
    } catch (e) {
      return new Response(JSON.stringify(e, Object.getOwnPropertyNames(e)))
    }
  },
};

export default {
  async fetch() {
    try {
      while (true) { await fetch("https://cloudflare.com/cdn-cgi/trace") }
    } catch (e) {
      return new Response(JSON.stringify(e, Object.getOwnPropertyNames(e)))
    }
  },
};

export default {
  async fetch() {
    try {
      while (true) { await fetch("https://cloudflare.com/cdn-cgi/trace") }
    } catch (e) {
      return new Response(JSON.stringify(e, Object.getOwnPropertyNames(e)))
    }
  },
};

K

kian•5/10/24, 1:58 PM

You can test it with that and see what the error is

Kkian ```js export default { async fetch() { try { while (true) { await fe...

J

johtso•5/10/24, 1:59 PM

I'm guessing it's along the lines of this? https://github.com/cloudflare/miniflare/blob/c2ed3afdc1fed9f78d5cb6c50edc793a9a43a850/packages/shared/src/context.ts#L149

J

johtso•5/10/24, 2:00 PM

which doesn't seem very amenable to being handled specifically

J

johtso•5/10/24, 2:01 PM

Is this just the javascript way? generic errors with error text?

J

johtso•5/10/24, 2:01 PM

coming from python I'm used to specific subclasses of errors

J

James•5/10/24, 2:02 PM

You absolutely can create subclasses of errors in JS, and attach things like a

code

code

code

code, etc. but not everything does, sadly

J

johtso•5/10/24, 2:03 PM

would be nice if core cloudflare errors did this :/

J

johtso•5/10/24, 2:10 PM

{"stack":"Error: Too many subrequests.\n    at Object.fetch (worker.js:15:28)","message":"Too many subrequests."}

{"stack":"Error: Too many subrequests.\n    at Object.fetch (worker.js:15:28)","message":"Too many subrequests."}

{"stack":"Error: Too many subrequests.\n    at Object.fetch (worker.js:15:28)","message":"Too many subrequests."}

{"stack":"Error: Too many subrequests.\n    at Object.fetch (worker.js:15:28)","message":"Too many subrequests."}

J

johtso•5/10/24, 2:19 PM

and this is going to behave differently when ran locally?

J

johtso•5/10/24, 2:20 PM

@kian and do you think I can safely run that snippet locally, or will I end up spamming cloudflare?

J

johtso•5/10/24, 2:24 PM

I don't think local wrangler is respecting subrequest limits..

J

johtso•5/10/24, 2:51 PM

should I be able to test locally with the same subrequest limit behaviour? the github issues I'm seeing give the impression that it should "just work"

J

James•5/10/24, 5:34 PM

I don't believe subrequest limits are enforced at all locally

J

James•5/10/24, 5:35 PM

so that'll probably just run forever

J

johtso•5/10/24, 6:29 PM

@James that seems unfortunate? something can seem to run fine locally and then break when deployed

J

James•5/10/24, 6:29 PM

I agree, it's very much not ideal

Does this mean that currently this issue is still exploitable even with domain lockdown? Or do you

Similar Threads

Similar Threads

Similar Threads