Return 403 for /_image with href redirect using double slash (#10500)

Co-authored-by: James Opstad <[email protected]>

Author: WillTaylorDev

.changeset/weak-trams-add.md

@@ -0,0 +1,5 @@
+---
+"@cloudflare/workers-shared": minor
+---
+
+Block /\_image routes with href query param using double slash.

packages/workers-shared/router-worker/src/analytics.ts

@@ -53,6 +53,8 @@ type Data = {
 	coloRegion?: string;
 	// blob6 - URL for analysis
 	abuseMitigationURLHost?: string;
+	// blob7 - XSS detection href parameter value
+	xssDetectionImageHref?: string;
 };
 
 export class Analytics {
@@ -107,6 +109,7 @@ export class Analytics {
 				this.data.version, // blob4
 				this.data.coloRegion, // blob5
 				this.data.abuseMitigationURLHost, // blob6
+				this.data.xssDetectionImageHref, // blob7
 			],
 		});
 	}

packages/workers-shared/router-worker/src/worker.ts

@@ -128,6 +128,28 @@ export default {
 						}
 					}
 
+					if (url.pathname === "/_image") {
+						const hrefParam = url.searchParams.get("href");
+						if (
+							hrefParam &&
+							hrefParam.length > 2 &&
+							hrefParam.startsWith("//")
+						) {
+							try {
+								const hrefUrl = new URL("https:" + hrefParam);
+								const isImageFetchDest =
+									request.headers.get("sec-fetch-dest") == "image";
+
+								if (hrefUrl.hostname !== url.hostname && !isImageFetchDest) {
+									analytics.setData({ xssDetectionImageHref: hrefParam });
+									return new Response("Blocked", { status: 403 });
+								}
+							} catch {
+								console.log(`Invalid href parameter in /_image: ${hrefParam}`);
+							}
+						}
+					}
+
 					analytics.setData({
 						timeToDispatch: performance.now() - startTimeMs,
 					});