Block requests vulnerable to opennext vulnerability (#9635)

Addresses GHSA-rvpw-p7vw-wj3m

This has already been applied in production, this commit keeps the
repository in sync.

Images loaded via the /_next/image?url=<some remote image> were
vulnerable to SSRF, and particularly if the user loaded the image in a
new tab (instead of forcing the browser to treat it as an image). Thus,
if request didn't indicate that the browser was going to treat the
resource as an image (via the 'Sec-Fetch-Dest: image' header), we block
the request when it doesn't return image content.

Author: matthewdavidrodgers

.changeset/eleven-fans-smoke.md

@@ -0,0 +1,5 @@
+---
+"@cloudflare/workers-shared": patch
+---
+
+Block possibly vulnerable requests to the router worker

packages/workers-shared/router-worker/src/analytics.ts

@@ -33,6 +33,8 @@ type Data = {
 	userWorkerAhead?: boolean;
 	// double6 - Routing performed based on the _routes.json (if provided)
 	staticRoutingDecision?: STATIC_ROUTING_DECISION;
+	// double7 - Whether the request was blocked by abuse mitigation or not
+	abuseMitigationBlocked?: boolean;
 
 	// -- Blobs --
 	// blob1 - Hostname of the request
@@ -45,6 +47,8 @@ type Data = {
 	version?: string;
 	// blob5 - Region of the colo (e.g. WEUR)
 	coloRegion?: string;
+	// blob6 - URL for analysis
+	abuseMitigationURLHost?: string;
 };
 
 export class Analytics {
@@ -88,13 +92,15 @@ export class Analytics {
 					? -1
 					: Number(this.data.userWorkerAhead),
 				this.data.staticRoutingDecision ?? STATIC_ROUTING_DECISION.NOT_PROVIDED, // double6
+				this.data.abuseMitigationBlocked ? 1 : 0, // double7
 			],
 			blobs: [
 				this.data.hostname?.substring(0, 256), // blob1 - trim to 256 bytes
 				this.data.dispatchtype, // blob2
 				this.data.error?.substring(0, 256), // blob3 - trim to 256 bytes
 				this.data.version, // blob4
 				this.data.coloRegion, // blob5
+				this.data.abuseMitigationURLHost, // blob6
 			],
 		});
 	}

packages/workers-shared/router-worker/src/worker.ts

@@ -77,6 +77,24 @@ export default {
 
 			const maybeSecondRequest = request.clone();
 
+			let shouldBlockNonImageResponse = false;
+			if (url.pathname === "/_next/image") {
+				// is a next image
+				const queryURLParam = url.searchParams.get("url");
+				if (queryURLParam && !queryURLParam.startsWith("/")) {
+					// that's a remote resource
+					if (
+						maybeSecondRequest.method !== "GET" ||
+						maybeSecondRequest.headers.get("sec-fetch-dest") !== "image"
+					) {
+						// that was not loaded via a browser's <img> tag
+						shouldBlockNonImageResponse = true;
+						analytics.setData({ abuseMitigationURLHost: queryURLParam });
+					}
+					// otherwise, we're good
+				}
+			}
+
 			if (config.static_routing) {
 				// evaluate "exclude" rules
 				const excludeRulesMatcher = generateStaticRoutingRuleMatcher(
@@ -129,6 +147,17 @@ export default {
 						});
 
 						userWorkerInvocation = true;
+						if (shouldBlockNonImageResponse) {
+							const resp = await env.USER_WORKER.fetch(maybeSecondRequest);
+							if (
+								!resp.headers.get("content-type")?.startsWith("image/") &&
+								resp.status !== 304
+							) {
+								analytics.setData({ abuseMitigationBlocked: true });
+								return new Response("Blocked", { status: 403 });
+							}
+							return resp;
+						}
 						return env.USER_WORKER.fetch(maybeSecondRequest);
 					});
 				}
@@ -158,6 +187,17 @@ export default {
 					});
 
 					userWorkerInvocation = true;
+					if (shouldBlockNonImageResponse) {
+						const resp = await env.USER_WORKER.fetch(maybeSecondRequest);
+						if (
+							!resp.headers.get("content-type")?.startsWith("image/") &&
+							resp.status !== 304
+						) {
+							analytics.setData({ abuseMitigationBlocked: true });
+							return new Response("Blocked", { status: 403 });
+						}
+						return resp;
+					}
 					return env.USER_WORKER.fetch(maybeSecondRequest);
 				});
 			}
@@ -175,6 +215,17 @@ export default {
 					});
 
 					userWorkerInvocation = true;
+					if (shouldBlockNonImageResponse) {
+						const resp = await env.USER_WORKER.fetch(maybeSecondRequest);
+						if (
+							!resp.headers.get("content-type")?.startsWith("image/") &&
+							resp.status !== 304
+						) {
+							analytics.setData({ abuseMitigationBlocked: true });
+							return new Response("Blocked", { status: 403 });
+						}
+						return resp;
+					}
 					return env.USER_WORKER.fetch(maybeSecondRequest);
 				});
 			}

packages/workers-shared/router-worker/tests/index.test.ts

@@ -246,4 +246,135 @@ describe("unit tests", async () => {
 		const response = await worker.fetch(request, env, ctx);
 		expect(await response.text()).toEqual("hello from user worker");
 	});
+
+	it("blocks /_next/image requests with remote URLs when not fetched as image", async () => {
+		const request = new Request(
+			"https://example.com/_next/image?url=https://evil.com/ssrf"
+		);
+		const ctx = createExecutionContext();
+
+		const env = {
+			CONFIG: {
+				has_user_worker: true,
+				invoke_user_worker_ahead_of_assets: true,
+			},
+			USER_WORKER: {
+				async fetch(_: Request): Promise<Response> {
+					return new Response("<!DOCTYPE html><html></html>", {
+						headers: { "content-type": "text/html" },
+					});
+				},
+			},
+		} as Env;
+
+		const response = await worker.fetch(request, env, ctx);
+		expect(response.status).toBe(403);
+		expect(await response.text()).toBe("Blocked");
+	});
+
+	it("allows /_next/image requests with remote URLs when fetched as image", async () => {
+		const request = new Request(
+			"https://example.com/_next/image?url=https://example.com/image.jpg",
+			{
+				headers: { "sec-fetch-dest": "image" },
+			}
+		);
+		const ctx = createExecutionContext();
+
+		const env = {
+			CONFIG: {
+				has_user_worker: true,
+				invoke_user_worker_ahead_of_assets: true,
+			},
+			USER_WORKER: {
+				async fetch(_: Request): Promise<Response> {
+					return new Response("fake image data", {
+						headers: { "content-type": "image/jpeg" },
+					});
+				},
+			},
+		} as Env;
+
+		const response = await worker.fetch(request, env, ctx);
+		expect(response.status).toBe(200);
+		expect(await response.text()).toBe("fake image data");
+	});
+
+	it("allows /_next/image with remote URL and image header regardless of response content", async () => {
+		const request = new Request(
+			"https://example.com/_next/image?url=https://example.com/image.jpg",
+			{
+				headers: { "sec-fetch-dest": "image" },
+			}
+		);
+		const ctx = createExecutionContext();
+
+		const env = {
+			CONFIG: {
+				has_user_worker: true,
+				invoke_user_worker_ahead_of_assets: true,
+			},
+			USER_WORKER: {
+				async fetch(_: Request): Promise<Response> {
+					return new Response("<!DOCTYPE html><html></html>", {
+						headers: { "content-type": "text/html" },
+					});
+				},
+			},
+		} as Env;
+
+		const response = await worker.fetch(request, env, ctx);
+		expect(response.status).toBe(200);
+		expect(await response.text()).toBe("<!DOCTYPE html><html></html>");
+	});
+
+	it("allows /_next/image requests with local URLs", async () => {
+		const request = new Request(
+			"https://example.com/_next/image?url=/local/image.jpg"
+		);
+		const ctx = createExecutionContext();
+
+		const env = {
+			CONFIG: {
+				has_user_worker: true,
+				invoke_user_worker_ahead_of_assets: true,
+			},
+			USER_WORKER: {
+				async fetch(_: Request): Promise<Response> {
+					return new Response("local image data", {
+						headers: { "content-type": "image/jpeg" },
+					});
+				},
+			},
+		} as Env;
+
+		const response = await worker.fetch(request, env, ctx);
+		expect(response.status).toBe(200);
+		expect(await response.text()).toBe("local image data");
+	});
+
+	it("allows /_next/image requests with 304 status", async () => {
+		const request = new Request(
+			"https://example.com/_next/image?url=https://example.com/image.jpg"
+		);
+		const ctx = createExecutionContext();
+
+		const env = {
+			CONFIG: {
+				has_user_worker: true,
+				invoke_user_worker_ahead_of_assets: true,
+			},
+			USER_WORKER: {
+				async fetch(_: Request): Promise<Response> {
+					return new Response(null, {
+						status: 304,
+						headers: { "content-type": "text/html" },
+					});
+				},
+			},
+		} as Env;
+
+		const response = await worker.fetch(request, env, ctx);
+		expect(response.status).toBe(304);
+	});
 });