Stricter handling of /cdn-cgi/handler/ routes. (#10673)

* Scope trigger handlers middleware to /cdn-cgi/handler/ rather than /cdn-cgi/

* Send 404 response for unimplemented /cdn-cgi/handler/ routes

* Add changesets

* Add additional test to ensure non-handler /cdn-cgi/ routes are not blocked

Author: jamesopstad

.changeset/hungry-pants-talk.md

@@ -0,0 +1,5 @@
+---
+"miniflare": patch
+---
+
+Send a 404 response for unimplemented `/cdn-cgi/handler/` routes.

.changeset/social-foxes-crash.md

@@ -0,0 +1,5 @@
+---
+"@cloudflare/vite-plugin": patch
+---
+
+Only forward `/cdn-cgi/handler/` routes to trigger handlers.

packages/miniflare/src/workers/core/entry.worker.ts

@@ -430,6 +430,13 @@ export default <ExportedHandler<Env>>{
 						ctx
 					);
 				}
+
+				if (url.pathname.startsWith("/cdn-cgi/handler/")) {
+					return new Response(
+						`"${url.pathname}" is not a valid handler. Did you mean to use "/cdn-cgi/handler/scheduled" or "/cdn-cgi/handler/email"?`,
+						{ status: 404 }
+					);
+				}
 			}
 
 			let response = await service.fetch(request);

packages/miniflare/test/index.spec.ts

@@ -1736,6 +1736,47 @@ This is a random email body.
 	t.is(await res.text(), "true");
 });
 
+test("Miniflare: unimplemented /cdn-cgi/handler/ routes", async (t) => {
+	const mf = new Miniflare({
+		modules: true,
+		script: `
+			export default {
+				fetch() {
+					return new Response("Hello world");
+				}
+			}
+		`,
+		unsafeTriggerHandlers: true,
+	});
+	t.teardown(() => mf.dispose());
+
+	const res = await mf.dispatchFetch("http://localhost/cdn-cgi/handler/foo");
+	t.is(
+		await res.text(),
+		`"/cdn-cgi/handler/foo" is not a valid handler. Did you mean to use "/cdn-cgi/handler/scheduled" or "/cdn-cgi/handler/email"?`
+	);
+	t.is(res.status, 404);
+});
+
+test("Miniflare: other /cdn-cgi/ routes", async (t) => {
+	const mf = new Miniflare({
+		modules: true,
+		script: `
+			export default {
+				fetch() {
+					return new Response("Hello world");
+				}
+			}
+		`,
+		unsafeTriggerHandlers: true,
+	});
+	t.teardown(() => mf.dispose());
+
+	const res = await mf.dispatchFetch("http://localhost/cdn-cgi/foo");
+	t.is(await res.text(), "Hello world");
+	t.is(res.status, 200);
+});
+
 test("Miniflare: listens on ipv6", async (t) => {
 	const log = new TestLog(t);
 

packages/vite-plugin-cloudflare/src/index.ts

@@ -595,19 +595,25 @@ export function cloudflare(pluginConfig: PluginConfig = {}): vite.Plugin[] {
 					const entryWorkerName = entryWorkerConfig.name;
 
 					// cron && email triggers
-					viteDevServer.middlewares.use("/cdn-cgi/", (req, res, next) => {
-						const requestHandler = createRequestHandler((request) => {
-							assert(miniflare, `Miniflare not defined`);
-
-							// set the target service that handles these requests
-							// to point to the User Worker (see `getTargetService` fn in
-							// `packages/miniflare/src/workers/core/entry.worker.ts`)
-							request.headers.set(CoreHeaders.ROUTE_OVERRIDE, entryWorkerName);
-							return miniflare.dispatchFetch(request, { redirect: "manual" });
-						});
-
-						requestHandler(req, res, next);
-					});
+					viteDevServer.middlewares.use(
+						"/cdn-cgi/handler/",
+						(req, res, next) => {
+							const requestHandler = createRequestHandler((request) => {
+								assert(miniflare, `Miniflare not defined`);
+
+								// set the target service that handles these requests
+								// to point to the User Worker (see `getTargetService` fn in
+								// `packages/miniflare/src/workers/core/entry.worker.ts`)
+								request.headers.set(
+									CoreHeaders.ROUTE_OVERRIDE,
+									entryWorkerName
+								);
+								return miniflare.dispatchFetch(request, { redirect: "manual" });
+							});
+
+							requestHandler(req, res, next);
+						}
+					);
 				}
 			},
 		},