`concat​()` in JS blocked by Cloudflare.

neqis
neqis

While saving a DST, I was blocked by Cloudflare Ray (id 70aaf98fcbb0608f). It appears to have been caused by the presence of concat​() in the script, which was defining a method in an object literal using the shorthand syntax. Submitting the following as the JS for a DST is enough to trigger the block:

let range = {
concat​() {},
};

Even previewing this post triggered the block; I put some zero-width space characters between the concat and the () everywhere it appears (including the title) so as to be able to post this.

The block isn't triggered by other names that I had, nor if the longhand syntax is used for concat, nor if there are any characters between concat and ():

let range = {
concat: function () {},
concat () {}, /* this also works */
over() { },
};

A bit of trial and error running through the MySQL string functions uncovered some other names that trigger the block: ascii, char, substr, substring.

With the above workarounds, I was able to save my DST update. It should still be reported to CloudFlare so they can fix the false positives (and the false negatives from adding spaces between names and parentheses).

Comments

  • neqis
    neqis
    Posts: 28 edited May 20

    Here's another sequence that triggers a block (same ID as before). If a submission has something that looks like a base tag, followed by an href, it gets blocked. As with concat, this happens for DST JS and forum posts. Here's a code sample that would trigger the block (though the < has been replaced with \u2C2, "modified letter left arrowhead", to avoid the block):

    ˂base>
    href

    The string that looks like a base tag is closed, but the block is still triggered.

    These two character sequences don't need to be anywhere near each other. In my actual code that triggered the block, the following two lines were separated by hundreds of lines but still triggered the block:

    return new RegExp(`^(?:dsf_)?dyn_(?˂base>${base})_(?&lt;i>\\d+)(?:_(?&lt;key>.*))?$`);
    $context.find('.dsf_psyche').wrap(`&lt;a href="/characters/${psyche_slug}">&lt;/a>`);

    Note the first line doesn't have a base tag, but a named regex group.

    Post edited by neqis on
  • neqis
    neqis
    Posts: 28 edited June 2

    Here's an odd one: constructor․prototype (note: full stop "\u2E" has been replaced with one dot leader "\u2024") triggers a block (ray ID 714dc57f6de002d8). Adding whitespace still triggers the block. Bracket syntax (e.g. target['constructor'].prototype) doesn't trigger the block, so can be used as a workaround for now.

    The other two make some sense, as one could be part of an SQL injection, the other HTML injection to get around CORS (or load alternate resources), but what vulnerability this could be an exploit for, I have almost no idea, especially compared to its utility. Prevent monkey patching some builtin with an unnamed constructor (e.g. GeneratorFunction)?

    Post edited by neqis on
  • thaen
    thaen
    Posts: 960

    Thanks for posting these!  Sorry I'm only just now seeing them.  The Bug Reports category had been archived for some reason, so it wasn't showing up in the list of "unread posts" that I usually check.  It's now un-archived, so it shows up in that list now.

    For the first two (May 13 and May 20), we only get access to Ray ID lookups for 72 hours back, so I can't see what rule caused those.  If you run into them again, post again, and I'll track them down then.

    For this last one (June 2), I found the rule and disabled it, so it shouldn't give you trouble now.  Let me know if it does.

    As far as I can see, we're only able to apply the rules to the whole site or not at all, and there are a ton of "standard rules" that get applied and then you have to disable the ones you don't want.

     

    Obsidian Portal Developer

  • neqis
    neqis
    Posts: 28

    Here's a new ray ID for concat: 71664234498b8f50

    I'm no longer getting a block for <base> href

  • thaen
    thaen
    Posts: 960

    Thanks!  I disabled the rule for that Ray ID.  Let me know if you're still getting blocked for that same thing.  This was the one that was creating the blocks for "concat()" too.

    Obsidian Portal Developer

  • neqis
    neqis
    Posts: 28

    The block on <base> href is back. Please check Ray ID 737a13b6ab38c711. The other two sequences, concat() and constructor.prototype, are allowed.

  • neqis
    neqis
    Posts: 28 edited August 30

    Curiously, the block doesn't appear to trigger when posting to the forums, but does when saving a DST or posting a DM: <base> href

    Newest ray ID: 74302d11dd9c087d

    Post edited by neqis on
  • thaen
    thaen
    Posts: 960

    Thanks for pointing it out!  Should be working now.  Let me know if it's not.

    Obsidian Portal Developer

Sign In or Register to comment.

September 2022
Merovia

Read the feature post on the blog
Return to Obsidian Portal

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Discussions