Gutenberg: CloudFlare can unexpectedly block REST API requests

Created on 17 Nov 2017 · 12Comments · Source: WordPress/gutenberg

Issue Overview

Don't save when my list item has parentheses.

Steps to Reproduce

Open the editor
Create an list block
Try to save
Error raise (Can not save)

Expected Behavior

Should save.

Versions

Wordpress 4.9
Gutenberg 1.7.0

REST API Interaction [Status] Duplicate [Type] Bug [Type] Plugin Interoperability

Source

thenets

Most helpful comment

For now, we should solve this problem with documentation. I've captured the CloudFlare issue to #4646

danielbachhuber on 11 Apr 2018

❤2

All 12 comments

Not able to reproduce, can you add more details? Do you see a failing request? Are you able to get the response of the request...?

youknowriad on 20 Nov 2017

I'll check the Apache log later. The Firefox don't return any error log msg.

thenets on 20 Nov 2017

There's no log error on Firefox console or Apache. Can I enable some debug mode on Wordpress?
I'm using the CloudFlare as my proxy. Should it be related to this bug?

thenets on 20 Nov 2017

I'm using the CloudFlare as my proxy. Should it be related to this bug?

Yes, I think it's related. Can you take a look at this issue, there's a workaround there https://github.com/WordPress/gutenberg/issues/2704 (even if it seems CloudFlare is not blocking the API anymore)

youknowriad on 20 Nov 2017

Thanks a lot, @youknowriad!
CloudFlare was the problem. I disable the security request to API and now it's working:

thenets on 20 Nov 2017

Talking with CloudFlare support and later analyzing the "request" content I found the problem with API request. The CloudFlare firewall identifies the Gutenberg request as a possible SQL Injection attack.

The way the requests is made looks like an SQL Injection can be done. Maybe is better encode and strip special chars before sending to Wordpress API.

thenets on 28 Nov 2017

I had a similar problem just this morning in Gutenberg v1.8.0. Setting a background or text color on the block seems to push CloudFlare over the edge. Here's the full JSON export of the triggers that caused this. See: https://gist.github.com/jaswrks/e1985e071502099b53aac01f33b97b27

Inbound Anomaly Score Exceeded (Total Score: 66, SQLi=11, XSS=25)

jaswrks on 29 Nov 2017

I have a similar problem just like @jaswrks . While updating the table or button elements of gutenberg editor. I will get 403 forbidden from cloudflare with

2017-12-12 12 13 33

swarchen on 12 Dec 2017

I'm afraid we can't do anything about this on our side. The REST API should allow storing any post content string and this is not a security issue IMO.

youknowriad on 28 Dec 2017

I wonder if anyone working on the REST API has been in contact with the OWASP team that works on the core ruleset, which is used by Mod Security and many web application firewalls, including CloudFlare. Referencing: https://coreruleset.org/

There's a file in the core ruleset with several WordPress exceptions, and it helps to avoid things like this. However, I don't see that any of the existing rules deal with raw HTML content being POSTd to JSON API endpoints. That seems like a problem.

If we have someone who has a contact at CloudFlare or with the OWASP core ruleset team, it would be awesome if they could inquire about adding JSON API exceptions. That may improve this situation, over time, across many hosts that use the core ruleset, including at CloudFlare.

jaswrks on 2 Jan 2018

👍2

For now, we should solve this problem with documentation. I've captured the CloudFlare issue to #4646

danielbachhuber on 11 Apr 2018

❤2

I had to whitelist my IP address to get this working. The rule that was triggered for me was Rule 981176.