cds-snc / platform-forms-client

NextJS application that serves the public-facing website for Forms
https://forms-staging.cdssandbox.xyz/
MIT License

AWS WAF blocking file uploads #434

Closed bryan-robitaille closed 2 years ago

bryan-robitaille commented 3 years ago

AWS Web Application Firewall is blocking some file uploads due to a positive detection of AWS#AWSManagedRulesCommonRuleSet#CrossSiteScripting_BODY. This is due to image files having random characters in their metadata, which can lead to false detections. https://aws.amazon.com/premiumsupport/knowledge-center/waf-upload-blocked-files/

bryan-robitaille commented 3 years ago

Also blocking on AWS#AWSManagedRulesCommonRuleSet#GenericLFI_BODY

patheard commented 2 years ago

Related to cds-snc/platform-sre-security-support#47

patheard commented 2 years ago

Some possible solutions to exclude only GenericLFI_BODY for specific URLs: cds-snc/platform-sre-security-support#49

patheard commented 2 years ago

The label_match_statement is now part of the latest AWS Terraform provider, so you can use something like the following to exclude WAF ACL managed rules from specific URLs only:

https://github.com/cds-snc/platform-sre-security-support/issues/49#issuecomment-993877133

It's working nicely in Articles.
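A Terraform sketch of the label-match approach the comment above links to, written for this issue and not taken from the linked repository or the Forms code base. The rule name, the metric name and the upload path `/api/upload` are assumptions, and it presumes the AWSManagedRulesCommonRuleSet rule in the same web ACL already overrides GenericLFI_BODY to count so that a match only attaches a label instead of blocking.

```hcl
# Prerequisite, inside the managed-rule-group rule of the same aws_wafv2_web_acl:
#   rule_action_override {
#     name = "GenericLFI_BODY"
#     action_to_use { count {} }
#   }
# With the managed rule counting rather than blocking, a body match only attaches
# the label awswaf:managed:aws:core-rule-set:GenericLFI_Body (note the label uses
# "Body" while the rule name uses "BODY"). The rule below re-applies the block
# decision for every request that carries the label, except upload requests.
rule {
  name     = "block-generic-lfi-except-uploads" # assumed name
  priority = 2 # must run after the managed rule group that sets the label
  action { block {} }

  statement {
    and_statement {
      # Request was flagged by the counted GenericLFI_BODY rule.
      statement {
        label_match_statement {
          scope = "LABEL"
          key   = "awswaf:managed:aws:core-rule-set:GenericLFI_Body"
        }
      }
      # ...and it is NOT the file-upload endpoint, which is allowed through.
      statement {
        not_statement {
          statement {
            byte_match_statement {
              positional_constraint = "STARTS_WITH"
              search_string         = "/api/upload" # assumed upload path
              field_to_match { uri_path {} }
              text_transformation {
                priority = 0
                type     = "NONE"
              }
            }
          }
        }
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "block-generic-lfi-except-uploads" # assumed
    sampled_requests_enabled   = true
  }
}
```

Upload requests that matched GenericLFI_BODY still reach the WAF logs carrying the label, so the exclusion stays observable without blocking the upload.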