cubing / cubing.js

🛠 A library for displaying and working with twisty puzzles. Also currently home to the code for Twizzle.
https://js.cubing.net/cubing/
GNU General Public License v3.0

[Twizzle issue] Twizzle deployment 500's for Square-1 reconstructions #314

Closed (lgarron closed this 5 months ago)

lgarron commented 5 months ago

Steps to reproduce the issue

  1. Run the dev server and go to http://cubing.localhost:3333/alpha.twizzle.net/edit/?puzzle=square1&setup-alg=%284%2C+6%29+%2F+%282%2C+-1%29+%2F+%28-3%2C+0%29+%2F+%280%2C+-3%29+%2F+%281%2C+-5%29+%2F+%283%2C+0%29+%2F+%280%2C+-4%29+%2F+%28-3%2C+-3%29+%2F+%28-1%2C+-2%29+%2F+%282%2C+0%29+%2F+%28-4%2C+0%29+%2F+%28-4%2C+-4%29&alg=%282%2C+0%29+%2F+%280%2C+-4%29+%2F+%281%2C+0%29+%2F
  2. Go to https://alpha.twizzle.net/edit/?puzzle=square1&setup-alg=%284%2C+6%29+%2F+%282%2C+-1%29+%2F+%28-3%2C+0%29+%2F+%280%2C+-3%29+%2F+%281%2C+-5%29+%2F+%283%2C+0%29+%2F+%280%2C+-4%29+%2F+%28-3%2C+-3%29+%2F+%28-1%2C+-2%29+%2F+%282%2C+0%29+%2F+%28-4%2C+0%29+%2F+%28-4%2C+-4%29&alg=%282%2C+0%29+%2F+%280%2C+-4%29+%2F+%281%2C+0%29+%2F

Observed behaviour

The second URL results in a 500 (internal server error). Something about the URL is tripping up Dreamhost.

🖼 Screenshots

No response

Expected behaviour

No 500 error.

Browser & operating system

Chrome 120 on macOS 14.2.1

Additional info

No response

lgarron commented 5 months ago

The simplest repro seems to be to have moves on either side of a / in Square-1, for both the setup and the alg:

https://alpha.twizzle.net/edit/?puzzle=square1&setup-alg=%283%2C+3%29+%2F+%283%2C+3%29&alg=%28-3%2C+3%29+%2F+%28-3%2C+3%29

Given the escaped URI components, I don't see how this could be happening unless Dreamhost is trying to parse the parameters. That sounds… concerning? Those parameters should be opaque to the hosting server.
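
As an added example (not part of the issue or of cubing.js), here is how to decode the minimal repro URL and check its query parameters against an allowlist grammar for Square-1 notation, which is what a narrowly scoped WAF exception or a server-side check would want to see instead of a generic "attack" signal. The tokenizer, the `ALG_PARAMS` list and the turn-range limit are my assumptions, not cubing.js's own alg parser.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Minimal repro URL quoted in the issue; the query is plain Square-1 notation.
REPRO_URL = (
    "https://alpha.twizzle.net/edit/?puzzle=square1"
    "&setup-alg=%283%2C+3%29+%2F+%283%2C+3%29"
    "&alg=%28-3%2C+3%29+%2F+%28-3%2C+3%29"
)
ALG_PARAMS = ("setup-alg", "alg")  # parameters that carry alg notation (assumed)

# One token: a "(top, bottom)" turn, a "/" slice, or any other non-space char.
_TOKEN = re.compile(r"\(\s*(-?\d+)\s*,\s*(-?\d+)\s*\)|(/)|(\S)")


def decode_query(url):
    """Return the query string as {name: value}, as the client-side app sees it."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def parse_square1_alg(alg):
    """Tokenize "(a, b) / (c, d)" into ("turn", a, b) / ("slice",) tuples; ValueError otherwise."""
    tokens = []
    for m in _TOKEN.finditer(alg):
        if m.group(3):
            tokens.append(("slice",))
        elif m.group(4):
            raise ValueError(f"not Square-1 notation at offset {m.start()}: {m.group(4)!r}")
        else:
            top, bottom = int(m.group(1)), int(m.group(2))
            # Turns are in 30-degree steps; |value| >= 12 is a full rotation
            # or more and is rejected as malformed (assumed limit).
            if abs(top) >= 12 or abs(bottom) >= 12:
                raise ValueError(f"turn out of range: {m.group(0)!r}")
            tokens.append(("turn", top, bottom))
    return tokens


def is_square1_alg(alg):
    """True if alg is well-formed Square-1 notation, False otherwise."""
    try:
        parse_square1_alg(alg)
        return True
    except ValueError:
        return False


def check_alg_params(url):
    """Map each alg-carrying parameter present in the URL to its validity."""
    query = decode_query(url)
    return {name: is_square1_alg(query[name]) for name in ALG_PARAMS if name in query}
```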

lgarron commented 5 months ago

Woah, it seems to be tripping a ModSecurity false positive:

[Sat Jan 20 15:36:15.217532 2024] [:error] [pid 264179:tid 115252986328832] [client 76.103.226.2:57127] [client 76.103.226.2] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "alpha.twizzle.net"] [uri "/edit/"] [unique_id "ZaxY7xkx7RLuKnzAM5@SgQAAAAE"], referer: https://github.com/cubing/cubing.js/issues/314

lgarron commented 5 months ago

Okay, I've disabled ModSecurity. We don't have server-side handling for Twizzle anyhow, and fortunately this kind of stuff is my day job expertise.