pglombardo / PasswordPusher

🔐 Securely share sensitive information with automatic expiration & deletion after a set number of views or duration. Track who, what and when with full audit logs.
https://docs.pwpush.com
Apache License 2.0

Passphrase protected push is not working with Cloudflare Tunnel #2350

Open MiranoVerhoef opened 4 months ago

MiranoVerhoef commented 4 months ago

🐛 Bug Report

When deploying the docker and using its internal IP the passphrase protection is working (filling in a password before showing the actual password). When connecting to it through Cloudflare Tunnel it doesn't work. It just looks like it does nothing. No notification is shown either. So it looks like it's not processing it.

What would be the right settings for the cloudflare tunnel?

🔬 How To Reproduce

Steps to reproduce the behavior:

  1. Deploy docker with preferences set up
  2. Set up Cloudflare tunnel
  3. Connect through external IP

Code sample

Environment

Where are you running/using Password Pusher?

If applicable, what version of Password Pusher? v1.41.15

Screenshots

📈 Expected behavior

It should accept the password and go through to the page where it shows the actual password.

📎 Additional context

github-actions[bot] commented 4 months ago

Hello @MiranoVerhoef, thanks for contributing to the Password Pusher community! We will respond as soon as possible.

pglombardo commented 4 months ago

Hi @MiranoVerhoef - are there any errors in the browser console?

MiranoVerhoef commented 4 months ago

> Hi @MiranoVerhoef - are there any errors in the browser console?

I haven't noticed any errors (log level was on warn).

I could rebuild the test environment if you want me to supply more information.

pglombardo commented 4 months ago

A long shot guess might be blocked cross site scripting requests because of the variation in HTTP host headers.

This error would show up in the browser javascript console as an error though - not in the Docker container logs.

> I could rebuild the test environment if you want me to supply more information.

To diagnose we (either you or I) might have to. I'm a bit tied up today but I'll see if I can figure out how to set up a Cloudflare tunnel (never done it) later today/this week.

MiranoVerhoef commented 4 months ago

Let me spin up a docker, and show you the results!

MiranoVerhoef commented 4 months ago

```
Uncaught (in promise) Error: Could not establish connection. Receiving end does not exist.
    fc moz-extension://be300fa5-05ad-4df5-aa5f-9cb3e0742fe3/javascript/BG.js:2
sendRemoveListener on closed conduit languagetool-webextension@languagetool.org.2748779069558  (3)  ConduitsChild.sys.mjs:122:13
    _send resource://gre/modules/ConduitsChild.sys.mjs:122
    removeListener resource://gre/modules/ExtensionChild.sys.mjs:673
    removeListener resource://gre/modules/ExtensionChild.sys.mjs:929
    register chrome://extensions/content/child/ext-storage.js:163
    removeListener resource://gre/modules/ExtensionCommon.sys.mjs:2957
    revoke resource://gre/modules/ExtensionCommon.sys.mjs:2979
    close resource://gre/modules/ExtensionCommon.sys.mjs:2984
    unload resource://gre/modules/ExtensionCommon.sys.mjs:1019
    close resource://gre/modules/ExtensionContent.sys.mjs:1067
    destroyed resource://gre/modules/ExtensionContent.sys.mjs:1140
    observe resource://gre/modules/ExtensionContent.sys.mjs:1163
Promise rejected after context unloaded: Actor 'Conduits' destroyed before query 'RuntimeMessage' was resolved  (3)  6.js:2
    sendMessage moz-extension://be300fa5-05ad-4df5-aa5f-9cb3e0742fe3/javascript/6.js:2
Promise rejected after context unloaded: Actor 'Conduits' destroyed before query 'RuntimeMessage' was resolved  sso.js:2
    sendMessage moz-extension://be300fa5-05ad-4df5-aa5f-9cb3e0742fe3/content_scripts/sso.js:2
Promise rejected after context unloaded: Actor 'Conduits' destroyed before query 'RuntimeMessage' was resolved  (9)  6.js:2
    sendMessage moz-extension://be300fa5-05ad-4df5-aa5f-9cb3e0742fe3/javascript/6.js:2
[Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIDOMWindowUtils.addSheet]"  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/ExtensionCommon.sys.mjs :: runSafeSyncWithoutClone :: line 61"  data: no]  (5)  ExtensionCommon.sys.mjs:61:12
    runSafeSyncWithoutClone resource://gre/modules/ExtensionCommon.sys.mjs:61
    cssPromise resource://gre/modules/ExtensionContent.sys.mjs:585
Welcome to Password Pusher! ( ◑‿◑)ɔ┏🍟--🍔┑٩(^◡^ )  application-d87c2becacd3dfbaac7976628d5edee5da6640343ba84be52b2c00dd23eca734.js:24:124694
--> 🏝 May all your pushes be stored securely, read once and expired quickly.
```

MiranoVerhoef commented 4 months ago

[image]

Photo for reference

pglombardo commented 4 months ago

That was a quick turn around! Those exceptions are from the Chrome MozBar extension. Could you try in an incognito window with no extensions?

MiranoVerhoef commented 4 months ago

[image] [image]

When doing it in incognito I get no result at all, which is strange.

pglombardo commented 4 months ago

That is weird. Nothing easy unfortunately... You can do a network trace in the "Network" tab, reload the page and submit the passphrase.

You should see the page load and form submission in the network trace. Could you try that?

MiranoVerhoef commented 4 months ago

I have a .HAR file, would you like this?

[image]

pglombardo commented 4 months ago

Hrm no errors? Apologies, I'm tied up with the day job. I'll loop back soon.

If you want you can email the .HAR file to me at pglombardo @ pwpush.com domain.

Better if you send it to me using pwpush.com in a new push. :-)

MiranoVerhoef commented 4 months ago

Sent!

Of course, in a push ;)

pglombardo commented 4 months ago

That helped - thanks. When posting a passphrase, the server responds with a Set Cookie and then redirects to the direct push URL. When serving the direct push URL, the server checks for the cookie.

It seems the cookie isn't being set. Not sure why yet though. Is there any setting in Cloudflare with respect to cookies?

MiranoVerhoef commented 4 months ago

Just checking Cloudflare:

[image] [image] [image]

Doesn't seem to be anything related, whilst using HTTP at least.

pglombardo commented 4 months ago

Slight long shot but try this:

  1. Set the Cloudflare Host Header to the public domain/url you are using (e.g. x.domain.nl)
  2. In Password Pusher set PWP__ALLOWED_HOSTS="x.domain.nl"

I suspect it might be a mismatch that is blocking the cookie.
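Added diagnostic example, not part of this thread or of the Password Pusher code: it checks the passphrase POST described above (a Set-Cookie followed by a redirect) for the things a proxy or tunnel commonly breaks, a missing cookie, a Secure cookie returned over plain http, or a cookie Domain that does not match the public host. The form field name `passphrase` and the request URL are assumptions; the sample headers in the test are constructed.

```python
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def analyze_passphrase_response(status, headers, request_url):
    """Check a passphrase POST response for the Set-Cookie + redirect the
    maintainer describes. `headers` is a list of (name, value) pairs."""
    url = urlparse(request_url)
    findings = {"redirect": 300 <= status < 400, "cookie_set": False, "issues": []}
    set_cookie = [v for k, v in headers if k.lower() == "set-cookie"]
    if not findings["redirect"]:
        findings["issues"].append(f"expected a redirect, got HTTP {status}")
    if not set_cookie:
        findings["issues"].append("no Set-Cookie header on the passphrase response")
        return findings
    findings["cookie_set"] = True
    for raw in set_cookie:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # A Secure cookie delivered over plain http is discarded by the browser.
            if morsel["secure"] and url.scheme != "https":
                findings["issues"].append(f"{name}: Secure flag but request scheme is {url.scheme}")
            # A Domain derived from an internal hostname never matches the tunnel's public host.
            domain = morsel["domain"].lstrip(".")
            if domain and not (url.hostname or "").endswith(domain):
                findings["issues"].append(f"{name}: Domain={domain} does not match host {url.hostname}")
    return findings


def probe(request_url, passphrase, field="passphrase"):
    """Live check against your own deployment: POST the passphrase without
    following the redirect. The form field name is an assumption."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # keep the 3xx so its headers can be inspected

    opener = urllib.request.build_opener(NoRedirect)
    body = urllib.parse.urlencode({field: passphrase}).encode()
    try:
        resp = opener.open(urllib.request.Request(request_url, data=body))
    except urllib.error.HTTPError as err:
        resp = err  # a suppressed 3xx surfaces as HTTPError
    return analyze_passphrase_response(resp.code, list(resp.headers.items()), request_url)
```

Run `probe` once against the internal IP and once through the tunnel and compare the two `issues` lists; the difference points at what the proxy changed.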

MiranoVerhoef commented 4 months ago

Hello,

I will go ahead and try this at the end of the week (we don't use the database variant for security reasons), that's why I cannot change a parameter. Unless it works without rebooting? (using config file)

pglombardo commented 1 week ago

Hi @MiranoVerhoef - did you ever make any progress on this? I may be moving pwpush.com to Cloudflare in the near future.

MiranoVerhoef commented 1 week ago

Hey @pglombardo, I am sorry for my absence in this matter. I remember that I've tried it, but for 2 weeks I have had it running myself. I will be trying what you requested either tonight or tomorrow evening.

Again, sorry for totally forgetting to answer the question above, I will test the case you've just noted above!

pglombardo commented 1 week ago

It's ok - not a problem at all. I was just making sure that I didn't abandon you in the hurricane of supporting this project. :-)

MiranoVerhoef commented 1 week ago

Thank you for reminding me! I will keep in touch :)

MiranoVerhoef commented 1 week ago

Hey @pglombardo

Just tested, I only set this up correctly: host_domain: 'password.*.'

And it all worked fine through Cloudflare

Would it be possible to limit upload size? So I can prevent someone uploading 1GB+?

pglombardo commented 1 week ago

Excellent.

> Would it be possible to limit upload size? So I can prevent someone uploading 1GB+?

This is an area that hasn't been investigated yet. I've had other reports of people who can't upload files larger than 4GB but I think that was an MS Azure storage issue. But tldr; there is no way yet to limit file upload size.

Eventually I could put some Javascript but that could be easily bypassed...

MiranoVerhoef commented 1 week ago

> Excellent.
>
> > Would it be possible to limit upload size? So I can prevent someone uploading 1GB+?
>
> This is an area that hasn't been investigated yet. I've had other reports of people who can't upload files larger than 4GB but I think that was an MS Azure storage issue. But tldr; there is no way yet to limit file upload size.
>
> Eventually I could put some Javascript but that could be easily bypassed...

The reason why I'm asking: Cloudflare tunnel has no download size limit but does have an upload limit, so that's a limitation because it's going through CF's CDN.

pglombardo commented 5 days ago

Hey @MiranoVerhoef - off topic notice. A security research team reported a vulnerability related to proxies here.

In v1.49.0 only local network proxies are trusted by default. For that release and going forward, when using Cloudflare, you will likely have to authorize the external IP to act as a proxy. Documentation here.