Hi all, I’ve got a script about as simple as possible on the internet-facing side. It has a form for accepting file uploads. The uploads are sent via a form action of POST, sending content type multipart/form-data. If the files are text, it works fine. If the files are binary (mostly used for images and PDFs), they get intercepted by the Cloudflare WAF, specifically numerous OWASP rules that are part of the managed rules.
I’d prefer to not turn off the firewall on this URI, or the whole site.
What I’m confused about is why an image upload would trigger rules like RCE bypass, XSS attack in HTML tag handler, and six different flavors of SQL injection.
Is CF’s WAF simply incompatible with the uploading of files and I have no option but to disable every rule those trigger?
Thank you for reaching out to us. Cloudflare’s WAF uses a set of managed rules to detect and block potentially malicious traffic. These rules include checks for common web vulnerabilities like Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection. Binary file uploads might be triggering these rules due to the way the WAF inspects multipart/form-data payloads. Sometimes, the binary data might contain byte sequences that resemble attack patterns, even though they are harmless.
Have you considered adding an exception for the specific path that is being triggered by the Managed Rules?
That would not be ideal because the purpose of having the CF WAF is to protect the application. If it generates 10+ false positives for a post of binary data, and I have to turn each of those rules off, it eliminates the value of the WAF.
There’s no proper solution because CF doesn’t seem to have an interest in fixing this. 920270 is typically one of the rules that triggers on file uploads, which means it’s being applied to the request body. That conflicts with how the OWASP ruleset, that rule specifically, says it should be applied:
# 920270: PL1 : REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES
# ASCII 1-255 : Full ASCII range without null character
It’s not intended to be used on request body, yet CF does.
Anyway, setting the paranoia level down to PL1 from PL2 will likely make most of the headaches go away, without having to turn rules off completely as CF support will tell you to do. The downside to that is, of course, that you do not get the higher security of PL2. Alternatively, you’d need an explicit file upload endpoint that has been given a skip rule for the OWASP ruleset.
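The effect described in the reply above, a rule documented for the URI, headers and arguments firing on a binary request body, can be reproduced offline. The following is an added example, not code from this thread, from Cloudflare or from the OWASP CRS: it splits a constructed multipart/form-data body into its parts and applies the byte range 920270 documents (ASCII 1-255, no null byte) to each part's payload. The text field passes, while the PNG upload trips the check at the IHDR chunk length, where null bytes are a normal part of the format.

```python
import re

NULL_BYTE = 0  # 920270 allows ASCII 1-255, so only a null byte falls outside the range

# Constructed sample request body (boundary, field names and bytes are made up for this example):
# one text field plus a PNG upload consisting of the PNG signature and the IHDR chunk length.
BOUNDARY = b"constructedBoundary1234"
SAMPLE_BODY = b"".join([
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="description"\r\n\r\n',
    b"holiday photo\r\n",
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="file"; filename="photo.png"\r\n',
    b"Content-Type: image/png\r\n\r\n",
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\r\n",  # signature + 4-byte length 13, which contains nulls
    b"--" + BOUNDARY + b"--\r\n",
])


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into (field name, filename or None, payload) tuples."""
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:          # drop anything before the first boundary
        if chunk.startswith(b"--"):                  # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):                # CRLF that follows the boundary line
            chunk = chunk[2:]
        headers, _, payload = chunk.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):                # CRLF that precedes the next boundary
            payload = payload[:-2]
        name = re.search(rb';\s*name="([^"]*)"', headers)
        filename = re.search(rb';\s*filename="([^"]*)"', headers)
        parts.append((name.group(1).decode() if name else "",
                      filename.group(1).decode() if filename else None,
                      payload))
    return parts


def rule_920270_offsets(payload):
    """Offsets of bytes outside the ASCII 1-255 range the rule documents, i.e. null bytes."""
    return [i for i, b in enumerate(payload) if b == NULL_BYTE]


def scan_body(body, boundary):
    """Apply the 920270 byte-range check to every part's payload, as a body-wide WAF would."""
    return {name: rule_920270_offsets(payload) for name, _, payload in parse_multipart(body, boundary)}


if __name__ == "__main__":
    for field, offsets in scan_body(SAMPLE_BODY, BOUNDARY).items():
        print(f"{field}: {'triggers 920270 at ' + str(offsets) if offsets else 'passes'}")
```

Any real PDF or image will contain null bytes well before the WAF reaches anything that resembles an actual payload, which is why a body-wide application of this rule cannot be tuned away per file type; an exception scoped to the upload endpoint or a lower paranoia level are the only two levers left.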