AWS WAF Blocks Media Library AJAX Pagination URLs

Open on Drupal.org →

Created on 13 February 2024, 9 months ago

Updated 15 February 2024, 9 months ago

Problem/Motivation

In Drupal 9.5.11, the Media Library AJAX pagination used the POST method. In Drupal 10.1.x, it switched to using the GET method.
With multiple pages in the Media Library, the URLs for these pages become longer and longer. Consequently, these lengthy URLs are being blocked by AWS WAF when following the core ruleset https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-g...
---
SizeRestrictions_QUERYSTRING
Inspects for URI query strings that are over 2,048 bytes.
Rule action: Block
Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_QueryString
--
The specific rule causing the block is the "SizeRestrictions_QUERYSTRING" rule, which checks for URI query strings over 2,048 bytes and blocks them accordingly.

This issue is related to
- Compress ajax_page_state https://www.drupal.org/project/drupal/issues/3348789 📌 Compress ajax_page_state Fixed
- Extremely long Views AJAX query string triggers 403 in AWS https://www.drupal.org/project/drupal/issues/3380486 💬 Extremely long Views AJAX query string triggers 403 in AWS Postponed: needs info

Despite applying a patch to compress libraries in the AjaxPageState https://www.drupal.org/project/drupal/issues/3348789#comment 📌 Compress ajax_page_state Fixed the URL length remains too large. The URL length was reduced from approximately 2600 to 2200 characters, and it still triggers blocks by AWS WAF.

This issue may also be connected to the discussion on allowing AJAX to use GET requests https://www.drupal.org/project/drupal/issues/956186 📌 Allow AJAX to use GET requests Fixed

Proposed resolution

A question/suggestion arises: Wouldn't it be better to handle view ajax pagination with the POST method to avoid such URL length issues altogether?

💬 Support request

Status

Active

Version

10.1 ✨

Component

Last updated 1 day ago

Maintained by
🇩🇪Germany @dawehner
🇺🇸United States @tim.plunkett
🇬🇧United Kingdom @damiankloip
🇺🇸United States @xjm
🇳🇱Netherlands @Lendude

Created by

🇩🇪Germany vesnag

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Comments & Activities

Issue created by @vesnag
Comment 9 months ago →
🇩🇪Germany vesnag
Comment 9 months ago →
cilefen
Can you verify on 10.2 please?
Comment 9 months ago →
🇩🇪Germany vesnag
With the clean install of 10.2.3, the Media Library URL may extend beyond 2000 characters when navigating through pages.
Comment 9 months ago →
🇬🇧United Kingdom longwave UK
This isn't a bug in Drupal, just a false positive in the WAF. I've also run into this as I have sites behind AWS WAF and have had to add exceptions for this rule and the media library URLs (as an aside, editing content in Drupal often triggers false positives in other WAF rules such as XSS, this is not a bug either).

There are lots of different resources to refer to here, but the most up to date standard from https://stackoverflow.com/questions/417142/what-is-the-maximum-length-of... says

It is RECOMMENDED that all senders and recipients support, at a minimum, URIs with lengths of 8000 octets in protocol elements.

so Drupal is not technically doing anything wrong here.
Comment 9 months ago →
🇩🇪Germany vesnag
As already reported here https://www.drupal.org/project/drupal/issues/3403077 🐛 media_library_opener leads to massive GET requests that break varnish etc. Active , GET requests also break Varnish.
Comment 9 months ago →
🇬🇧United Kingdom longwave UK
Well yes, but that's a separate issue; the AWS WAF does not use Varnish.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024