aspnetcore
Cannot do request filtering on invalid requests as blazor expects to use the fallback
Is there an existing issue for this?
- [X] I have searched the existing issues
Describe the bug
Hi!
We have a blazor server application which is public facing - fairly large, with multiple forms and various third party services / integrations we communicate with. We have a few controllers and in general it's working alright. However, we have recently discovered that we get quite a few different POST requests from more or less malicious actors to our endpoint, and they're not hitting any of our controllers, but are instead routed to the _Host path, as this is the default fallback page.
We want to filter out all unexpected requests with a middleware, but we cannot make an effective filter that doesn't impact the blazor server application, as it expects the use of the fallback.
The documentation states this:
The consequence of this is that we cannot distinguish between blazor server requests and bogus requests done with normal HTTP.
We want to be able to pass blazor server requests to the /_host path, and only allow GET requests to end up in the fallback. Is there a workaround to handle blazor server requests before they end up in the fallback?
We found no documentation regarding native blazor requests and their parameters / paths. We know of a few, like _blazor/disconnect, _blazor/reconnect, _blazor/connect etc., but are there some that do not rely on the _blazor prefix, and optionally, other postfixes than the ones mentioned?
Expected Behavior
Expected behaviour is that it should be possible to allow blazor server requests to be redirected to the "_host" endpoint before hitting the fallback to the host file.
Steps To Reproduce
Create a default .NET 7 blazor server app. Create a simple POST request in Postman or similar, with form content (any content will do). Write a simple middleware to stop POST requests with form content (and return 4xx). Start the application and notice that the blazor server app doesn't work correctly, as it depends on reaching the fallback.
Exceptions (if any)
No response
.NET Version
7
Anything else?
No response
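
Added example, not part of the issue and not code from the aspnetcore repository: one way to write the filter the report asks for, so that only GET/HEAD requests can reach the _Host fallback while other methods are confined to known prefixes. It assumes the Blazor hub is mapped at the default /_blazor path (the prefix named in the issue) and that the application's controllers live under a hypothetical /api prefix.

```csharp
// Program.cs for a .NET 7 Blazor Server app (added example; prefixes are assumptions).
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();
builder.Services.AddControllers();

var app = builder.Build();

// Prefixes allowed to receive non-GET requests.
// "/_blazor" is the hub prefix named in the issue; "/api" is a hypothetical
// controller prefix and must be replaced with the app's real controller routes.
PathString[] nonGetAllowed = { "/_blazor", "/api" };

app.UseStaticFiles();

// Runs before routing, so a rejected request never reaches the fallback page.
app.Use(async (context, next) =>
{
    var method = context.Request.Method;
    bool readOnly = HttpMethods.IsGet(method) || HttpMethods.IsHead(method);

    // StartsWithSegments matches whole path segments, case-insensitively,
    // so "/_blazorx" or "/apiary" do not slip through.
    bool allowedPrefix = nonGetAllowed.Any(
        p => context.Request.Path.StartsWithSegments(p));

    if (!readOnly && !allowedPrefix)
    {
        // Anything else (for example a form POST to "/") stops here.
        context.Response.StatusCode = StatusCodes.Status405MethodNotAllowed;
        context.Response.Headers.Allow = "GET, HEAD";
        return;
    }

    await next(context);
});

app.UseRouting();
app.MapControllers();
app.MapBlazorHub();               // default hub path: /_blazor
app.MapFallbackToPage("/_Host");  // now reachable with GET/HEAD only
app.Run();
```

Logging the rejected method and path inside the `if` branch gives a record of the unexpected POST traffic described in the report.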