That WAF needs to be tuned. If they’re worried about the possibility of a local file read that can disclose /etc/shadow, there are much bigger issues.

Or it is defense in depth. Although blocking it even if the / is percent encoded seems a bit excessive, especially as a default.

...that's a Cloudflare security page. Is this a default setting for one of Cloudflare's security options, or did Algolia specifically add this to some edge detection worker or something? I'm curious which party is being ridiculous.

I just hit a website I know has an entirely default config on the free plan as https://website/q=cat /etc/shadow and got the same exact error page.

So much for CloudFlare's stance on free speech, I'm being censored for comedy!

(The title is a wordplay on What We Do in the Shadows.)

Joke aside, I can understand why, generally, protecting from /etc/shadow disclosures is a good default, but it should be possible to disable this particular protection. If anyone knows how, that'd be good to share.

EDIT: A bypass has been discovered https://infosec.exchange/@jsmall/109647469548014823

It's a great title

Ohhh Cloudflare. I have to wonder how many sites are left that are actually vulnerable to having their shadow file dumped. Even for the sites that have filesystem traversal vulns, how many of those would cough up something publicly accessible from the shadow file?

That’s so depressing.