[WAF] Add WAF release notes for 2026-07-01 and update scheduled changes #31798

Closed
ay-cf wants to merge 3 commits into production from ay-cf-patch-0630

@ay-cf ay-cf commented Jun 30, 2026

Collaborator

Summary

upload 2 files.
2026-07-01-waf-release.mdx
scheduled-waf-release.mdx

cloudflare-docs-bot Bot commented Jun 30, 2026

Contributor

Review

✅ No issues found in commit 3b6ee3c.

Code Review

This code review is in beta and may not always be helpful — use your judgment.

No code review issues found.

Conventions

Checks PR title, description, and redirect checklist.

No convention issues found.

Style Guide Review

No style-guide issues found.

Redirects

No missing redirect entries found.

Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

| Command | Description |
| --- | --- |
| /review | Runs a review now. Incremental if a prior review exists, full if not. |
| /full-review | Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist. |
| /ignore-review-limit | Permanently lifts the 2-review automatic limit for this PR. Future pushes will trigger reviews as normal. |
| /disable-auto-review | Stops automatic reviews from triggering on future pushes to this PR. Codeowners can still run /review or /full-review manually. |

@github-actions

Contributor

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

| Pattern | Owners |
| --- | --- |
| /src/content/changelog/waf/ | @cloudflare/firewall, @vs-mg, @fb1337, @cloudflare/pm-changelogs, @cloudflare/appsec-reviewers, @elithrar, @cloudflare/product-owners, @hsaxenaCF, @danielegm, @ay-cf |

@ask-bonk ask-bonk Bot left a comment

Contributor

2 critical/high issues need fixing before merge.

  • CRITICAL: Duplicate RuleID in the release note table (both rules share the same ID).
  • HIGH: Action transition description is inconsistent between the opening paragraph, table, and comment.
  • HIGH: The scheduled changes file still contains the Fortinet rule that is now released.

Comment thread src/content/changelog/waf/2026-07-01-waf-release.mdx Outdated
Comment thread src/content/changelog/waf/2026-07-01-waf-release.mdx
Comment thread src/content/changelog/waf/2026-07-01-waf-release.mdx
Comment thread src/content/changelog/waf/scheduled-waf-release.mdx Outdated
@ask-bonk ask-bonk Bot added the changelog label (Adds or updates changelog entries/pages.) Jun 30, 2026

ask-bonk Bot commented Jun 30, 2026

Contributor

PR Review Summary — #31798

Labels applied: changelog

What this PR changes

  • New file: src/content/changelog/waf/2026-07-01-waf-release.mdx — WAF release notes for July 1, 2026, documenting:
    • New Fortinet FortiSandbox path traversal detection (CVE-2026-39813)
    • Disabling the "Fake Bing or MSN Bot" User-Agent anomaly rule
  • Modified file: src/content/changelog/waf/scheduled-waf-release.mdx — Updated title/description to reflect July 6 scheduled window, changed frontmatter date and publish_future_dated_entry flag.

Issues requiring maintainer attention

CRITICAL

  • Duplicate RuleID (src/content/changelog/waf/2026-07-01-waf-release.mdx:44): Both the Fortinet rule and the Fake Bing/MSN Bot rule share the same RuleID 32075e19b1494117ac5915e8d84c92c9. The second rule needs its own unique RuleID.

HIGH

  • Inconsistent action description (2026-07-01-waf-release.mdx:9): The opening paragraph says the transition is "from Block to Disabled," but the table shows "Enabled → Disabled" and the comment says "from BLOCK to Disabled." These should match the table (Enabled → Disabled).
  • Stale scheduled entry (scheduled-waf-release.mdx:24): The Fortinet rule is still listed in scheduled changes with release date 2026-06-29, but it was released on 2026-07-01 in the new release note. Since it is now released, it should be removed from the scheduled changes file.

LOW / Nits

  • "BLOCK" should be "Block" (sentence case) in the table comment for consistency with action naming conventions.
  • Both files are missing trailing newlines.

I posted these findings as inline review comments on the PR.

@ay-cf ay-cf left a comment

Collaborator Author

Updated the rule ID and removed data in the table's row.

@ay-cf ay-cf closed this Jun 30, 2026

ay-cf commented Jun 30, 2026

Collaborator Author

use #31801

Labels

changelog (Adds or updates changelog entries/pages.), product:changelog, size/s