SECURITY: 413 for GET, HEAD or DELETE requests with payload.

2020-08-03 14:11:17 +08:00 · 2020-08-03 14:11:17 +08:00 · 105d560177
parent 32af607b70
commit 105d560177
2 changed files with 18 additions and 0 deletions
--- a/lib/middleware/anonymous_cache.rb
+++ b/lib/middleware/anonymous_cache.rb
@ -307,7 +307,15 @@ module Middleware
      @app = app
    end

+    PAYLOAD_INVALID_REQUEST_METHODS = ["GET", "DELETE", "HEAD"]
+
    def call(env)
+      if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
+        env[Rack::RACK_INPUT].size > 0
+
+        return [413, {}, []]
+      end
+
      helper = Helper.new(env)
      force_anon = false

--- a/spec/components/middleware/anonymous_cache_spec.rb
+++ b/spec/components/middleware/anonymous_cache_spec.rb
@ -195,6 +195,16 @@ describe Middleware::AnonymousCache do
    end
  end

+  context 'invalid request payload' do
+    it 'returns 413 for GET request with payload' do
+      status, _, _ = middleware.call(env.tap do |environment|
+        environment[Rack::RACK_INPUT].write("test")
+      end)
+
+      expect(status).to eq(413)
+    end
+  end
+
  context "crawler blocking" do
    let :non_crawler do
      {