SECURITY: theme key should be an anon cache breaker

2017-06-15 09:36:27 -04:00 · 2017-06-15 09:36:27 -04:00 · ac1f84d3e1
parent 8f48c20598
commit ac1f84d3e1
2 changed files with 26 additions and 1 deletions
--- a/lib/middleware/anonymous_cache.rb
+++ b/lib/middleware/anonymous_cache.rb
@ -15,6 +15,7 @@ module Middleware

      def initialize(env)
        @env = env
+        @request = Rack::Request.new(env)
      end

      def is_mobile=(val)
@ -54,7 +55,16 @@ module Middleware
      end

      def cache_key
-        @cache_key ||= "ANON_CACHE_#{@env["HTTP_ACCEPT"]}_#{@env["HTTP_HOST"]}#{@env["REQUEST_URI"]}|m=#{is_mobile?}|c=#{is_crawler?}|b=#{has_brotli?}"
+        @cache_key ||= "ANON_CACHE_#{@env["HTTP_ACCEPT"]}_#{@env["HTTP_HOST"]}#{@env["REQUEST_URI"]}|m=#{is_mobile?}|c=#{is_crawler?}|b=#{has_brotli?}|t=#{theme_key}"
+      end
+
+      def theme_key
+        key = @request.cookies['theme_key']
+        if key && Guardian.new.allow_theme?(key)
+          key
+        else
+          nil
+        end
      end

      def cache_key_body
--- a/spec/components/middleware/anonymous_cache_spec.rb
+++ b/spec/components/middleware/anonymous_cache_spec.rb
@ -31,6 +31,21 @@ describe Middleware::AnonymousCache::Helper do
    end
  end

+  context "per theme cache" do
+    it "handles theme keys" do
+      theme = Theme.create(name: "test", user_id: -1, user_selectable: true)
+
+      with_bad_theme_key = new_helper("HTTP_COOKIE" => "theme_key=abc").cache_key
+      with_no_theme_key = new_helper().cache_key
+
+      expect(with_bad_theme_key).to eq(with_no_theme_key)
+
+      with_good_theme_key = new_helper("HTTP_COOKIE" => "theme_key=#{theme.key}").cache_key
+
+      expect(with_good_theme_key).not_to eq(with_no_theme_key)
+    end
+  end
+
  context "cached" do
    let!(:helper) do
      new_helper("ANON_CACHE_DURATION" => 10)