SECURITY: Don't reuse CSP nonce between anonymous requests

OsamaSayegh
2023-07-28 12:53:44 +01:00
committed by David Taylor
parent 672f3e7e41
commit 0976c8fad6
15 changed files with 105 additions and 22 deletions


@ -43,6 +43,21 @@ module Middleware
env["ANON_CACHE_DURATION"] = duration
end
def self.clear_all_cache!
if Rails.env.production?
raise "for perf reasons, clear_all_cache! cannot be used in production."
end
Discourse.redis.keys("ANON_CACHE_*").each { |k| Discourse.redis.del(k) }
end
def self.disable_anon_cache
@@disabled = true
end
def self.enable_anon_cache
@@disabled = false
end
# This gives us an API to insert anonymous cache segments
class Helper
RACK_SESSION = "rack.session"
@ -232,7 +247,10 @@ module Middleware
end
def cacheable?
!!(!has_auth_cookie? && get? && no_cache_bypass)
!!(
GlobalSetting.anon_cache_store_threshold > 0 && !has_auth_cookie? && get? &&
no_cache_bypass
)
end
def compress(val)
@ -326,6 +344,8 @@ module Middleware
PAYLOAD_INVALID_REQUEST_METHODS = %w[GET HEAD]
def call(env)
return @app.call(env) if defined?(@@disabled) && @@disabled
if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
env[Rack::RACK_INPUT].size > 0
return 413, { "Cache-Control" => "private, max-age=0, must-revalidate" }, []