SECURITY: 413 for GET, HEAD or DELETE requests with payload.

This commit is contained in:
Guo Xiang Tan 2020-08-03 14:11:17 +08:00
parent 3260865697
commit 4342d08edd
No known key found for this signature in database
GPG Key ID: FBD110179AAC1F20
2 changed files with 18 additions and 0 deletions


@ -297,7 +297,15 @@ module Middleware
@app = app
end
PAYLOAD_INVALID_REQUEST_METHODS = ["GET", "DELETE", "HEAD"]
def call(env)
if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
env[Rack::RACK_INPUT].size > 0
return [413, {}, []]
end
helper = Helper.new(env)
force_anon = false
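Review bot: The new guard at `env[Rack::RACK_INPUT].size > 0` depends on `size`, which is not part of the Rack SPEC contract for `rack.input` (only `gets`, `each`, `read`, `rewind` and `close` are required), so a server or wrapper whose input object omits it (`Rack::Lint`'s input wrapper, as far as I recall) would raise NoMethodError for every GET/HEAD/DELETE instead of returning 413 — a crash on the hot path rather than a rejection. A portable form falls back to the declared length: `input = env[Rack::RACK_INPUT]` and `(input.respond_to?(:size) ? input.size : env["CONTENT_LENGTH"].to_i) > 0`, keeping the buffered-size check where it exists. Listing DELETE alongside GET and HEAD also deserves a comment, since RFC 7231 does not forbid a DELETE body and some HTTP clients send one; something like `# DELETE is included on the assumption that none of our clients send a body with it — confirm` would record why. The body of `call` continues past the hunk; the check runs before `Helper.new(env)`, so nothing below it sees a rejected request.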


@ -169,6 +169,16 @@ describe Middleware::AnonymousCache do
end
end
context 'invalid request payload' do
it 'returns 413 for GET request with payload' do
status, _, _ = middleware.call(env.tap do |environment|
environment[Rack::RACK_INPUT].write("test")
end)
expect(status).to eq(413)
end
end
context "crawler blocking" do
let :non_crawler do
{
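Review bot: The added example only exercises GET, while `PAYLOAD_INVALID_REQUEST_METHODS` in the middleware and the commit title also cover HEAD and DELETE, so a regression that drops either method from the list would still pass this spec. There is also no case showing that a POST with a body still reaches the app, which is what protects against the new check over-rejecting. I would loop the example over the three methods and add the POST pass-through case, assuming the `env` helper (defined above the hunk) lets `Rack::REQUEST_METHOD` be overridden on the environment hash. The enclosing `describe` block and the `env`/`middleware` helpers start outside the hunk.
```ruby
context 'invalid request payload' do
  %w[GET HEAD DELETE].each do |method|
    it "returns 413 for #{method} request with payload" do
      status, _, _ = middleware.call(env.tap do |environment|
        environment[Rack::REQUEST_METHOD] = method
        environment[Rack::RACK_INPUT].write("test")
      end)
      expect(status).to eq(413)
    end
  end

  it 'does not return 413 for POST request with payload' do
    status, _, _ = middleware.call(env.tap do |environment|
      environment[Rack::REQUEST_METHOD] = "POST"
      environment[Rack::RACK_INPUT].write("test")
    end)
    expect(status).not_to eq(413)
  end
end
```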