From 4342d08edde5694f6071d3c702d4a379643c54d5 Mon Sep 17 00:00:00 2001
From: Guo Xiang Tan
Date: Mon, 3 Aug 2020 14:11:17 +0800
Subject: [PATCH] SECURITY: 413 for GET, HEAD or DELETE requests with payload.
---
 lib/middleware/anonymous_cache.rb | 8 ++++++++
 spec/components/middleware/anonymous_cache_spec.rb | 10 ++++++++++
 2 files changed, 18 insertions(+)
diff --git a/lib/middleware/anonymous_cache.rb b/lib/middleware/anonymous_cache.rb
index 8f1e75606a9..700588d72c9 100644
--- a/lib/middleware/anonymous_cache.rb
+++ b/lib/middleware/anonymous_cache.rb
@@ -297,7 +297,15 @@ module Middleware
 @app = app
 end
+ PAYLOAD_INVALID_REQUEST_METHODS = ["GET", "DELETE", "HEAD"]
+
 def call(env)
+ if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
+ env[Rack::RACK_INPUT].size > 0
+ return [413, {}, []]
+ end
+
 helper = Helper.new(env)
 force_anon = false
diff --git a/spec/components/middleware/anonymous_cache_spec.rb b/spec/components/middleware/anonymous_cache_spec.rb
index 2eb18825d94..d81d883f242 100644
--- a/spec/components/middleware/anonymous_cache_spec.rb
+++ b/spec/components/middleware/anonymous_cache_spec.rb
@@ -169,6 +169,16 @@ describe Middleware::AnonymousCache do
 end
 end
+ context 'invalid request payload' do
+ it 'returns 413 for GET request with payload' do
+ status, _, _ = middleware.call(env.tap do |environment|
+ environment[Rack::RACK_INPUT].write("test")
+ end)
+
+ expect(status).to eq(413)
+ end
+ end
+
 context "crawler blocking" do
 let :non_crawler do
 {
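Review bot: The new guard in `call` relies on `env[Rack::RACK_INPUT].size`, but the Rack input specification guarantees only `gets`, `each`, `read` and `rewind` on `rack.input`; `Rack::Lint`'s input wrapper, for one, does not respond to `size`, so under such a wrapper every GET, HEAD or DELETE would fail with NoMethodError instead of being served or rejected. A spec-safe first check is the declared length, consulting the input object only when it can answer: `input = env[Rack::RACK_INPUT]` / `has_body = env[Rack::CONTENT_LENGTH].to_i > 0 || (input.respond_to?(:size) && input.size > 0)`. On a streaming input wrapper `size` may also have to consume the whole body before it can answer, which is presumably what this middleware wants to avoid — worth confirming against the app server in use. Smaller points: `PAYLOAD_INVALID_REQUEST_METHODS` should be `%w[GET DELETE HEAD].freeze`, and the continuation line of the condition should be indented one level deeper than the `if`. The rest of `call` continues outside the hunk.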
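Review bot: The new example covers only GET, while the guard it exercises lists DELETE and HEAD as well; one example per method, or a shared example iterated over `%w[GET DELETE HEAD]`, keeps the constant and the spec in step. There is also no negative example, so a regression that returned 413 for every GET would not be caught; add `it 'passes through a GET without payload'` asserting the status is not 413 when nothing is written to `rack.input`. The `env.tap` block writes to `rack.input` without rewinding, which is fine for a size check but worth a one-line comment if the app under test is ever expected to read that body. The enclosing `describe` block starts and ends outside the hunk.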