SECURITY: 413 for GET, HEAD or DELETE requests with payload.

SECURITY: 413 for GET, HEAD or DELETE requests with payload.

diff --git a/lib/middleware/anonymous_cache.rb b/lib/middleware/anonymous_cache.rb
index 4e9b74b..814cf0c 100644
--- a/lib/middleware/anonymous_cache.rb
+++ b/lib/middleware/anonymous_cache.rb
@@ -307,7 +307,15 @@ module Middleware
       @app = app
     end
 
+    PAYLOAD_INVALID_REQUEST_METHODS = ["GET", "DELETE", "HEAD"]
+
     def call(env)
+      if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
+        env[Rack::RACK_INPUT].size > 0
+
+        return [413, {}, []]
+      end
+
       helper = Helper.new(env)
       force_anon = false
 
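Review bot: `env[Rack::RACK_INPUT].size` depends on a method the Rack SPEC does not require of `rack.input` (only `gets`, `each`, `read` and `rewind` are mandated), so an input wrapper from a different server or a test double can raise NoMethodError before the guard ever returns, and in recent Rack versions `rack.input` can, as far as I recall, be absent from the env altogether. A tolerant form keeps the same decision: `input = env[Rack::RACK_INPUT]` followed by `if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) && input.respond_to?(:size) && input.size > 0`. The new constant above `call` is a mutable array; `PAYLOAD_INVALID_REQUEST_METHODS = %w[GET DELETE HEAD].freeze` prevents it being altered at runtime. `call`'s body continues past the end of the hunk.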
diff --git a/spec/components/middleware/anonymous_cache_spec.rb b/spec/components/middleware/anonymous_cache_spec.rb
index 94db541..2d27f99 100644
--- a/spec/components/middleware/anonymous_cache_spec.rb
+++ b/spec/components/middleware/anonymous_cache_spec.rb
@@ -195,6 +195,16 @@ describe Middleware::AnonymousCache do
     end
   end
 
+  context 'invalid request payload' do
+    it 'returns 413 for GET request with payload' do
+      status, _, _ = middleware.call(env.tap do |environment|
+        environment[Rack::RACK_INPUT].write("test")
+      end)
+
+      expect(status).to eq(413)
+    end
+  end
+
   context "crawler blocking" do
     let :non_crawler do
       {
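Review bot: The new example covers only the GET case of the guard, leaving HEAD and DELETE from PAYLOAD_INVALID_REQUEST_METHODS unasserted, and there is no negative case showing that a payload-less GET or a POST with a body still reaches the cache logic, so a check that was broadened or inverted would still pass. Assuming the shared `env` defaults to GET, wrapping the example in `%w[GET HEAD DELETE].each do |method|` and setting `environment[Rack::REQUEST_METHOD] = method` inside the existing `tap`, plus a sibling `it` expecting a non-413 status when nothing is written to `RACK_INPUT`, would pin the intended behaviour. The `status, _, _ =` destructuring can be shortened to `status, = middleware.call(...)`.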

GitHub sha: 105d5601
