Skip to content

[Security] Due to the default caching of POST requests personal information can be leaked #1434

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Oct 14, 2022
Merged

[Security] Due to the default caching of POST requests personal information can be leaked #1434

merged 6 commits into from
Oct 14, 2022

Conversation

craigpearson
Copy link
Contributor

We've just had a GDPR issue with WooCommerce and Trellis, based on the trellis docs here: https://docs.roots.io/trellis/master/fastcgi-caching/#example-cache-configurations

Specifically for WooCommerce you assume that by adding the skip_cache_uri parameters for WooCommerce is enough, however, POST data can still be stored on another URL, and recalled on an uncached page.

As a result although our checkout page was uncached, the way that WooCommerce outputs data on the checkout page, is to check for POST data containing customer information, if that data exists it outputs it. This is only visible as an issue if you are making requests within the cache window specified.

That POST data can be set on other WooCommerce pages not included in the skip_cache_uri, such as checkout completion.

This could also be a problem for other plugins taking personal data via POST such as Gravity Forms etc. Although Trellis can't account for a users specific configuration, should someone not set a URI where POST data is set in the skip_cache_uri then that data is cached by default and potentially leaked to the world

The caveat to this is, that setting a default of not caching any POST data could result as a bypass to any DDoS protection via POST requests, however this seems like a safer default given the data POST can contain. To get around DDoS concerns we could potentially add an option to enable caching of POST data, but with a warning / disclaimer

@swalkinshaw
Copy link
Member

Wow I'm surprised this has never come up, thank you.

I agree this should be the default.

The caveat to this is, that setting a default of not caching any POST data could result as a bypass to any DDoS protection via POST requests, however this seems like a safer default given the data POST can contain. To get around DDoS concerns we could potentially add an option to enable caching of POST data, but with a warning / disclaimer

I'm not too worried about this since DDoS protection isn't really the purpose of the cache (though I guess a nice bonus if it helps). Plus they could already target non-cached pages. This cache is designed to be conservative and safe by default, which should include these new condition.

@tangrufus
Copy link
Member

tangrufus commented Oct 14, 2022
edited
Loading

How about a allow-list approach?

  set $skip_cache 1;

  # Only allow GET data being held in cache
  if ($request_method = GET) {
      set $skip_cache 0;
  }

Otherwise, we need to handle DELETE as well.

@swalkinshaw
Copy link
Member

@tangrufus I do think that's a better refactor. We can look at that separately after this?

@craigpearson
Copy link
Contributor Author

I think switching the $skip_cache behaviour might be more risky to push through upstream with minimal impact on any existing installs (?) but open to this approach. My thought path is should someone have extra rules in place and we unwittingly reverse those rules due to the new default (although that is probably slim pickings)

I could also tweak the commit to something like so:

# Prevent POST data being held in cache
if ($request_method = POST) {
    set $skip_cache 1;
}

# Prevent common API POST like requests being cached
if ( $request_method = ^(PUT|PATCH|DELETE)$ ) {
   set $skip_cache 1;
}

Untested

@swalkinshaw
Copy link
Member

The grouping + comment is nice 👍

@craigpearson
Condense API POST like requests
3c0be54
@craigpearson
Linting
1bc0724
@craigpearson
Linting again (sorry)
434547a
@craigpearson
Make match case sensitive
0eb7b9a 
As per: https://www.rfc-editor.org/rfc/rfc7231#section-4.1

"The method token is case-sensitive because it might be used as a gateway to object-based systems with case-sensitive method names."
swalkinshaw
swalkinshaw reviewed Oct 14, 2022
View reviewed changes
@swalkinshaw swalkinshaw merged commit e4764e3 into roots:master Oct 14, 2022
@swalkinshaw
Copy link
Member

Thanks @craigpearson 🚀

@PDowney
Copy link

PDowney commented Oct 14, 2022

Adding OPTIONS to that might be a good idea too.

You really only want to be caching GET & HEAD. So that means everything below should skip the cache:

CONNECT
DEBUG
DELETE
MOVE
OPTIONS
PATCH
PUT
TRACE
TRACK

@swalkinshaw swalkinshaw mentioned this pull request Oct 14, 2022
Merged
paulbrzeski pushed a commit to paulbrzeski/trellis that referenced this pull request Mar 3, 2023
@craigpearson @paulbrzeski
[Security] Due to the default caching of POST requests personal infor…
b9e19aa 
…mation can be leaked (roots#1434)

As per: https://www.rfc-editor.org/rfc/rfc7231#section-4.1
paulbrzeski pushed a commit to paulbrzeski/trellis that referenced this pull request Mar 3, 2023
@craigpearson @paulbrzeski
[Security] Due to the default caching of POST requests personal infor…
ea3f133 
…mation can be leaked (roots#1434)

As per: https://www.rfc-editor.org/rfc/rfc7231#section-4.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@swalkinshaw swalkinshaw swalkinshaw left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@craigpearson @swalkinshaw @tangrufus @PDowney