Disable caching on repo/blobs/[sha]/raw endpoint

Caching of file contents creates an inconsistency in the value of the `Content-Disposition` header, allowing files that should only be sent as attachment to instead be returned as inline, causing them to be evaluated and executed by the receiving client. This is due to how gitaly and the main Rails application coordinate around evaluating etags for content freshness. This fix addresses the issue by removing caching from this endpoint, but does not address the underlying issue (namely that Rails can not accurately determine the file type of the requested content, thus can not be responsible for determining appropriate or safe Content-Disposition.)

Disable caching on repo/blobs/[sha]/raw endpoint
Caching of file contents creates an inconsistency in the value of the `Content-Disposition` header, allowing files that should only be sent as attachment to instead be returned as inline, causing them to be evaluated and executed by the receiving client. This is due to how gitaly and the main Rails application coordinate around evaluating etags for content freshness. This fix addresses the issue by removing caching from this endpoint, but does not address the underlying issue (namely that Rails can not accurately determine the file type of the requested content, thus can not be responsible for determining appropriate or safe Content-Disposition.)
4157435e · Kerri Miller · c036703a · 4157435e · 4157435e · 4157435e
Commit 4157435e authored Mar 26, 2020 by Kerri Miller
4 changed files
--- a/changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml
+++ b/changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml
+---
+title: Disable caching on repo/blobs/[sha]/raw endpoint
+merge_request:
+author:
+type: security
--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -6,6 +6,8 @@ module API
  class Repositories < Grape::API
    include PaginationParams

+    helpers ::API::Helpers::HeadersHelpers
+
    before { authorize! :download_code, user_project }

    params do
@@ -67,6 +69,8 @@ module API
      get ':id/repository/blobs/:sha/raw' do
        assign_blob_vars!

+        no_cache_headers
+
        send_git_blob @repo, @blob
      end


--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -177,6 +177,12 @@ describe API::Repositories do
        expect(headers['Content-Disposition']).to eq 'inline'
      end

+      it_behaves_like 'uncached response' do
+        before do
+          get api(route, current_user)
+        end
+      end
+
      context 'when sha does not exist' do
        it_behaves_like '404 response' do
          let(:request) { get api(route.sub(sample_blob.oid, 'abcd9876'), current_user) }

--- a/spec/support/shared_examples/uncached_response_shared_examples.rb
+++ b/spec/support/shared_examples/uncached_response_shared_examples.rb
+# frozen_string_literal: true
+#
+# Pairs with lib/gitlab/no_cache_headers.rb
+#
+
+RSpec.shared_examples 'uncached response' do
+  it 'defines an uncached header response' do
+    expect(response.headers["Cache-Control"]).to include("no-store", "no-cache")
+    expect(response.headers["Pragma"]).to eq("no-cache")
+    expect(response.headers["Expires"]).to eq("Fri, 01 Jan 1990 00:00:00 GMT")
+  end
+end