Forbid public cache for private repos

When project is public but the repository is private, we don't want to cache it as public. In this case, anybody will be able to see the cached version of the private content during 60s after an eligible user has viewed it.

Forbid public cache for private repos
When project is public but the repository is private, we don't want to cache it as public. In this case, anybody will be able to see the cached version of the private content during 60s after an eligible user has viewed it.
7ceb8f05 · Igor Drozdov · 2f219efa · 7ceb8f05 · 7ceb8f05 · 7ceb8f05
Commit 7ceb8f05 authored Dec 16, 2020 by Igor Drozdov
5 changed files
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -21,7 +21,7 @@ class Projects::RawController < Projects::ApplicationController
  def show
    @blob = @repository.blob_at(@ref, @path)

-    send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: @project.public?)
+    send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: Guest.can?(:download_code, @project))
  end

  private

--- a/app/controllers/projects/repositories_controller.rb
+++ b/app/controllers/projects/repositories_controller.rb
@@ -53,7 +53,7 @@ class Projects::RepositoriesController < Projects::ApplicationController
  end

  def set_cache_headers
-    expires_in cache_max_age(archive_metadata['CommitId']), public: project.public?
+    expires_in cache_max_age(archive_metadata['CommitId']), public: Guest.can?(:download_code, project)
    fresh_when(etag: archive_metadata['ArchivePath'])
  end


--- a/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml
+++ b/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml
+---
+title: Forbid public cache for private repos
+merge_request: 1117
+author:
+type: security
--- a/spec/controllers/projects/raw_controller_spec.rb
+++ b/spec/controllers/projects/raw_controller_spec.rb
@@ -250,6 +250,18 @@ RSpec.describe Projects::RawController do
        expect(response.cache_control[:no_store]).to be_nil
      end

+      context 'when a public project has private repo' do
+        let(:project) { create(:project, :public, :repository, :repository_private) }
+        let(:user) { create(:user, maintainer_projects: [project]) }
+
+        it 'does not set public caching header' do
+          sign_in user
+          request_file
+
+          expect(response.header['Cache-Control']).to include('max-age=60, private')
+        end
+      end
+
      context 'when If-None-Match header is set' do
        it 'returns a 304 status' do
          request_file

--- a/spec/controllers/projects/repositories_controller_spec.rb
+++ b/spec/controllers/projects/repositories_controller_spec.rb
@@ -137,6 +137,18 @@ RSpec.describe Projects::RepositoriesController do
            expect(response.header['ETag']).to be_present
            expect(response.header['Cache-Control']).to include('max-age=60, public')
          end
+
+          context 'and repo is private' do
+            let(:project) { create(:project, :repository, :public, :repository_private) }
+
+            it 'sets appropriate caching headers' do
+              get_archive
+
+              expect(response).to have_gitlab_http_status(:ok)
+              expect(response.header['ETag']).to be_present
+              expect(response.header['Cache-Control']).to include('max-age=60, private')
+            end
+          end
        end

        context 'when ref is a commit SHA' do