fix: Accidental cache read via key construction (casbin#330)

* fix: Accidental cache read via key construction Signed-off-by: Tan <2912363476@qq.com> * fix: separator changed from $ to $$ Signed-off-by: Tan <2912363476@qq.com> --------- Signed-off-by: Tan <2912363476@qq.com>
dacongda · Aug 19, 2023 · e36209e · e36209e
1 parent 0eb65c6
commit e36209e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/Casbin.UnitTests/ModelTests/ModelTest.cs b/Casbin.UnitTests/ModelTests/ModelTest.cs
@@ -719,6 +719,16 @@ public void TestBackslashLineFeed()
         TestEnforce(e, "bob", "data2", "write", true);
     }
 
+    [Fact]
+    public void TestAccidentalCacheRead()
+    {
+        Enforcer e = new(_testModelFixture.GetBasicTestModel());
+
+        TestEnforce(e, "alice", "data1", "read", true);
+        TestEnforce(e, "aliced", "ata1", "read", false);
+        TestEnforce(e, "alice", "data", "1read", false);
+    }
+
     public class TestResource
     {
         public TestResource(string name, string owner)

diff --git a/Casbin/Model/Request.cs b/Casbin/Model/Request.cs
@@ -129,7 +129,7 @@ public static bool TryGetStringKey<TRequest>(TRequest requestValues, out string
                     return false;
                 }
 
-                key = string.Concat(values2.Value1, values2.Value2);
+                key = string.Concat(values2.Value1, "$$", values2.Value2);
                 return true;
             case 3:
                 if (requestValues is not RequestValues<string, string, string> values3)
@@ -138,7 +138,7 @@ public static bool TryGetStringKey<TRequest>(TRequest requestValues, out string
                     return false;
                 }
 
-                key = string.Concat(values3.Value1, values3.Value2, values3.Value3);
+                key = string.Concat(values3.Value1, "$$", values3.Value2, "$$", values3.Value3);
                 return true;
             case 4:
                 if (requestValues is not RequestValues<string, string, string, string> values4)
@@ -147,7 +147,7 @@ public static bool TryGetStringKey<TRequest>(TRequest requestValues, out string
                     return false;
                 }
 
-                key = string.Concat(values4.Value1, values4.Value2, values4.Value3, values4.Value4);
+                key = string.Concat(values4.Value1, "$$", values4.Value2, "$$", values4.Value3, "$$", values4.Value4);
                 return true;
         }