SECURITY: 413 for GET, HEAD or DELETE requests with payload.

lib/middleware/anonymous_cache.rb

@@ -307,7 +307,15 @@ def initialize(app, settings = {})
       @app = app
     end
 
+    PAYLOAD_INVALID_REQUEST_METHODS = ["GET", "DELETE", "HEAD"]
+
     def call(env)
+      if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
+        env[Rack::RACK_INPUT].size > 0
+
+        return [413, {}, []]
+      end
+
       helper = Helper.new(env)
       force_anon = false
 

spec/components/middleware/anonymous_cache_spec.rb

@@ -195,6 +195,16 @@ def new_helper(opts = {})
     end
   end
 
+  context 'invalid request payload' do
+    it 'returns 413 for GET request with payload' do
+      status, _, _ = middleware.call(env.tap do |environment|
+        environment[Rack::RACK_INPUT].write("test")
+      end)
+
+      expect(status).to eq(413)
+    end
+  end
+
   context "crawler blocking" do
     let :non_crawler do
       {