SECURITY: theme key should be an anon cache breaker

lib/middleware/anonymous_cache.rb

@@ -15,6 +15,7 @@ class Helper
 
       def initialize(env)
         @env = env
+        @request = Rack::Request.new(env)
       end
 
       def is_mobile=(val)
@@ -54,7 +55,16 @@ def is_crawler?
       end
 
       def cache_key
-        @cache_key ||= "ANON_CACHE_#{@env["HTTP_ACCEPT"]}_#{@env["HTTP_HOST"]}#{@env["REQUEST_URI"]}|m=#{is_mobile?}|c=#{is_crawler?}|b=#{has_brotli?}"
+        @cache_key ||= "ANON_CACHE_#{@env["HTTP_ACCEPT"]}_#{@env["HTTP_HOST"]}#{@env["REQUEST_URI"]}|m=#{is_mobile?}|c=#{is_crawler?}|b=#{has_brotli?}|t=#{theme_key}"
+      end
+
+      def theme_key
+        key = @request.cookies['theme_key']
+        if key && Guardian.new.allow_theme?(key)
+          key
+        else
+          nil
+        end
       end
 
       def cache_key_body

spec/components/middleware/anonymous_cache_spec.rb

@@ -31,6 +31,21 @@ def new_helper(opts={})
     end
   end
 
+  context "per theme cache" do
+    it "handles theme keys" do
+      theme = Theme.create(name: "test", user_id: -1, user_selectable: true)
+
+      with_bad_theme_key = new_helper("HTTP_COOKIE" => "theme_key=abc").cache_key
+      with_no_theme_key = new_helper().cache_key
+
+      expect(with_bad_theme_key).to eq(with_no_theme_key)
+
+      with_good_theme_key = new_helper("HTTP_COOKIE" => "theme_key=#{theme.key}").cache_key
+
+      expect(with_good_theme_key).not_to eq(with_no_theme_key)
+    end
+  end
+
   context "cached" do
     let!(:helper) do
       new_helper("ANON_CACHE_DURATION" => 10)