Merge pull request from GHSA-mp38-vprc-7hf5

Ref GHSA-mp38-vprc-7hf5

Author: stsewd

readthedocs/projects/models.py

@@ -1823,6 +1823,7 @@ def add_features(sender, **kwargs):
     ALLOW_FORCED_REDIRECTS = "allow_forced_redirects"
     DISABLE_PAGEVIEWS = "disable_pageviews"
     DISABLE_SPHINX_DOMAINS = "disable_sphinx_domains"
+    RESOLVE_PROJECT_FROM_HEADER = "resolve_project_from_header"
 
     # Versions sync related features
     SKIP_SYNC_TAGS = 'skip_sync_tags'
@@ -1844,6 +1845,7 @@ def add_features(sender, **kwargs):
     DEFAULT_TO_FUZZY_SEARCH = 'default_to_fuzzy_search'
     INDEX_FROM_HTML_FILES = 'index_from_html_files'
 
+    # Build related features
     LIST_PACKAGES_INSTALLED_ENV = "list_packages_installed_env"
     VCS_REMOTE_LISTING = "vcs_remote_listing"
     SPHINX_PARALLEL = "sphinx_parallel"
@@ -1933,6 +1935,10 @@ def add_features(sender, **kwargs):
             DISABLE_SPHINX_DOMAINS,
             _("Disable indexing of sphinx domains"),
         ),
+        (
+            RESOLVE_PROJECT_FROM_HEADER,
+            _("Allow usage of the X-RTD-Slug header"),
+        ),
 
         # Versions sync related features
         (

readthedocs/proxito/middleware.py

@@ -11,6 +11,7 @@
 
 import structlog
 from django.conf import settings
+from django.core.exceptions import SuspiciousOperation
 from django.http import Http404
 from django.shortcuts import redirect, render
 from django.urls import reverse
@@ -24,7 +25,7 @@
     unresolver,
 )
 from readthedocs.core.utils import get_cache_tag
-from readthedocs.projects.models import Domain, Project, ProjectRelationship
+from readthedocs.projects.models import Domain, Feature, Project, ProjectRelationship
 from readthedocs.proxito import constants
 
 log = structlog.get_logger(__name__)  # noqa
@@ -47,15 +48,26 @@ def map_host_to_project(request):  # pylint: disable=too-many-return-statements
     """
 
     host = unresolver.get_domain_from_host(request.get_host())
+    log.bind(host=host)
 
     # Explicit Project slug being passed in.
     if "HTTP_X_RTD_SLUG" in request.META:
         project_slug = request.headers["X-RTD-Slug"].lower()
-        project = Project.objects.filter(slug=project_slug).first()
+        project = Project.objects.filter(
+            slug=project_slug,
+            feature__feature_id=Feature.RESOLVE_PROJECT_FROM_HEADER,
+        ).first()
         if project:
             request.rtdheader = True
-            log.info('Setting project based on X_RTD_SLUG header.', project_slug=project_slug)
+            log.info(
+                "Setting project based on X_RTD_SLUG header.", project_slug=project_slug
+            )
             return project
+        log.warning(
+            "X-RTD-Header passed for project without it enabled.",
+            project_slug=project_slug,
+        )
+        raise SuspiciousOperation("Invalid X-RTD-Slug header.")
 
     try:
         project, domain_object, external_version_slug = unresolver.unresolve_domain(
@@ -248,15 +260,24 @@ def add_cache_headers(self, request, response):
 
         If privacy levels are enabled and the header isn't already present,
         set the cache level to private.
+        Or if the request was from the `X-RTD-Slug` header,
+        we don't cache the response, since we could be caching a response in another domain.
 
         We use ``CDN-Cache-Control``, to control caching at the CDN level only.
         This doesn't affect caching at the browser level (``Cache-Control``).
 
         See https://developers.cloudflare.com/cache/about/cdn-cache-control.
         """
+        header = "CDN-Cache-Control"
+        # Never trust projects resolving from the X-RTD-Slug header,
+        # we don't want to cache their content on domains from other
+        # projects, see GHSA-mp38-vprc-7hf5.
+        if hasattr(request, "rtdheader"):
+            response.headers[header] = "private"
+
         if settings.ALLOW_PRIVATE_REPOS:
             # Set the key to private only if it hasn't already been set by the view.
-            response.headers.setdefault('CDN-Cache-Control', 'private')
+            response.headers.setdefault(header, "private")
 
     def process_request(self, request):  # noqa
         skip = any(

readthedocs/proxito/tests/test_full.py

@@ -1457,6 +1457,21 @@ def test_cache_public_versions_custom_domain(self):
         self.assertEqual(resp.headers['CDN-Cache-Control'], 'public')
         self.assertEqual(resp.headers['Cache-Tag'], 'subproject,subproject:latest')
 
+    def test_cache_disable_on_rtd_header_resolved_project(self):
+        get(
+            Feature,
+            feature_id=Feature.RESOLVE_PROJECT_FROM_HEADER,
+            projects=[self.project],
+        )
+        resp = self.client.get(
+            "/en/latest/index.html",
+            secure=True,
+            HTTP_HOST="docs.example.com",
+            HTTP_X_RTD_SLUG=self.project.slug,
+        )
+        self.assertEqual(resp.headers["CDN-Cache-Control"], "private")
+        self.assertEqual(resp.headers["Cache-Tag"], "project,project:latest")
+
     def test_cache_on_plan(self):
         self.organization = get(Organization)
         self.plan = get(

readthedocs/proxito/tests/test_middleware.py

@@ -2,14 +2,15 @@
 from unittest import mock
 
 import pytest
+from django.core.exceptions import SuspiciousOperation
 from django.http import HttpRequest
 from django.test import TestCase
 from django.test.utils import override_settings
 from django_dynamic_fixture import get
 
 from readthedocs.builds.models import Version
 from readthedocs.projects.constants import PUBLIC
-from readthedocs.projects.models import Domain, Project, ProjectRelationship
+from readthedocs.projects.models import Domain, Feature, Project, ProjectRelationship
 from readthedocs.proxito.middleware import ProxitoMiddleware
 from readthedocs.rtd_tests.base import RequestFactoryTestMixin
 from readthedocs.rtd_tests.storage import BuildMediaFileSystemStorageTest
@@ -163,6 +164,9 @@ def test_subdomain_different_length(self):
         self.assertEqual(request.host_project_slug, 'pip')
 
     def test_request_header(self):
+        get(
+            Feature, feature_id=Feature.RESOLVE_PROJECT_FROM_HEADER, projects=[self.pip]
+        )
         request = self.request(
             method='get', path=self.url, HTTP_HOST='some.random.com', HTTP_X_RTD_SLUG='pip'
         )
@@ -171,6 +175,9 @@ def test_request_header(self):
         self.assertEqual(request.host_project_slug, 'pip')
 
     def test_request_header_uppercase(self):
+        get(
+            Feature, feature_id=Feature.RESOLVE_PROJECT_FROM_HEADER, projects=[self.pip]
+        )
         request = self.request(
             method='get', path=self.url, HTTP_HOST='some.random.com', HTTP_X_RTD_SLUG='PIP'
         )
@@ -179,6 +186,16 @@ def test_request_header_uppercase(self):
         self.assertEqual(request.rtdheader, True)
         self.assertEqual(request.host_project_slug, 'pip')
 
+    def test_request_header_not_allowed(self):
+        request = self.request(
+            method="get",
+            path=self.url,
+            HTTP_HOST="docs.example.com",
+            HTTP_X_RTD_SLUG="pip",
+        )
+        with pytest.raises(SuspiciousOperation):
+            self.run_middleware(request)
+
     def test_long_bad_subdomain(self):
         domain = 'www.pip.dev.readthedocs.io'
         request = self.request(method='get', path=self.url, HTTP_HOST=domain)

readthedocs/proxito/tests/test_old_redirects.py

@@ -16,6 +16,7 @@
 from django.urls import Resolver404
 
 from readthedocs.builds.models import Version
+from readthedocs.projects.models import Feature
 from readthedocs.redirects.models import Redirect
 
 from .base import BaseDocServing
@@ -513,6 +514,11 @@ def test_redirect_recognizes_custom_cname(self):
             from_url='/install.html',
             to_url='/tutorial/install.html',
         )
+        fixture.get(
+            Feature,
+            feature_id=Feature.RESOLVE_PROJECT_FROM_HEADER,
+            projects=[self.project],
+        )
         r = self.client.get(
             '/install.html',
             HTTP_HOST='docs.project.io',
@@ -850,6 +856,11 @@ def test_redirect_recognizes_custom_cname(self):
             to_url="/tutorial/install.html",
             force=True,
         )
+        fixture.get(
+            Feature,
+            feature_id=Feature.RESOLVE_PROJECT_FROM_HEADER,
+            projects=[self.project],
+        )
         r = self.client.get(
             "/en/latest/install.html",
             HTTP_HOST="docs.project.io",