caching user markdown by hashcode is unsafe
collisions could be used to replace someone else's text, thanks @revoof
pull/9707/head
parent
967fb3b430
commit
305cf31454
|
@ -79,11 +79,11 @@ object event {
|
|||
private object markdown {
|
||||
import scala.concurrent.duration._
|
||||
private val renderer = new lila.common.Markdown(table = true, list = true)
|
||||
// hashcode caching is safe for official events
|
||||
private val cache = lila.memo.CacheApi.scaffeineNoScheduler
|
||||
.expireAfterAccess(10 minutes)
|
||||
.maximumSize(64)
|
||||
.build[Int, String]()
|
||||
|
||||
def apply(text: String): Frag = raw(cache.get(text.hashCode, _ => renderer("event")(text)))
|
||||
}
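Review bot: The `markdown` cache in `object event` still keys on `text.hashCode`, so its correctness rests entirely on the added comment's assumption about who may author event text. `String.hashCode` is a 32-bit non-cryptographic hash, so two distinct texts can share a key and the second would be served the first one's rendered HTML, which is a correctness bug even among trusted authors. For consistency with the other caches changed in this commit, consider `.build[String, String]()` with `cache.get(text, renderer("event"))`, which makes the trust comment unnecessary. The same reasoning applies to the comment-only change in `BlogTransform`, whose cache construction continues outside its hunk; at minimum both comments should name where the authorship restriction is enforced, so that a later permission change prompts a revisit.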
|
||||
|
||||
|
|
|
@ -240,9 +240,8 @@ object show {
|
|||
private val cache = lila.memo.CacheApi.scaffeineNoScheduler
|
||||
.expireAfterAccess(10 minutes)
|
||||
.maximumSize(1024)
|
||||
.build[Int, String]()
|
||||
|
||||
def apply(text: String): Frag = raw(cache.get(text.hashCode, _ => renderer("team")(text)))
|
||||
.build[String, String]()
|
||||
def apply(text: String): Frag = raw(cache.get(text, renderer("team")))
|
||||
}
|
||||
|
||||
// handle special teams here
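Review bot: With `.build[String, String]()` the cache now retains each full source text as a key alongside its rendered HTML, and `maximumSize(1024)` limits the number of entries, not their size. Retained memory is therefore bounded only if the text length is capped before it reaches `apply`, which is not visible in this hunk. A short comment such as `// keys are full texts: memory is bounded by maximumSize x the max accepted text length` would make that assumption explicit. The same applies to the `ClasMarkup`, `RelayMarkup` and `UblogMarkup` caches in this commit. The enclosing object starts outside the hunk.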
|
||||
|
|
|
@ -17,6 +17,8 @@ object BlogTransform {
|
|||
|
||||
private val renderer = new lila.common.Markdown(table = true)
|
||||
|
||||
// hash code collisions can't be a vector of attack here,
|
||||
// since only lichess team members can write these blog posts
|
||||
private val cache = lila.memo.CacheApi.scaffeineNoScheduler
|
||||
.expireAfterAccess(20 minutes)
|
||||
.maximumSize(64)
|
||||
|
|
|
@ -15,8 +15,7 @@ final class ClasMarkup {
|
|||
private val cache = lila.memo.CacheApi.scaffeineNoScheduler
|
||||
.expireAfterAccess(20 minutes)
|
||||
.maximumSize(512)
|
||||
.build[Int, String]()
|
||||
.build[String, String]()
|
||||
|
||||
def apply(clas: Clas): String =
|
||||
cache.get(clas.wall.hashCode, _ => renderer(s"clas:${clas.id}")(clas.wall))
|
||||
def apply(clas: Clas): String = cache.get(clas.wall, renderer(s"clas:${clas.id}"))
|
||||
}
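Review bot: The cache key is `clas.wall` alone while the loader is `renderer(s"clas:${clas.id}")`, so two classes with identical wall text share one entry, rendered under whichever id was seen first. That is harmless only if the string passed to `renderer` does not influence the produced HTML; it looks like a label, but `lila.common.Markdown` is not shown on this page. A comment such as `// the renderer key does not affect the output, so keying on the text alone is sound` would record that, and if the output can depend on it the key should be `(clas.id, clas.wall)` instead. The same pattern appears in `RelayMarkup` (`tour.id`) and `UblogMarkup` (`post.id`).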
|
||||
|
|
|
@ -16,8 +16,7 @@ final class RelayMarkup {
|
|||
private val cache = lila.memo.CacheApi.scaffeineNoScheduler
|
||||
.expireAfterAccess(20 minutes)
|
||||
.maximumSize(256)
|
||||
.build[Int, String]()
|
||||
.build[String, String]()
|
||||
|
||||
def apply(tour: RelayTour)(markup: String): String =
|
||||
cache.get(markup.hashCode, _ => renderer(s"relay:${tour.id}")(markup))
|
||||
def apply(tour: RelayTour)(markup: String): String = cache.get(markup, renderer(s"relay:${tour.id}"))
|
||||
}
|
||||
|
|
|
@ -18,8 +18,7 @@ final class UblogMarkup {
|
|||
private val cache = lila.memo.CacheApi.scaffeineNoScheduler
|
||||
.expireAfterAccess(20 minutes)
|
||||
.maximumSize(1024)
|
||||
.build[Int, String]()
|
||||
.build[String, String]()
|
||||
|
||||
def apply(post: UblogPost): String =
|
||||
cache.get(post.markdown.hashCode, _ => renderer(s"ublog:${post.id}")(post.markdown))
|
||||
def apply(post: UblogPost): String = cache.get(post.markdown, renderer(s"ublog:${post.id}"))
|
||||
}
|
||||
|
|