caching user markdown by hashcode is unsafe

collisions could be used to replace someone else's text thanks @revoof
2021-09-02 11:47:38 +02:00 · 2021-09-02 11:47:38 +02:00 · 305cf31454
parent 967fb3b430
commit 305cf31454
6 changed files with 11 additions and 13 deletions
--- a/app/views/event.scala
+++ b/app/views/event.scala
@ -79,11 +79,11 @@ object event {
  private object markdown {
    import scala.concurrent.duration._
    private val renderer = new lila.common.Markdown(table = true, list = true)
+    // hashcode caching is safe for official events
    private val cache = lila.memo.CacheApi.scaffeineNoScheduler
      .expireAfterAccess(10 minutes)
      .maximumSize(64)
      .build[Int, String]()
-
    def apply(text: String): Frag = raw(cache.get(text.hashCode, _ => renderer("event")(text)))
  }

--- a/app/views/team/show.scala
+++ b/app/views/team/show.scala
@ -240,9 +240,8 @@ object show {
    private val cache = lila.memo.CacheApi.scaffeineNoScheduler
      .expireAfterAccess(10 minutes)
      .maximumSize(1024)
-      .build[Int, String]()
-
-    def apply(text: String): Frag = raw(cache.get(text.hashCode, _ => renderer("team")(text)))
+      .build[String, String]()
+    def apply(text: String): Frag = raw(cache.get(text, renderer("team")))
  }

  // handle special teams here
--- a/modules/blog/src/main/BlogTransform.scala
+++ b/modules/blog/src/main/BlogTransform.scala
@ -17,6 +17,8 @@ object BlogTransform {

    private val renderer = new lila.common.Markdown(table = true)

+    // hash code collisions can't be a vector of attack here,
+    // since only lichess team members can write these blog posts
    private val cache = lila.memo.CacheApi.scaffeineNoScheduler
      .expireAfterAccess(20 minutes)
      .maximumSize(64)
--- a/modules/clas/src/main/ClasMarkup.scala
+++ b/modules/clas/src/main/ClasMarkup.scala
@ -15,8 +15,7 @@ final class ClasMarkup {
  private val cache = lila.memo.CacheApi.scaffeineNoScheduler
    .expireAfterAccess(20 minutes)
    .maximumSize(512)
-    .build[Int, String]()
+    .build[String, String]()

-  def apply(clas: Clas): String =
-    cache.get(clas.wall.hashCode, _ => renderer(s"clas:${clas.id}")(clas.wall))
+  def apply(clas: Clas): String = cache.get(clas.wall, renderer(s"clas:${clas.id}"))
 }
--- a/modules/relay/src/main/RelayMarkup.scala
+++ b/modules/relay/src/main/RelayMarkup.scala
@ -16,8 +16,7 @@ final class RelayMarkup {
  private val cache = lila.memo.CacheApi.scaffeineNoScheduler
    .expireAfterAccess(20 minutes)
    .maximumSize(256)
-    .build[Int, String]()
+    .build[String, String]()

-  def apply(tour: RelayTour)(markup: String): String =
-    cache.get(markup.hashCode, _ => renderer(s"relay:${tour.id}")(markup))
+  def apply(tour: RelayTour)(markup: String): String = cache.get(markup, renderer(s"relay:${tour.id}"))
 }
--- a/modules/ublog/src/main/UblogMarkup.scala
+++ b/modules/ublog/src/main/UblogMarkup.scala
@ -18,8 +18,7 @@ final class UblogMarkup {
  private val cache = lila.memo.CacheApi.scaffeineNoScheduler
    .expireAfterAccess(20 minutes)
    .maximumSize(1024)
-    .build[Int, String]()
+    .build[String, String]()

-  def apply(post: UblogPost): String =
-    cache.get(post.markdown.hashCode, _ => renderer(s"ublog:${post.id}")(post.markdown))
+  def apply(post: UblogPost): String = cache.get(post.markdown, renderer(s"ublog:${post.id}"))
 }