From a6ee6920e28135c2673d71cd669afdef33a6edf2 Mon Sep 17 00:00:00 2001
From: "Matthew M. Keeler"
Date: Wed, 5 Feb 2025 13:04:51 -0500
Subject: [PATCH] fix: Mitigate web cache poisoning for `/sdk/goals` endpoint (#475)

Client SDKs communicating with the `/sdk/goals` endpoint rely on a reverse proxy to our upstream endpoints. These requests make use of a caching transport as a way to try and reduce traffic. This cache was keyed solely on the request path, allowing a malicious actor to "poison" the cache by making a request with a valid `If-None-Match` header. The proxy would pass through the request as is, receive a `304 NOT MODIFIED` from upstream, then dutifully cache the response. When a subsequent request came through, even without the `If-None-Match` header, the cached response would be loaded, the previously seen `ETag` header would be loaded and sent forward, resulting in an invalid `304 NOT MODIFIED` response.

To mitigate this, we are removing the intermediate caching transport. Removing this seemingly would increase traffic to our upstream endpoints as we are removing a caching layer. However, the `/sdk/goals` endpoint returns a `Cache-Control: max-age=0`, which undermined the original intent of the caching transport. As a result, all calls are being directly proxied regardless.
---
 go.mod         | 2 +-
 relay/relay.go | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 4a340b4f..a92256ff 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/gomodule/redigo v1.8.9
 	github.com/google/uuid v1.5.0 // indirect
 	github.com/gorilla/mux v1.8.0
-	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/hashicorp/consul/api v1.25.1
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-hclog v1.5.0 // indirect
diff --git a/relay/relay.go b/relay/relay.go
index db617e58..65b8be7c 100644
--- a/relay/relay.go
+++ b/relay/relay.go
@@ -14,7 +14,6 @@ import (
 	"github.com/launchdarkly/ld-relay/v8/internal/projmanager"
-	"github.com/gregjones/httpcache"
 	"github.com/launchdarkly/ld-relay/v8/config"
 	"github.com/launchdarkly/ld-relay/v8/internal/autoconfig"
 	"github.com/launchdarkly/ld-relay/v8/internal/basictypes"
@@ -416,7 +415,6 @@ func (r *Relay) addEnvironment(
 	jsClientContext.Origins = envConfig.AllowedOrigin.Values()
 	jsClientContext.Headers = envConfig.AllowedHeader.Values()
-	cachingTransport := httpcache.NewMemoryCacheTransport()
 	jsClientContext.Proxy = &httputil.ReverseProxy{
 		Director: func(req *http.Request) {
 			url := req.URL
@@ -433,7 +431,6 @@ func (r *Relay) addEnvironment(
 			}
 			return nil
 		},
-		Transport: cachingTransport,
 	}
 }
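Review bot: Nothing in the new code records why the `ReverseProxy` is now built without a `Transport`, so a later contributor reading only relay.go could reintroduce a shared caching transport and reopen the issue; a short comment where the `Transport: cachingTransport,` line was removed (last hunk) would pin the reasoning, e.g. `// Transport is deliberately nil (http.DefaultTransport): a caching transport keyed only on the request path let a 304 obtained with one client's If-None-Match be replayed to clients that sent none (#475), and upstream answers with Cache-Control: max-age=0 anyway.` The same reasoning applies to the removed `cachingTransport :=` line in the preceding hunk; one comment at the literal is enough. The diff also carries no regression test; a handler-level test that sends a request with `If-None-Match`, then one without it, and asserts the second still gets a 200 with a body would keep this from coming back. `addEnvironment` and the `ReverseProxy` literal begin before these hunks, and the `Director` and the callback that ends with `return nil` are only partially visible, so I cannot confirm no other caching layer remains on that path.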