POST method request will delete existing cache

[fdiary]

Hi,

POST method request will delete existing cache with the same URL, i.e. anyone can flush the cache of any URL by simply sending a POST method request, that is not an expected behaviour, I believe.

This is the behaviour with the configuration where proxy.config.http.cache.post_method is 0 (the default value).

$ curl -v --output /dev/null http://cacheable.example.com/ |& grep age:
age: 0 <-- initial request, thus fresh response
$ curl -v --output /dev/null http://cacheable.example.com/ |& grep age:
age: 1 <-- cached response
$ curl -X POST -v --output /dev/null http://cacheable.example.com/ |& grep age:
age: 0 <-- fresh response, because POST is not cachable
$ curl -v --output /dev/null http://cacheable.example.com/ |& grep age:
age: 0 <-- fresh response, because the existing cache was deleted by POST request above

This is because is_method_cacheable is false for POST method request

trafficserver/proxy/http/HttpTransactHeaders.cc

Line 44 in 3bb1ae9

HttpTransactHeaders::is_method_cacheable(const HttpConfigParams *http_config_param, const int method)

but does_method_require_cache_copy_deletion is true

trafficserver/proxy/http/HttpTransact.cc

Line 666 in 3bb1ae9

does_method_require_cache_copy_deletion(const HttpConfigParams *http_config_param, const int method)

that is called in issue_revalidate where the existing cache will be deleted.

trafficserver/proxy/http/HttpTransact.cc

Line 2419 in 3bb1ae9

if (does_method_require_cache_copy_deletion(s->http_config_param, s->method)) {

(does_method_require_cache_copy_deletion is also used in HandleCacheOpenReadMiss, where it just does CACHE_DO_NO_ACTION.)

trafficserver/proxy/http/HttpTransact.cc

Line 3262 in 3bb1ae9

if (does_method_require_cache_copy_deletion(s->http_config_param, s->method) && s->api_req_cacheable == false) {

For now I am not sure what is the right way to fix this issue. does_method_require_cache_copy_deletion should exclude cases where is_method_cacheable is true ? Or issue_revalidate should delete cache only when both is_method_cacheable and does_method_require_cache_copy_deletion are true ?

Thanks in advance !

Kazuhiko

[bryancall]

@fdiary We should delete the cache entry after receiving a 2xx response from the origin.

[fdiary]

@bryancall (by default) ATS does not cache POST request response. Why do you think we "should" delete the existing cache generated by GET request response with such non-cacheable request ?

[bneradt]

I've written an AuTest that reproduces this on a local branch. I'm now considering how ATS's behavior should change.

I agree with @bryancall 's comment: that is, we should delete the cached entry if a 2xx is received from the server to a POST. The problem with keeping the cached content valid is that the POST potentially invalidates the resource because POST is an unsafe method.

Consider this sequence:

1. A client performs a GET request for resource A.
2. The server responds and we cache the response.
3. A client performs a POST request for the same resource, resource A.
4. The server updates its state for A. Future GET requests for A now receive a different value from the server than the one responded to in step 1 above.
5. A client repeats step 1, performing a GET request for resource A.

How should ATS respond to this GET request? It should not serve out of the cache the response received from the server in step 2 since that response has been invalidated.

However, we don't want to invalidate such entries to previous GET requests if the POST failed (i.e., if the server responds with a non-2xx response). That would be too aggressive, and that is what we currently do.

The RFC seems to describe this proposed behavior here:

https://datatracker.ietf.org/doc/html/rfc7234#section-4.4

Because unsafe request methods (Section 4.2.1 of [RFC7231]) such as
PUT, POST or DELETE have the potential for changing state on the
origin server, intervening caches can use them to keep their contents
up to date.

...

A cache MUST invalidate the effective request URI (Section 5.5 of
[RFC7230]) when it receives a non-error response to a request with a
method whose safety is unknown.

Here, a "non-error response" is one with a 2xx (Successful) or 3xx
(Redirection) status code. "Invalidate" means that the cache will
either remove all stored responses related to the effective request
URI or will mark these as "invalid" and in need of a mandatory
validation before they can be sent in response to a subsequent
request.

[vpelletier]

While further investigating this issue with @fdiary, I noticed this part also in rfc7234 section-4.4 (emphasis mine):

A cache MUST invalidate the effective Request URI (Section 5.5 of
[RFC7230]) as well as the URI(s) in the Location and Content-Location
response header fields (if present) when a non-error status code is
received in response to an unsafe request method.

I was under the initial impression that POST responses should only invalidate the cache when they contain Location and/or Content-Location and then only the resources they identify would be invalidated (and not the Request URI).

We now believe the original reason for the present bug report was misguided: invalidating the Request URI of a POST request is RFC-compliant, and it is up to us to direct POSTs to URIs which we do not want to invalidate.

The efficiency of us changing our POST URIs kind of depends on error statuses not invalidating the resources, otherwise a malicious (...for a rather tame meaning of "malicious", I believe) client can evict arbitrary entries from the cache by sending POST requests on URIs not intended to receiving them even if they correctly reject the POST. Thanks a lot for spotting this.