Cache Laravel Package

Getting Started

Minimal Setup

1. Installation (updated for security):

   composer require symfony/cache:^8.1.0-BETA3
   

2. Basic PSR-6 Cache Pool (unchanged):

   use Symfony\Component\Cache\Adapter\FilesystemAdapter;
   
   $cache = new FilesystemAdapter(); // Defaults to `/dev/shm/` or `/tmp/` on Unix
   $cache->set('foo', 'bar', 3600); // Cache for 1 hour
   $value = $cache->get('foo'); // Returns 'bar' or null
   

3. First Use Case (unchanged):

   use Symfony\Component\Cache\Adapter\RedisAdapter;
   
   $redis = new RedisAdapter();
   $cacheKey = 'user_'.$userId;
   
   $data = $redis->get($cacheKey);
   if (!$data) {
       $data = User::find($userId)->toArray();
       $redis->set($cacheKey, $data, 300); // Cache for 5 minutes
   }
   

Implementation Patterns

Core Workflows

1. Adapter Selection (unchanged)

(See previous assessment for table and examples)

2. Tag-Based Invalidation (unchanged)

(See previous assessment for example)

3. Chaining Adapters (unchanged)

(See previous assessment for example, now with resolved expiry propagation)

4. PSR-16 Simple Cache (unchanged)

(See previous assessment for example, now with fixed getMultiple())

5. Locking (unchanged)

(See previous assessment for example)

6. Security: Prefix Validation (NEW)

Critical Fix: The AbstractAdapter::clear() method now validates prefixes to prevent potential security issues (CVE-2026-45073). Ensure your code doesn’t pass unsafe prefixes:

use Symfony\Component\Cache\Adapter\FilesystemAdapter;

// Safe: Uses default prefix
$cache = new FilesystemAdapter();
$cache->clear(); // Validates prefix automatically

// Safe: Custom prefix (validated)
$cache = new FilesystemAdapter('', 3600, 'myapp_');
$cache->clear(); // Validates 'myapp_' prefix

// Unsafe (throws exception in v8.1.0-BETA3+):
// $cache = new FilesystemAdapter('', 3600, '../malicious_prefix');
// $cache->clear(); // Throws InvalidArgumentException

Laravel-Specific Patterns

1. Cache Facade Integration (unchanged)

(See previous assessment for example)

2. Event Caching (unchanged)

(See previous assessment for example)

3. Tag-Aware Cache in Eloquent (unchanged)

(See previous assessment for example, now with fixed reset())

4. Cache Warmup (unchanged)

(See previous assessment for example)

5. Cache Debugging (updated)

Enhanced Stats Collection (unchanged):

use Symfony\Component\Cache\Stats\StatsCollector;

$statsAdapter = new StatsAdapter(new FilesystemAdapter());
$statsAdapter->set('key', 'value', 3600);
$stats = $statsAdapter->getStats(); // Includes hit/miss counts, latency, and memory usage

6. Security: Prefix Validation in Laravel

Laravel-Specific Tip: When using custom cache prefixes in Laravel’s Cache::store() or Cache::prefix(), ensure they comply with Symfony’s validation:

// Safe in Laravel (validated by Symfony under the hood)
Cache::store('redis')->prefix('myapp_')->set('key', 'value');

// Avoid unsafe prefixes (will throw in v8.1.0-BETA3+):
// Cache::store('redis')->prefix('../malicious_')->set('key', 'value');

Gotchas and Tips

Pitfalls

1. Tag Invalidation Race Conditions (unchanged) (See previous assessment for workaround)

2. Expiry in Chained Adapters (resolved) (See previous assessment for fix)

3. Redis Connection Pooling (unchanged) (See previous assessment for fix)

4. APCu Limitations (unchanged) (See previous assessment for fix)

5. Doctrine DBAL Transactions (unchanged) (See previous assessment for fix)

6. PSR-16 getMultiple() (resolved) (See previous assessment for fix)

7. Prefix Validation Security Risk (NEW)

   • Issue: Passing unsafe prefixes (e.g., ../, absolute paths) to AbstractAdapter::clear() can lead to cache directory traversal or other security issues.
   • Fix: Upgrade to v8.1.0-BETA3—Symfony now validates prefixes and throws InvalidArgumentException for unsafe values.
   • Impact: Code using clear() with custom prefixes must ensure they are safe (e.g., alphanumeric + underscores).
   • Example of unsafe code (now throws):

     $cache = new FilesystemAdapter('', 3600, '../malicious_prefix');
     $cache->clear(); // Throws InvalidArgumentException
     

Debugging Tips

1. Enable Cache Logging (unchanged) (See previous assessment for example)

2. Check Cache Hit/Miss Ratios (unchanged) (See previous assessment for example)

3. Validate Redis Keys (unchanged) (See previous assessment for example)

4. Inspect Tag Operations (unchanged) (See previous assessment for example)

5. New: Prefix Validation Debugging If your application uses custom prefixes and encounters InvalidArgumentException in clear(), validate the prefix format:

   $prefix = 'myapp_';
   if (!preg_match('/^[a-zA-Z0-9_\-]+$/', $prefix)) {
       throw new InvalidArgumentException("Invalid cache prefix: {$prefix}");
   }
   

6. Memory Usage Tracking (unchanged) (See previous assessment for example)

Key Changes in v8.1.0-BETA3:

• Security Fix: Added prefix validation in AbstractAdapter::clear() to prevent CVE-2026-45073.
• No breaking changes for normal usage (only affects unsafe prefix handling in clear()).
• Recommended Action: Upgrade to v8.1.0-BETA3 for security hardening, especially if your application uses custom prefixes with clear().