From aaafaf94ae25904f26c0e42c013366fb46b513ad Mon Sep 17 00:00:00 2001
From: mhenrixon
Date: Mon, 12 Feb 2024 21:11:38 +0200
Subject: [PATCH] fix: backport xss and rce fixes to v7.1

This was fixed in #829 and #833
---
 lib/sidekiq_unique_jobs/web.rb | 31 ++++++++++++++--------------
 spec/sidekiq_unique_jobs/web_spec.rb | 4 ++--
 2 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/lib/sidekiq_unique_jobs/web.rb b/lib/sidekiq_unique_jobs/web.rb
index 06a2d21a3..be14cbb5c 100644
--- a/lib/sidekiq_unique_jobs/web.rb
+++ b/lib/sidekiq_unique_jobs/web.rb
@@ -14,11 +14,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
 end
 app.get "/changelogs" do
- @filter = params[:filter] || "*"
+ @filter = h(params[:filter] || "*")
 @filter = "*" if @filter == ""
- @count = (params[:count] || 100).to_i
- @current_cursor = params[:cursor]
- @prev_cursor = params[:prev_cursor]
+ @count = h(params[:count] || 100).to_i
+ @current_cursor = h(params[:cursor])
+ @prev_cursor = h(params[:prev_cursor])
 @total_size, @next_cursor, @changelogs = changelog.page(
 cursor: @current_cursor,
 pattern: @filter,
@@ -34,11 +34,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
 end
 app.get "/locks" do
- @filter = params[:filter] || "*"
+ @filter = h(params[:filter] || "*")
 @filter = "*" if @filter == ""
- @count = (params[:count] || 100).to_i
- @current_cursor = params[:cursor]
- @prev_cursor = params[:prev_cursor]
+ @count = h(params[:count] || 100).to_i
+ @current_cursor = h(params[:cursor])
+ @prev_cursor = h(params[:prev_cursor])
 @total_size, @next_cursor, @locks = digests.page(
 cursor: @current_cursor,
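Review bot: `h()` is applied when the parameters are read, but `@filter` and `@current_cursor` are then handed to `changelog.page(cursor:, pattern:)` as data rather than rendered, so a filter containing `&`, `<`, `>`, `"` or `'` is rewritten (e.g. `&` to `&amp;`) before it is used as the match pattern, and, if `h` is the usual `Rack::Utils.escape_html` wrapper, a missing `cursor` param now arrives as `""` instead of `nil`. HTML-escaping belongs at the output point (`<%= h(@filter) %>` in the template); if the templates already escape, these values will render double-escaped (`&amp;amp;`). Escaping `@count` is moot because `.to_i` keeps only leading digits; a bound would be the more useful check there, e.g. `@count = (params[:count] || 100).to_i.clamp(1, 1000)`, since the value is presumably forwarded as the scan page size. The same pattern appears in the `/locks` and `/expiring_locks` hunks. The enclosing `self.registered` block starts before and ends after this hunk.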
@@ -50,11 +50,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
 end
 app.get "/expiring_locks" do
- @filter = params[:filter] || "*"
+ @filter = h(params[:filter] || "*")
 @filter = "*" if @filter == ""
- @count = (params[:count] || 100).to_i
- @current_cursor = params[:cursor]
- @prev_cursor = params[:prev_cursor]
+ @count = h(params[:count] || 100).to_i
+ @current_cursor = h(params[:cursor])
+ @prev_cursor = h(params[:prev_cursor])
 @total_size, @next_cursor, @locks = expiring_digests.page(
 cursor: @current_cursor,
@@ -72,7 +72,7 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
 end
 app.get "/locks/:digest" do
- @digest = params[:digest]
+ @digest = h(params[:digest])
 @lock = SidekiqUniqueJobs::Lock.new(@digest)
 erb(unique_template(:lock))
@@ -85,9 +85,10 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
 end
 app.get "/locks/:digest/jobs/:job_id/delete" do
- @digest = params[:digest]
+ @digest = h(params[:digest])
+ @job_id = h(params[:job_id])
 @lock = SidekiqUniqueJobs::Lock.new(@digest)
- @lock.unlock(params[:job_id])
+ @lock.unlock(@job_id)
 redirect_to "locks/#{@lock.key}"
 end
diff --git a/spec/sidekiq_unique_jobs/web_spec.rb b/spec/sidekiq_unique_jobs/web_spec.rb
index f0801806a..c005817b2 100644
--- a/spec/sidekiq_unique_jobs/web_spec.rb
+++ b/spec/sidekiq_unique_jobs/web_spec.rb
@@ -15,8 +15,8 @@ def app
 domain: "foo.com",
 path: "/",
 expire_after: 2_592_000,
- secret: "change_me",
- old_secret: "also_change_me"
+ secret: "change_me" * 16,
+ old_secret: "also_change_me" * 16
 run Sidekiq::Web
 end
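Review bot: The new `@job_id = h(params[:job_id])` means `@lock.unlock` receives the HTML-escaped form of the submitted id, so an id containing `&`, `<`, `>` or quotes is silently altered before the unlock instead of being rejected, and the same applies to `@digest` feeding `SidekiqUniqueJobs::Lock.new` in this hunk and the `/locks/:digest` hunk. If ids on this route are always Sidekiq JIDs (24 hex characters), validating the shape is the stronger check: `@job_id = params[:job_id].to_s[/\A\h{24}\z/]` and skipping the unlock when it is `nil`. Separately, this route mutates state on a GET, which form-based CSRF protection does not cover; a POST carrying the web UI's CSRF token would be the safer shape for `delete`. The enclosing `self.registered` block starts before and ends after this hunk.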
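Review bot: `"change_me" * 16` reads as a magic repetition; a comment saying why the fixture was lengthened would save the next reader from guessing, e.g. `# padded to satisfy the session middleware's minimum secret length; test-only value`. Repetition adds length but no entropy, so this value must stay confined to the spec and never be copied into a deployable session configuration. The enclosing `app` method starts before this hunk.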