From ec3afd920c1b55843c72f748a87baac7f8be82ed Mon Sep 17 00:00:00 2001
From: Mikael Henriksson
Date: Mon, 5 Feb 2024 17:15:06 +0200
Subject: [PATCH] fix(xss): sanitize parameters (#829)
---
 lib/sidekiq_unique_jobs/web.rb | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/lib/sidekiq_unique_jobs/web.rb b/lib/sidekiq_unique_jobs/web.rb
index ed68a572c..bf515e848 100644
--- a/lib/sidekiq_unique_jobs/web.rb
+++ b/lib/sidekiq_unique_jobs/web.rb
@@ -13,11 +13,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
 end
 app.get "/changelogs" do
- @filter = params[:filter] || "*"
+ @filter = h(params[:filter] || "*")
 @filter = "*" if @filter == ""
- @count = (params[:count] || 100).to_i
- @current_cursor = params[:cursor].to_i
- @prev_cursor = params[:prev_cursor].to_i
+ @count = h(params[:count] || 100).to_i
+ @current_cursor = h(params[:cursor]).to_i
+ @prev_cursor = h(params[:prev_cursor]).to_i
 @total_size, @next_cursor, @changelogs = changelog.page(
 cursor: @current_cursor,
 pattern: @filter,
@@ -33,11 +33,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
 end
 app.get "/locks" do
- @filter = params[:filter] || "*"
+ @filter = h(params[:filter]) || "*"
 @filter = "*" if @filter == ""
- @count = (params[:count] || 100).to_i
- @current_cursor = params[:cursor].to_i
- @prev_cursor = params[:prev_cursor].to_i
+ @count = h(params[:count] || 100).to_i
+ @current_cursor = h(params[:cursor]).to_i
+ @prev_cursor = h(params[:prev_cursor]).to_i
 @total_size, @next_cursor, @locks = digests.page(
 cursor: @current_cursor,
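Review bot: `h` is an HTML output encoder, so applying it in `@filter = h(params[:filter] || "*")` escapes the value before it is handed to `changelog.page` as `pattern:`, meaning a filter containing `&`, `<`, `>`, `"` or `'` is matched in its entity-encoded form, while any template that still echoes `params[...]` directly gains nothing from this change. The escaping belongs at the point of rendering, `<%= h(@filter) %>` in the ERB template, and the numeric fields need nothing beyond the existing `.to_i`, since `h(...).to_i` yields the same integer as `(...).to_i` and only suggests a protection that is not there. The `@@ -33` and `@@ -49` hunks have the same shape but write `h(params[:filter]) || "*"` rather than `h(params[:filter] || "*")`, which is only equivalent if `h(nil)` returns `""` for the following `@filter = "*" if @filter == ""` to normalise, so the two forms should be unified. The `@@ -71` hunk (which continues past the end of this excerpt) applies `h` to `params[:digest]` before `delete_by_digest`, so if digests are looked up by exact key a digest containing an escapable character would no longer be found, while `params[:job_id]` on the same route is passed through unescaped. `registered` itself starts and ends outside every hunk here.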
@@ -49,11 +49,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
 end
 app.get "/expiring_locks" do
- @filter = params[:filter] || "*"
+ @filter = h(params[:filter]) || "*"
 @filter = "*" if @filter == ""
- @count = (params[:count] || 100).to_i
- @current_cursor = params[:cursor].to_i
- @prev_cursor = params[:prev_cursor].to_i
+ @count = h(params[:count] || 100).to_i
+ @current_cursor = h(params[:cursor]).to_i
+ @prev_cursor = h(params[:prev_cursor]).to_i
 @total_size, @next_cursor, @locks = expiring_digests.page(
 cursor: @current_cursor,
@@ -71,20 +71,20 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
 end
 app.get "/locks/:digest" do
- @digest = params[:digest]
+ @digest = h(params[:digest])
 @lock = SidekiqUniqueJobs::Lock.new(@digest)
 erb(unique_template(:lock))
 end
 app.get "/locks/:digest/delete" do
- digests.delete_by_digest(params[:digest])
- expiring_digests.delete_by_digest(params[:digest])
+ digests.delete_by_digest(h(params[:digest]))
+ expiring_digests.delete_by_digest(h(params[:digest]))
 redirect_to :locks
 end
 app.get "/locks/:digest/jobs/:job_id/delete" do
- @digest = params[:digest]
+ @digest = h(params[:digest])
 @lock = SidekiqUniqueJobs::Lock.new(@digest)
 @lock.unlock(params[:job_id])