

fix: backport xss and rce fixes to v7.1
This was fixed in #829 and #833
mhenrixon committed Feb 12, 2024
1 parent 81cc875 commit 9f01e23
Showing 3 changed files with 23 additions and 22 deletions.
31 changes: 16 additions & 15 deletions lib/sidekiq_unique_jobs/web.rb
Expand Up @@ -14,11 +14,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
end

app.get "/changelogs" do
@filter = params[:filter] || "*"
@filter = h(params[:filter] || "*")
@filter = "*" if @filter == ""
@count = (params[:count] || 100).to_i
@current_cursor = params[:cursor]
@prev_cursor = params[:prev_cursor]
@count = h(params[:count] || 100).to_i
@current_cursor = h(params[:cursor])
@prev_cursor = h(params[:prev_cursor])
@total_size, @next_cursor, @changelogs = changelog.page(
cursor: @current_cursor,
pattern: @filter,
Expand All @@ -34,11 +34,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
end

app.get "/locks" do
@filter = params[:filter] || "*"
@filter = h(params[:filter] || "*")
@filter = "*" if @filter == ""
@count = (params[:count] || 100).to_i
@current_cursor = params[:cursor]
@prev_cursor = params[:prev_cursor]
@count = h(params[:count] || 100).to_i
@current_cursor = h(params[:cursor])
@prev_cursor = h(params[:prev_cursor])

@total_size, @next_cursor, @locks = digests.page(
cursor: @current_cursor,
Expand All @@ -50,11 +50,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
end

app.get "/expiring_locks" do
@filter = params[:filter] || "*"
@filter = h(params[:filter] || "*")
@filter = "*" if @filter == ""
@count = (params[:count] || 100).to_i
@current_cursor = params[:cursor]
@prev_cursor = params[:prev_cursor]
@count = h(params[:count] || 100).to_i
@current_cursor = h(params[:cursor])
@prev_cursor = h(params[:prev_cursor])

@total_size, @next_cursor, @locks = expiring_digests.page(
cursor: @current_cursor,
Expand All @@ -72,7 +72,7 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
end

app.get "/locks/:digest" do
@digest = params[:digest]
@digest = h(params[:digest])
@lock = SidekiqUniqueJobs::Lock.new(@digest)

erb(unique_template(:lock))
Expand All @@ -85,9 +85,10 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
end

app.get "/locks/:digest/jobs/:job_id/delete" do
@digest = params[:digest]
@digest = h(params[:digest])
@job_id = h(params[:job_id])
@lock = SidekiqUniqueJobs::Lock.new(@digest)
@lock.unlock(params[:job_id])
@lock.unlock(@job_id)

redirect_to "locks/#{@lock.key}"
end
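Review bot: Escaping with `h()` is applied on the way in rather than at render time, so the escaped value is also what is used for data access: `@lock.unlock(@job_id)` on the line before the redirect now receives the HTML-escaped job id, and the same pattern earlier in this section feeds the escaped `@filter` into `changelog.page(pattern:)`, `digests.page` and `expiring_digests.page`, and the escaped `@digest` into `SidekiqUniqueJobs::Lock.new`. Any value containing `&`, `<`, `>`, `"` or `'` would then no longer match its stored key; whether digests, job ids or filter patterns here can contain such characters I cannot tell from the hunk. Keeping the raw parameter for the lookup and escaping only where it is interpolated into the template (`@digest = params[:digest]` here, `<%= h @digest %>` in the view) preserves the XSS fix without changing what is looked up. Separately, if `h` escapes via `to_s` as Rack's `escape_html` does, `h(params[:cursor])` turns a missing parameter into `""` rather than `nil`, which matters if `page` distinguishes the two; `self.registered` continues outside the hunk.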
10 changes: 5 additions & 5 deletions spec/sidekiq_unique_jobs/cli_spec.rb
Expand Up @@ -37,9 +37,9 @@
jobs del PATTERN
Options:
d, [--dry-run], [--no-dry-run] # set to false to perform deletion
c, [--count=N] # The max number of digests to return
# Default: 1000
-d, [--dry-run], [--no-dry-run] # set to false to perform deletion
-c, [--count=N] # The max number of digests to return
# Default: 1000
deletes unique digests from redis by pattern
HEADER
Expand All @@ -55,8 +55,8 @@
jobs list PATTERN
Options:
c, [--count=N] # The max number of digests to return
# Default: 1000
-c, [--count=N] # The max number of digests to return
# Default: 1000
list all unique digests and their expiry time
HEADER
4 changes: 2 additions & 2 deletions spec/sidekiq_unique_jobs/web_spec.rb
Expand Up @@ -15,8 +15,8 @@ def app
domain: "foo.com",
path: "/",
expire_after: 2_592_000,
secret: "change_me",
old_secret: "also_change_me"
secret: "change_me" * 16,
old_secret: "also_change_me" * 16

run Sidekiq::Web
end

