fix: backport xss and rce fixes to v7.1
These were fixed in #829 and #833
mhenrixon committed Feb 12, 2024
1 parent f65ecbc commit aaafaf9
Showing 2 changed files with 18 additions and 17 deletions.
31 changes: 16 additions & 15 deletions lib/sidekiq_unique_jobs/web.rb
Expand Up @@ -14,11 +14,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
end

app.get "/changelogs" do
@filter = params[:filter] || "*"
@filter = h(params[:filter] || "*")
@filter = "*" if @filter == ""
@count = (params[:count] || 100).to_i
@current_cursor = params[:cursor]
@prev_cursor = params[:prev_cursor]
@count = h(params[:count] || 100).to_i
@current_cursor = h(params[:cursor])
@prev_cursor = h(params[:prev_cursor])
@total_size, @next_cursor, @changelogs = changelog.page(
cursor: @current_cursor,
pattern: @filter,
Expand All @@ -34,11 +34,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
end

app.get "/locks" do
@filter = params[:filter] || "*"
@filter = h(params[:filter] || "*")
@filter = "*" if @filter == ""
@count = (params[:count] || 100).to_i
@current_cursor = params[:cursor]
@prev_cursor = params[:prev_cursor]
@count = h(params[:count] || 100).to_i
@current_cursor = h(params[:cursor])
@prev_cursor = h(params[:prev_cursor])

@total_size, @next_cursor, @locks = digests.page(
cursor: @current_cursor,
Expand All @@ -50,11 +50,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
end

app.get "/expiring_locks" do
@filter = params[:filter] || "*"
@filter = h(params[:filter] || "*")
@filter = "*" if @filter == ""
@count = (params[:count] || 100).to_i
@current_cursor = params[:cursor]
@prev_cursor = params[:prev_cursor]
@count = h(params[:count] || 100).to_i
@current_cursor = h(params[:cursor])
@prev_cursor = h(params[:prev_cursor])

@total_size, @next_cursor, @locks = expiring_digests.page(
cursor: @current_cursor,
Expand All @@ -72,7 +72,7 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
end

app.get "/locks/:digest" do
@digest = params[:digest]
@digest = h(params[:digest])
@lock = SidekiqUniqueJobs::Lock.new(@digest)

erb(unique_template(:lock))
Expand All @@ -85,9 +85,10 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
end

app.get "/locks/:digest/jobs/:job_id/delete" do
@digest = params[:digest]
@digest = h(params[:digest])
@job_id = h(params[:job_id])
@lock = SidekiqUniqueJobs::Lock.new(@digest)
@lock.unlock(params[:job_id])
@lock.unlock(@job_id)

redirect_to "locks/#{@lock.key}"
end
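Review bot: Applying `h` at the input boundary in the `/locks/:digest/jobs/:job_id/delete` handler (and likewise in `/changelogs`, `/locks`, `/expiring_locks` and `/locks/:digest`) escapes values that are then used as data rather than markup: `@digest` goes to `SidekiqUniqueJobs::Lock.new`, `@job_id` to `@lock.unlock`, and `@filter` becomes the `pattern:` handed to `page`, so any value containing `&`, `<`, `>`, `"` or `'` is rewritten before the lookup and an unlock for such a key silently does nothing. For well-formed hex ids and digests this is harmless, but it means the escape is changing the key, not the output; if `h` coerces with `to_s`, the cursor lines also turn an absent `params[:cursor]` into `""` where the old code passed `nil`, which is worth confirming against `page`. The XSS fix is more robust at the render site: keep the raw parameter for the lookup, e.g. `@digest = params[:digest]` and `@job_id = params[:job_id]`, escape in the ERB templates where these values are interpolated, and reject a digest or job id that does not match the expected key format instead of mutating it. The enclosing `self.registered(app)` method starts before and ends after these hunks.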
4 changes: 2 additions & 2 deletions spec/sidekiq_unique_jobs/web_spec.rb
Expand Up @@ -15,8 +15,8 @@ def app
domain: "foo.com",
path: "/",
expire_after: 2_592_000,
secret: "change_me",
old_secret: "also_change_me"
secret: "change_me" * 16,
old_secret: "also_change_me" * 16

run Sidekiq::Web
end
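Review bot: The lengthened session secrets (`"change_me" * 16`, `"also_change_me" * 16`) carry no explanation of why the length changed; presumably the session middleware behind these options enforces a minimum secret byte length, but a reader of the spec cannot tell that from the line and may shorten it again. A comment on the `secret:` line such as `# padded to satisfy the session middleware's minimum secret length (spec-only value)` would capture the intent; if the exact minimum is known, state it. The enclosing `def app` starts before and ends after this hunk.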
