Add pessimistic regexp on queue name input to avoid XSS, fixes #4852

lib/sidekiq/web/action.rb

@@ -15,7 +15,7 @@ module Sidekiq
     end
 
     def halt(res)
-      throw :halt, res
+      throw :halt, [res, {"Content-Type" => "text/plain"}, [res.to_s]]
     end
 
     def redirect(location)

lib/sidekiq/web/application.rb

@@ -82,10 +82,12 @@ module Sidekiq
       erb(:queues)
     end
 
+    QUEUE_NAME = /\A[a-z_:.\-0-9]+\z/i
+
     get "/queues/:name" do
       @name = route_params[:name]
 
-      halt(404) unless @name
+      halt(404) if !@name || @name !~ QUEUE_NAME
 
       @count = (params["count"] || 25).to_i
       @queue = Sidekiq::Queue.new(@name)

test/test_web.rb

@@ -124,6 +124,13 @@ describe Sidekiq::Web do
   end
 
   it 'handles queue view' do
+    get '/queues/onmouseover=alert()'
+    assert_equal 404, last_response.status
+
+    get '/queues/foo_bar:123-wow.'
+    assert_equal 200, last_response.status
+    assert_match(/foo_bar:123-wow\./, last_response.body)
+
     get '/queues/default'
     assert_equal 200, last_response.status
   end