kotovalexarian-likes-github/mperham--sidekiq
1
0
Fork 0
mirror of https://github.com/mperham/sidekiq.git synced 2022-11-09 13:52:34 -05:00
Code Releases Activity

Add pessimistic regexp on queue name input to avoid XSS, fixes #4852

Browse source
This commit is contained in:
Mike Perham 2021-03-25 16:16:55 -07:00
parent 2a57abc5e5
commit 64f70339d1
3 changed files with 11 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/sidekiq/web/action.rb
View file

@ -15,7 +15,7 @@ module Sidekiq
end end
def halt(res) def halt(res)
throw :halt, res throw :halt, [res, {"Content-Type" => "text/plain"}, [res.to_s]]
end end
def redirect(location) def redirect(location)

4
lib/sidekiq/web/application.rb
View file

@ -82,10 +82,12 @@ module Sidekiq
erb(:queues) erb(:queues)
end end
QUEUE_NAME = /\A[a-z_:.\-0-9]+\z/i
get "/queues/:name" do get "/queues/:name" do
@name = route_params[:name] @name = route_params[:name]
halt(404) unless @name halt(404) if !@name || @name !~ QUEUE_NAME
@count = (params["count"] || 25).to_i @count = (params["count"] || 25).to_i
@queue = Sidekiq::Queue.new(@name) @queue = Sidekiq::Queue.new(@name)

7
test/test_web.rb
View file

@ -124,6 +124,13 @@ describe Sidekiq::Web do
end end
it 'handles queue view' do it 'handles queue view' do
get '/queues/onmouseover=alert()'
assert_equal 404, last_response.status
get '/queues/foo_bar:123-wow.'
assert_equal 200, last_response.status
assert_match(/foo_bar:123-wow\./, last_response.body)
get '/queues/default' get '/queues/default'
assert_equal 200, last_response.status assert_equal 200, last_response.status
end end