Sidekiq::Web add testcase for escaping

2022-11-09 13:52:34 -05:00 · 2013-10-30 23:12:26 +01:00 · 2013-10-30 23:12:26 +01:00 · 6db12e64c7
commit 6db12e64c7
parent 104bc8a9c8
2 changed files with 61 additions and 0 deletions
--- a/Changes.md
+++ b/Changes.md
@ -1,3 +1,7 @@
+HEAD
+-----------
+- Sidekiq::Web add tests for escaping job args and error messages. [#1299, lian]
+
 2.16.0
 -----------

--- a/test/test_web.rb
+++ b/test/test_web.rb
@ -265,6 +265,47 @@ class TestWeb < Sidekiq::Test
      assert_match /#{msg['args'][2]}/, last_response.body
    end

+    it 'escape job args and error messages' do
+      # on /retries page
+      params = add_xss_retry
+      get '/retries'
+      assert_equal 200, last_response.status
+      assert_match /FailWorker/, last_response.body
+
+      assert last_response.body.include?( "fail message: &lt;a&gt;hello&lt;&#x2F;a&gt;" )
+      assert !last_response.body.include?( "fail message: <a>hello</a>" )
+
+      assert last_response.body.include?( "args\">&quot;&lt;a&gt;hello&lt;&#x2F;a&gt;&quot;<" )
+      assert !last_response.body.include?( "args\"><a>hello</a><" )
+
+
+      # on /workers page
+      Sidekiq.redis do |conn|
+        identity = 'foo:1234-123abc:default'
+        conn.sadd('workers', identity)
+        conn.setex("worker:#{identity}:started", 10, Time.now.to_s)
+        hash = {:queue => 'critical', :payload => { 'class' => "FailWorker", 'args' => ["<a>hello</a>"] }, :run_at => Time.now.to_i }
+        conn.setex("worker:#{identity}", 10, Sidekiq.dump_json(hash))
+      end
+
+      get '/workers'
+      assert_equal 200, last_response.status
+      assert_match /FailWorker/, last_response.body
+      assert last_response.body.include?( "&lt;a&gt;hello&lt;&#x2F;a&gt;" )
+      assert !last_response.body.include?( "<a>hello</a>" )
+
+
+      # on /queues page
+      params = add_xss_retry # sorry, don't know how to easily make this show up on queues page otherwise.
+      post "/retries/#{job_params(*params)}", 'retry' => 'Retry'
+      assert_equal 302, last_response.status
+
+      get '/queues/foo'
+      assert_equal 200, last_response.status
+      assert last_response.body.include?( "&lt;a&gt;hello&lt;&#x2F;a&gt;" )
+      assert !last_response.body.include?( "<a>hello</a>" )
+    end
+
    it 'can show user defined tab' do
      begin
        Sidekiq::Web.tabs['Custom Tab'] = '/custom'
@ -380,6 +421,22 @@ class TestWeb < Sidekiq::Test
      [msg, score]
    end

+    def add_xss_retry
+      msg = { 'class' => 'FailWorker',
+              'args' => ['<a>hello</a>'],
+              'queue' => 'foo',
+              'error_message' => 'fail message: <a>hello</a>',
+              'error_class' => 'RuntimeError',
+              'retry_count' => 0,
+              'failed_at' => Time.now.utc,
+              'jid' => 'f39af2a05e8f4b24dbc0f1e4'}
+      score = Time.now.to_f
+      Sidekiq.redis do |conn|
+        conn.zadd('retry', score, Sidekiq.dump_json(msg))
+      end
+      [msg, score]
+    end
+
    def add_worker
      process_id = rand(1000)
      msg = "{\"queue\":\"default\",\"payload\":{\"retry\":true,\"queue\":\"default\",\"timeout\":20,\"backtrace\":5,\"class\":\"HardWorker\",\"args\":[\"bob\",10,5],\"jid\":\"2b5ad2b016f5e063a1c62872\"},\"run_at\":1361208995}"