From 6db12e64c7c4e0c6d479244359f44355c4b1ca41 Mon Sep 17 00:00:00 2001
From: Julian Langschaedel
Date: Wed, 30 Oct 2013 23:12:26 +0100
Subject: [PATCH] Sidekiq::Web add testcase for escaping

---
 Changes.md | 4 ++++
 test/test_web.rb | 57 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)

diff --git a/Changes.md b/Changes.md
index 550cc0d4..bf794f22 100644
--- a/Changes.md
+++ b/Changes.md
@@ -1,3 +1,7 @@
+HEAD
+-----------
+- Sidekiq::Web add tests for escaping job args and error messages. [#1299, lian]
+
 2.16.0
 -----------
 
diff --git a/test/test_web.rb b/test/test_web.rb
index 9ad66857..bfda7031 100644
--- a/test/test_web.rb
+++ b/test/test_web.rb
@@ -265,6 +265,47 @@ class TestWeb < Sidekiq::Test
 assert_match /#{msg['args'][2]}/, last_response.body
 end
 
+ it 'escape job args and error messages' do
+ # on /retries page
+ params = add_xss_retry
+ get '/retries'
+ assert_equal 200, last_response.status
+ assert_match /FailWorker/, last_response.body
+
+ assert last_response.body.include?( "fail message: <a>hello</a>" )
+ assert !last_response.body.include?( "fail message: hello" )
+
+ assert last_response.body.include?( "args\">"<a>hello</a>"<" )
+ assert !last_response.body.include?( "args\">hello<" )
+
+
+ # on /workers page
+ Sidekiq.redis do |conn|
+ identity = 'foo:1234-123abc:default'
+ conn.sadd('workers', identity)
+ conn.setex("worker:#{identity}:started", 10, Time.now.to_s)
+ hash = {:queue => 'critical', :payload => { 'class' => "FailWorker", 'args' => ["hello"] }, :run_at => Time.now.to_i }
+ conn.setex("worker:#{identity}", 10, Sidekiq.dump_json(hash))
+ end
+
+ get '/workers'
+ assert_equal 200, last_response.status
+ assert_match /FailWorker/, last_response.body
+ assert last_response.body.include?( "<a>hello</a>" )
+ assert !last_response.body.include?( "hello" )
+
+
+ # on /queues page
+ params = add_xss_retry # sorry, don't know how to easily make this show up on queues page otherwise.
+ post "/retries/#{job_params(*params)}", 'retry' => 'Retry'
+ assert_equal 302, last_response.status
+
+ get '/queues/foo'
+ assert_equal 200, last_response.status
+ assert last_response.body.include?( "<a>hello</a>" )
+ assert !last_response.body.include?( "hello" )
+ end
+
 it 'can show user defined tab' do
 begin
 Sidekiq::Web.tabs['Custom Tab'] = '/custom'
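Review bot: In the /workers and /queues sections, `assert last_response.body.include?( "<a>hello</a>" )` followed by `assert !last_response.body.include?( "hello" )` cannot both hold as printed, because the first expected string contains the second; this reads as if the fixture's markup and the entity-escaped expected strings (the `&lt;a&gt;` forms) were lost when the page was rendered, so the hunk should be checked against the raw patch before the assertions are trusted. Independently of that, the positive checks in those two sections would be stronger if they pinned the escaped form of the specific field, as the /retries section does with its `args\">` prefix, since a bare substring `include?` passes wherever that text appears anywhere in the page. `params = add_xss_retry` in the /retries section is assigned but never read before it is reassigned in the /queues section; a bare `add_xss_retry` would do there. The negative checks would read more clearly in the minitest idiom, `refute_includes last_response.body, "hello"`, than as `assert !...include?`. The enclosing describe block and `TestWeb` class start outside the hunk.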
@@ -380,6 +421,22 @@ class TestWeb < Sidekiq::Test
 [msg, score]
 end
 
+ def add_xss_retry
+ msg = { 'class' => 'FailWorker',
+ 'args' => ['hello'],
+ 'queue' => 'foo',
+ 'error_message' => 'fail message: hello',
+ 'error_class' => 'RuntimeError',
+ 'retry_count' => 0,
+ 'failed_at' => Time.now.utc,
+ 'jid' => 'f39af2a05e8f4b24dbc0f1e4'}
+ score = Time.now.to_f
+ Sidekiq.redis do |conn|
+ conn.zadd('retry', score, Sidekiq.dump_json(msg))
+ end
+ [msg, score]
+ end
+
 def add_worker
 process_id = rand(1000)
 msg = "{\"queue\":\"default\",\"payload\":{\"retry\":true,\"queue\":\"default\",\"timeout\":20,\"backtrace\":5,\"class\":\"HardWorker\",\"args\":[\"bob\",10,5],\"jid\":\"2b5ad2b016f5e063a1c62872\"},\"run_at\":1361208995}"
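Review bot: The fixture values `'args' => ['hello']` and `'error_message' => 'fail message: hello'` contain no markup as printed, so as shown `add_xss_retry` does not exercise the escaping its name promises; if the raw patch carries angle-bracket markup here that the rendered page stripped, a comment such as `# Retry fixture whose args and error_message carry HTML so Sidekiq::Web escaping can be asserted` would make the intent survive a read, otherwise the values need the characters the test is meant to catch. The helper also appears to repeat the `msg`/`score` construction of the helper that ends just above it (only its `[msg, score]` and `end` are visible as context), differing only in the payload values, so a keyword parameter on the existing helper would avoid a second copy of the redis `zadd`. The hardcoded `'queue' => 'foo'` is what the `/queues/foo` request in the earlier hunk depends on and deserves a one-line comment linking the two.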