escape page and poll parameters for safety
This commit is contained in:
parent
2a07a551aa
commit
cfc3f314e4
2 changed files with 8 additions and 1 deletions
|
@ -2,6 +2,7 @@
|
|||
require 'uri'
|
||||
require 'set'
|
||||
require 'yaml'
|
||||
require 'cgi'
|
||||
|
||||
module Sidekiq
|
||||
# This is not a public API
|
||||
|
@ -161,7 +162,7 @@ module Sidekiq
|
|||
def qparams(options)
|
||||
options = options.stringify_keys
|
||||
params.merge(options).map do |key, value|
|
||||
SAFE_QPARAMS.include?(key) ? "#{key}=#{value}" : next
|
||||
SAFE_QPARAMS.include?(key) ? "#{key}=#{CGI.escape(value.to_s)}" : next
|
||||
end.compact.join("&")
|
||||
end
|
||||
|
||||
|
|
|
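Review bot: In the rewritten line of `qparams`, only `value` goes through `CGI.escape` while `key` is still interpolated raw; that is sound only because `SAFE_QPARAMS.include?(key)` gates every key first, and the dependency is worth stating next to the line, e.g. `# keys come from the SAFE_QPARAMS allowlist; only the caller-supplied value is untrusted and needs escaping`, so a later widening of the allowlist does not silently reopen the issue. `value.to_s` keeps a nil value producing `key=` as before, so behaviour for absent values is unchanged. Percent-encoding also neutralises `<`, `"` and `&`, which covers the case where the joined string ends up in a link attribute, though where the result is rendered is outside this hunk. `SAFE_QPARAMS` itself and the callers of `qparams` are not visible here.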
@ -557,6 +557,12 @@ class TestWeb < Sidekiq::Test
|
|||
assert_equal 200, last_response.status
|
||||
assert_match(/#{params.first['args'][2]}/, last_response.body)
|
||||
end
|
||||
|
||||
it 'handles bad query input' do
|
||||
get '/queues/foo?page=B<H'
|
||||
assert_equal 200, last_response.status
|
||||
assert_match(/B%3CH/, last_response.body)
|
||||
end
|
||||
end
|
||||
|
||||
def add_scheduled(job_id=SecureRandom.hex(12))
|
||||
|
|
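Review bot: The new `it 'handles bad query input'` case checks only the positive signal, `assert_match(/B%3CH/, last_response.body)`, so a page that escapes the value in one link but still echoes it raw elsewhere would pass; adding `refute_match(/B<H/, last_response.body)` after it pins the regression from both sides. That assumes the page does not legitimately print the raw parameter anywhere, which cannot be confirmed from this hunk. The enclosing `describe` block and the `TestWeb` class start outside the hunk.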