Skip to content

Commit

Permalink
Trim :period parameter to two characters and escape the value
Browse files Browse the repository at this point in the history
  • Loading branch information
mperham committed Apr 5, 2023
1 parent cf686d4 commit 458fdf7
Show file tree
Hide file tree
Showing 3 changed files with 8 additions and 5 deletions.
7 changes: 5 additions & 2 deletions Changes.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,13 @@

[Sidekiq Changes](https://github.com/sidekiq/sidekiq/blob/main/Changes.md) | [Sidekiq Pro Changes](https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md) | [Sidekiq Enterprise Changes](https://github.com/sidekiq/sidekiq/blob/main/Ent-Changes.md)

HEAD
7.0.8
----------

- Add job hash as another parameter to any `sidekiq_retry_in` block.
- **SECURITY** Sanitize `period` input parameter on Metrics pages.
Specially crafted values can lead to XSS. This functionality
was introduced in 7.0.4. Thank you to spercex @ huntr.dev [#5694]
- Add job hash as 3rd parameter to the `sidekiq_retry_in` block.

7.0.7
----------
Expand Down
2 changes: 1 addition & 1 deletion lib/sidekiq/version.rb
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# frozen_string_literal: true

module Sidekiq
VERSION = "7.0.7"
VERSION = "7.0.8"
MAJOR = 7
end
4 changes: 2 additions & 2 deletions lib/sidekiq/web/application.rb
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ def self.set(key, val)

get "/metrics" do
q = Sidekiq::Metrics::Query.new
@period = params[:period]
@period = h((params[:period] || "")[0..1])
@periods = METRICS_PERIODS
minutes = @periods.fetch(@period, @periods.values.first)
@query_result = q.top_jobs(minutes: minutes)
Expand All @@ -77,7 +77,7 @@ def self.set(key, val)

get "/metrics/:name" do
@name = route_params[:name]
@period = params[:period]
@period = h((params[:period] || "")[0..1])
q = Sidekiq::Metrics::Query.new
@periods = METRICS_PERIODS
minutes = @periods.fetch(@period, @periods.values.first)
Expand Down

1 comment on commit 458fdf7

@mckramer
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mperham, great job fixing this. The CVE was published via huntr.dev with incorrect affect range. I posted comment on https://huntr.dev/bounties/e35e5653-c429-4fb8-94a3-cbc123ae4777/. I'm not sure if you are able to change the affected range to >=7.0.4, < 7.0.8.

Please sign in to comment.