
Fix CVE-2017-12097 #102

Closed
wants to merge 1 commit into from

Conversation

jankeesvw
Contributor

From https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0449

An exploitable XSS vulnerability exists in the filter functionality of the
delayed_job_web rails gem version 1.4. A specially crafted URL can cause an
XSS flaw resulting in an attacker being able to execute arbitrary javascript
on the victim’s browser. An attacker can phish an authenticated user to
trigger this vulnerability.

The delayed_job_web gem allows users to filter output based on the query
string of the GET request. This looks similar to:

localhost:3000/delayed_job/overview?queues=">+<script>alert(1)<%2Fscript>

This URL can then be used to phish an authenticated user and execute arbitrary
javascript on their behalf. This vulnerability is caught by the built-in XSS
protections of Safari and Chrome; however, it is exploitable using Firefox.

Fixes #101
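To illustrate the defect the report describes and its standard mitigation, here is an added Ruby example; it is not code from the delayed_job_web gem or from this pull request. It decodes the query string quoted above, renders the `queues` value into a filter form first unescaped and then HTML-escaped with `ERB::Util.html_escape`, and checks whether an element was injected. The form markup, the helper names and the allowlist validator are assumptions made for the illustration; the gem's actual views and its eventual patch may differ.

```ruby
require 'erb'
require 'uri'

# Constructed sample: the query string from the Talos report. In a URL, '+'
# encodes a space and '%2F' encodes '/'.
PAYLOAD_QUERY = 'queues=">+<script>alert(1)<%2Fscript>'

# Decode the query string into params the way a Rack app would see them and
# return the 'queues' filter value (standard library only; hypothetical helper).
def parse_queues(query_string)
  URI.decode_www_form(query_string).to_h.fetch('queues', '')
end

# Before: the value is interpolated into the markup unescaped, so the double
# quote closes the attribute and the rest of the input becomes markup.
# (Assumed form markup, not the gem's real view.)
def render_filter_unescaped(queues)
  %(<input type="text" name="queues" value="#{queues}">)
end

# After: escape for an HTML context before interpolation. ERB::Util.html_escape
# turns & < > " ' into entities, so the input stays inside the attribute value.
def render_filter_escaped(queues)
  %(<input type="text" name="queues" value="#{ERB::Util.html_escape(queues)}">)
end

# Defence in depth (assumption: queue names are plain identifiers): accept only
# comma-separated values that look like queue names, so unexpected input is
# dropped before it reaches the view at all.
QUEUE_NAME = /\A[A-Za-z0-9_.\-]+\z/

def sanitize_queue_list(raw)
  raw.split(',').map(&:strip).select { |q| q.match?(QUEUE_NAME) }
end

# Simple check a test suite or a reviewer can run over rendered output:
# does the markup contain a script element that the template never emitted?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  queues = parse_queues(PAYLOAD_QUERY)
  puts "decoded param : #{queues.inspect}"
  puts "unescaped     : #{render_filter_unescaped(queues)}"
  puts "escaped       : #{render_filter_escaped(queues)}"
  puts "allowlisted   : #{sanitize_queue_list(queues).inspect}"
end
```

Escaping at the output point is the fix that closes the reported issue; the allowlist is an additional layer that also protects any other place the parameter is used (for example in a redirect or a database query), which output escaping alone does not.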

@andyatkinson
Collaborator

andyatkinson commented Feb 21, 2018

@jankeesvw Thank you for submitting this. Were you able to run bundle or bundle update locally with success? I pulled your branch and am running into version conflicts.

@jankeesvw
Contributor Author

I ran bundle update in my project with a reference to my fork, that worked just fine.

What output did you get? I’ll check it again tomorrow.

@jankeesvw
Contributor Author

Ah yes, I see the errors. Do you have any idea how to resolve it?

Bundler could not find compatible versions for gem "activerecord":
  In Gemfile:
    delayed_job_web was resolved to 1.4, which depends on
      activerecord (> 3.0.0)

    rails (~> 4.0) was resolved to 4.0.0, which depends on
      activerecord (= 4.0.0)

Bundler could not find compatible versions for gem "activesupport":
  In Gemfile:
    delayed_job_web was resolved to 1.4, which depends on
      delayed_job (> 2.0.3) was resolved to 4.1.4, which depends on
        activesupport (< 5.2, >= 3.0)

    rails (~> 4.0) was resolved to 4.0.0, which depends on
      activesupport (= 4.0.0)

Bundler could not find compatible versions for gem "rack":
  In Gemfile:
    rails (~> 4.0) was resolved to 4.0.0, which depends on
      actionpack (= 4.0.0) was resolved to 4.0.0, which depends on
        rack (~> 1.5.2)

    delayed_job_web was resolved to 1.4, which depends on
      sinatra (>= 2.0.1) was resolved to 2.0.1, which depends on
        rack (~> 2.0)

Bundler could not find compatible versions for gem "rails":
  In Gemfile:
    rails (~> 4.0)

Could not find gem 'rails (~> 4.0)' in any of the sources.

@jankeesvw
Contributor Author

I think it works on my project because it relies on Rails 5.

@andyatkinson
Collaborator

@jankeesvw I think it makes sense that new versions of this gem would depend on Rails 5. If you can configure the dependencies so that bundle works and you can confirm that version of this gem works in your Rails 5 app (bundling your local gem in your app), then that would be a good verification. Sound good?

@jankeesvw
Contributor Author

I'm sorry, I was trying to fix CVE-2018-7212, which is different than the subject of this issue.

@jankeesvw
Contributor Author

Replaced by #103.

@jankeesvw jankeesvw closed this Feb 22, 2018
@jankeesvw jankeesvw deleted the fix-CVE-2017-12097 branch February 22, 2018 19:59
2 participants