Cross-Site Scripting(XSS) issue #2330
I can't reproduce. When I hit http://localhost:3000/sidekiq/queues/%3c%69%4d%67%20%53%72%43%3d%78%20%4f%6e%45%72%52%6f%52%3d%61%6c%65%72%74%28%34%38%34%37%33%29%3e I just get an empty page. For everyone else, the URL is actually
Ok, Chrome ignored it but Firefox reproduced it.
Yep, Firefox.
Thank you! It is working and more secure now!
In case anyone is wondering, Chrome has some XSS security built into it where it will detect if pieces of the URL show up as HTML/DOM elements. (Not really sure why Firefox doesn't have it...)
This commit upgrades Sidekiq to 3.5.4, the latest version in the 3.X series (4.0 has come out a few months ago). It is necessary to upgrade because there are a couple of vulnerabilities reported in 2.X. It concerns these issues:
- sidekiq/sidekiq#2422
- sidekiq/sidekiq#2330
- sidekiq/sidekiq#2309
As mentioned in the upgrade guide[1], we've upgraded the Airbrake gem as well. Other items in the upgrade guide are not applicable.
[1] https://github.com/mperham/sidekiq/blob/master/3.0-Upgrade.md
This fixes the following vulnerabilities that bundler-audit warns us about:

Name: sidekiq
Version: 3.3.4
Advisory: 125675
Criticality: Unknown
URL: sidekiq/sidekiq#2422
Title: Sidekiq Gem for Ruby Multiple Unspecified CSRF
Solution: upgrade to >= 3.4.2

Name: sidekiq
Version: 3.3.4
Advisory: 125676
Criticality: Unknown
URL: sidekiq/sidekiq#2330
Title: Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element Reflected XSS
Solution: upgrade to >= 3.4.0

Name: sidekiq
Version: 3.3.4
Advisory: 125678
Criticality: Unknown
URL: sidekiq/sidekiq#2309
Title: Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
Solution: upgrade to >= 3.4.0
When on the queues page, using the URL below can cause Cross-Site Scripting (XSS):
%url%/sidekiq/queues/%3c%69%4d%67%20%53%72%43%3d%78%20%4f%6e%45%72%52%6f%52%3d%61%6c%65%72%74%28%34%38%34%37%33%29%3e
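As an added illustration of the report above (example code written here, not Sidekiq's own view code), this decodes the queue-name segment of the reported URL and renders it through two hypothetical ERB views: one that inserts the value verbatim, as the vulnerable queue.erb did, and one that HTML-escapes it, which is what the fix in 3.4.0 amounts to. A small check then shows whether the raw value reached the response unescaped.

```ruby
require 'erb'
require 'cgi'

# Constructed sample: the percent-encoded queue-name segment from the
# reported URL. Decoding it yields an <img> tag with an onerror handler.
ENCODED_QUEUE = "%3c%69%4d%67%20%53%72%43%3d%78%20%4f%6e%45%72%52%6f%52%3d%61%6c%65%72%74%28%34%38%34%37%33%29%3e"

# Rack/Sinatra hand the route parameter to the view already percent-decoded;
# this reproduces that step for the sample above.
def queue_name_from_path(segment)
  CGI.unescape(segment)
end

# Hypothetical "before" view: plain ERB's <%= %> inserts the value verbatim,
# so any markup in the queue name becomes part of the page.
UNSAFE_VIEW = ERB.new('<h3>Current messages in <%= name %></h3>')

# Hardened view: the untrusted value is HTML-escaped before insertion
# (Sidekiq's web UI wraps this as a helper; the fully qualified method is
# used here so the snippet runs stand-alone).
SAFE_VIEW = ERB.new('<h3>Current messages in <%= ERB::Util.html_escape(name) %></h3>')

def render(view, name)
  view.result_with_hash(name: name)
end

# Detection check: does the raw, unescaped value appear in the rendered HTML?
# True means the view reflects attacker-controlled input as markup.
def reflects_unescaped?(html, payload)
  html.include?(payload)
end

if __FILE__ == $0
  name = queue_name_from_path(ENCODED_QUEUE)
  puts "unsafe view: #{render(UNSAFE_VIEW, name)}"
  puts "safe view:   #{render(SAFE_VIEW, name)}"
  puts "unsafe reflects payload? #{reflects_unescaped?(render(UNSAFE_VIEW, name), name)}"
  puts "safe reflects payload?   #{reflects_unescaped?(render(SAFE_VIEW, name), name)}"
end
```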