fix xss vulnerability in display class #2309
Conversation
super! 🌟
👍
fix xss vulnerability in display class
@nolman thank you for the contribution 👍
Thanks for the fast merge!
What's the best way to get this fix if I am using sidekiq-pro? |
Pull in the master branch in your Gemfile. There won't be a new release for a while.
This commit upgrades Sidekiq to 3.5.4, the latest version in the 3.X series (4.0 came out a few months ago). It is necessary to upgrade because there are a couple of vulnerabilities reported in 2.X. The issues concerned are:
- sidekiq/sidekiq#2422
- sidekiq/sidekiq#2330
- sidekiq/sidekiq#2309
As mentioned in the upgrade guide[1], we've upgraded the Airbrake gem as well. Other items in the upgrade guide are not applicable.
[1] https://github.com/mperham/sidekiq/blob/master/3.0-Upgrade.md
This fixes the following vulnerabilities that bundler-audit warns us about:

Name: sidekiq
Version: 3.3.4
Advisory: 125675
Criticality: Unknown
URL: sidekiq/sidekiq#2422
Title: Sidekiq Gem for Ruby Multiple Unspecified CSRF
Solution: upgrade to >= 3.4.2

Name: sidekiq
Version: 3.3.4
Advisory: 125676
Criticality: Unknown
URL: sidekiq/sidekiq#2330
Title: Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element Reflected XSS
Solution: upgrade to >= 3.4.0

Name: sidekiq
Version: 3.3.4
Advisory: 125678
Criticality: Unknown
URL: sidekiq/sidekiq#2309
Title: Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
Solution: upgrade to >= 3.4.0
If any of the job args contain a script tag it will execute when you view:
/admin/sidekiq/queues/default
To reproduce:
Job.perform_later("aldfkjaf", "<script> alert('hi');</script>")
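The bug class behind this report, as an added illustration that is not Sidekiq's own code: a queue view that interpolates `msg.display_class` into the page with a bare `<%= %>` tag, placed beside the same row with the value passed through an HTML escaper. The `JobRow` class, the two one-line templates and the `SAMPLE_JOB` payload are all constructed for this example; `display_class` is written so that the job's arguments (the user-controlled part) flow into the rendered string, which is the condition the issue describes. The `h()` helper is the standard-library `ERB::Util.html_escape`, which is what the escaped template relies on here.

```ruby
require "erb"

# Constructed sample payload mirroring the reproduction in the issue:
# an ActiveJob wrapper job whose arguments carry a script tag.
SAMPLE_JOB = {
  "class" => "ActiveJob::QueueAdapters::SidekiqAdapter::JobWrapper",
  "args"  => [{ "job_class" => "Job",
                "arguments" => ["aldfkjaf", "<script> alert('hi');</script>"] }],
  "queue" => "default"
}.freeze

# Hypothetical stand-in for the web UI's job view model (not Sidekiq's
# Sidekiq::Job). display_class unwraps the ActiveJob wrapper by stringifying
# its first argument, so job arguments end up in the text the template renders.
class JobRow
  def initialize(payload)
    @payload = payload
  end

  def klass
    @payload["class"]
  end

  def display_class
    if klass == "ActiveJob::QueueAdapters::SidekiqAdapter::JobWrapper"
      @payload["args"][0].to_s # includes "arguments", i.e. user-supplied data
    else
      klass
    end
  end
end

# Vulnerable row: <%= %> writes the value into the page as raw HTML.
VULNERABLE_ROW = "<td><%= msg.display_class %></td>"

# Hardened row: the value is HTML-escaped before it reaches the page.
HARDENED_ROW = "<td><%= h(msg.display_class) %></td>"

# Tiny ERB renderer; including ERB::Util makes h()/html_escape available
# to the template through the binding.
class View
  include ERB::Util

  def initialize(template)
    @erb = ERB.new(template)
  end

  def render(msg)
    @erb.result(binding)
  end
end

def render_vulnerable(payload = SAMPLE_JOB)
  View.new(VULNERABLE_ROW).render(JobRow.new(payload))
end

def render_hardened(payload = SAMPLE_JOB)
  View.new(HARDENED_ROW).render(JobRow.new(payload))
end

# Review check: does any <%= %> tag in a template interpolate display_class
# without wrapping it in h()? Useful when auditing other views for the same pattern.
def unescaped_display_class?(template)
  template.scan(/<%=\s*(.*?)\s*%>/m).flatten.any? do |expr|
    expr.include?("display_class") && !expr.start_with?("h(")
  end
end

if __FILE__ == $0
  puts "vulnerable: #{render_vulnerable}"
  puts "hardened:   #{render_hardened}"
  puts "queue.erb-style row needs escaping? #{unescaped_display_class?(VULNERABLE_ROW)}"
end
```

The vulnerable rendering contains a literal `<script>` element, which a browser executes when the queue page is viewed; the hardened rendering turns `<` and `>` into `&lt;` and `&gt;`, so the same argument is shown as text. Escaping at the output point is the durable fix because it does not depend on what job authors put in their arguments.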