Do not deserialize GlobalID objects that were not generated by Active…

… Job Trusting any GlobaID object when deserializing jobs can allow attackers to access information that should not be accessible to them. Fix CVE-2018-16476.
rails · Nov 27, 2018 · 6c8eabb · 6c8eabb
1 parent 0ae59ea
commit 6c8eabb
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
@@ -75,7 +75,7 @@ def serialize_argument(argument)
       def deserialize_argument(argument)
         case argument
         when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
         when *TYPE_WHITELIST
           argument
         when Array

diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
@@ -35,6 +35,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
     assert_arguments_roundtrip [@person]
   end
 
+  test "should keep Global IDs strings as they are" do
+    assert_arguments_roundtrip [@person.to_gid.to_s]
+  end
+
   test "should dive deep into arrays and hashes" do
     assert_arguments_roundtrip [3, [@person]]
     assert_arguments_roundtrip [{ "a" => @person }]