From 6c8eabbe50ce5b6afc502680e099b39a64b07458 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
Date: Wed, 5 Sep 2018 17:38:09 -0400
Subject: [PATCH] Do not deserialize GlobalID objects that were not generated by Active Job

Trusting any GlobaID object when deserializing jobs can allow attackers to access information that should not be accessible to them.

Fix CVE-2018-16476.
---
 activejob/lib/active_job/arguments.rb               | 2 +-
 activejob/test/cases/argument_serialization_test.rb | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
index 523a0e7f336e3..d936b369ca231 100644
--- a/activejob/lib/active_job/arguments.rb
+++ b/activejob/lib/active_job/arguments.rb
@@ -75,7 +75,7 @@ def serialize_argument(argument)
       def deserialize_argument(argument)
         case argument
         when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
         when *TYPE_WHITELIST
           argument
         when Array
diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
index 7934d8e55640d..dac04adb114bc 100644
--- a/activejob/test/cases/argument_serialization_test.rb
+++ b/activejob/test/cases/argument_serialization_test.rb
@@ -35,6 +35,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
     assert_arguments_roundtrip [@person]
   end
 
+  test "should keep Global IDs strings as they are" do
+    assert_arguments_roundtrip [@person.to_gid.to_s]
+  end
+
   test "should dive deep into arrays and hashes" do
     assert_arguments_roundtrip [3, [@person]]
     assert_arguments_roundtrip [{ "a" => @person }]
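Review bot: The `when String` branch now hands back the raw string with no comment explaining why, so a future maintainer may well reintroduce `GlobalID::Locator.locate` here "for convenience" and reopen CVE-2018-16476. Add a why-comment on the branch, e.g. `# Strings are returned verbatim: the job payload is untrusted, so a bare string must never be resolved to a record here (CVE-2018-16476).` Note the behavior change is observable: any caller that relied on a bare GID URI string being located will now receive the string, which is the intended trust boundary but worth stating in the CHANGELOG. The hunk starts inside `deserialize_argument` and the method continues past `when Array`; presumably the structured GlobalID form emitted by `serialize_argument` is handled in a later branch, and it would be worth confirming that is the only path that ever locates a record.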
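Review bot: The new test only proves the regression indirectly, through whatever equality `assert_arguments_roundtrip` (defined outside this hunk) performs between the input array and the deserialized result. Pinning the type makes the intent unambiguous and guards against a helper that compares loosely: `gid = @person.to_gid.to_s` followed by `assert_equal [gid], ActiveJob::Arguments.deserialize(ActiveJob::Arguments.serialize([gid]))`. The test name reads better as `"should keep Global ID strings as they are"`.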