Add pessimistic regexp on queue name input to avoid XSS, fixes #4852

sidekiq · Mar 25, 2021 · 64f7033 · 64f7033
1 parent 2a57abc
commit 64f7033
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/lib/sidekiq/web/action.rb b/lib/sidekiq/web/action.rb
@@ -15,7 +15,7 @@ def request
     end
 
     def halt(res)
-      throw :halt, res
+      throw :halt, [res, {"Content-Type" => "text/plain"}, [res.to_s]]
     end
 
     def redirect(location)

diff --git a/lib/sidekiq/web/application.rb b/lib/sidekiq/web/application.rb
@@ -82,10 +82,12 @@ def self.set(key, val)
       erb(:queues)
     end
 
+    QUEUE_NAME = /\A[a-z_:.\-0-9]+\z/i
+
     get "/queues/:name" do
       @name = route_params[:name]
 
-      halt(404) unless @name
+      halt(404) if !@name || @name !~ QUEUE_NAME
 
       @count = (params["count"] || 25).to_i
       @queue = Sidekiq::Queue.new(@name)

diff --git a/test/test_web.rb b/test/test_web.rb
@@ -124,6 +124,13 @@ def perform(a, b)
   end
 
   it 'handles queue view' do
+    get '/queues/onmouseover=alert()'
+    assert_equal 404, last_response.status
+
+    get '/queues/foo_bar:123-wow.'
+    assert_equal 200, last_response.status
+    assert_match(/foo_bar:123-wow\./, last_response.body)
+
     get '/queues/default'
     assert_equal 200, last_response.status
   end