Validate days parameter to avoid possible DoS in Web UI

Thank you to Sergey Shpakov of http://tutum.space for reporting.
sidekiq · Jan 20, 2022 · 7785ac1 · 7785ac1 · nfedyashev · Mar 21, 2022
1 parent 0a4de94
commit 7785ac1
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 2 deletions.
diff --git a/lib/sidekiq/api.rb b/lib/sidekiq/api.rb
@@ -161,6 +161,8 @@ def lengths
 
  class History
  def initialize(days_previous, start_date = nil)
+ # we only store five years of data in Redis
+ raise ArgumentError if days_previous < 1 || days_previous > (5 * 365)
  @days_previous = days_previous
  @start_date = start_date || Time.now.utc.to_date
  end

diff --git a/lib/sidekiq/web/application.rb b/lib/sidekiq/web/application.rb
@@ -50,7 +50,10 @@ def self.set(key, val)
 
  get "/" do
  @redis_info = redis_info.select { |k, v| REDIS_KEYS.include? k }
- stats_history = Sidekiq::Stats::History.new((params["days"] || 30).to_i)
+ days = (params["days"] || 30).to_i
+ return halt(401) if days < 1 || days > 180
+
+ stats_history = Sidekiq::Stats::History.new(days)
  @processed_history = stats_history.processed
  @failed_history = stats_history.failed
 

diff --git a/test/test_api.rb b/test/test_api.rb
@@ -156,6 +156,15 @@
  Time::DATE_FORMATS[:default] = @before
  end
 
+ describe "history" do
+ it "does not allow invalid input" do
+ assert_raises(ArgumentError) { Sidekiq::Stats::History.new(-1) }
+ assert_raises(ArgumentError) { Sidekiq::Stats::History.new(0) }
+ assert_raises(ArgumentError) { Sidekiq::Stats::History.new(2000) }
+ assert Sidekiq::Stats::History.new(200)
+ end
+ end
+
  describe "processed" do
  it 'retrieves hash of dates' do
  Sidekiq.redis do |c|

diff --git a/test/test_web.rb b/test/test_web.rb
@@ -748,8 +748,9 @@ def app
  basic_authorize 'a', 'b'
 
  get '/'
-
  assert_equal 200, last_response.status
+ get '/?days=1000000'
+ assert_equal 401, last_response.status
  end
  end