Do not deserialize GlobalID objects that were not generated by Active Job

Trusting any GlobaID object when deserializing jobs can allow attackers to access information that should not be accessible to them. Fix CVE-2018-16476.

Do not deserialize GlobalID objects that were not generated by Active Job
Trusting any GlobaID object when deserializing jobs can allow attackers to access information that should not be accessible to them. Fix CVE-2018-16476.
970b0d75 · Rafael Mendonça França · fc5dd0b8 · 970b0d75 · 970b0d75
Showing with 5 addition and 1 deletion

activejob/lib/active_job/arguments.rb activejob/lib/active_job/arguments.rb +1 -1

activejob/test/cases/argument_serialization_test.rb activejob/test/cases/argument_serialization_test.rb +4 -0

未找到文件。
--- a/activejob/lib/active_job/arguments.rb
+++ b/activejob/lib/active_job/arguments.rb
@@ -77,7 +77,7 @@ def serialize_argument(argument)
      def deserialize_argument(argument)
        case argument
        when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
        when *TYPE_WHITELIST
          argument
        when Array

--- a/activejob/test/cases/argument_serialization_test.rb
+++ b/activejob/test/cases/argument_serialization_test.rb
@@ -37,6 +37,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
    assert_arguments_roundtrip [@person]
  end

+  test "should keep Global IDs strings as they are" do
+    assert_arguments_roundtrip [@person.to_gid.to_s]
+  end
+
  test "should dive deep into arrays and hashes" do
    assert_arguments_roundtrip [3, [@person]]
    assert_arguments_roundtrip [{ "a" => @person }]