From 4f03411fd07d714b525655e2457bbd761c9f03a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
 <rafaelmfranca@gmail.com>
Date: Wed, 5 Sep 2018 17:38:09 -0400
Subject: [PATCH] Do not deserialize GlobalID objects that were not generated by
 Active Job

Trusting any GlobalID object when deserializing jobs can allow
attackers to access information that should not be accessible to them.

Fix CVE-2018-16476.
---
 activejob/lib/active_job/arguments.rb               | 2 +-
 activejob/test/cases/argument_serialization_test.rb | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
index ecd81f2099..e33ee649cd 100644
--- a/activejob/lib/active_job/arguments.rb
+++ b/activejob/lib/active_job/arguments.rb
@@ -75,7 +75,7 @@ module ActiveJob
       def deserialize_argument(argument)
         case argument
         when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
         when *TYPE_WHITELIST
           argument
         when Array
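Review bot: The `when String` arm at L26 now returns the argument untouched, which is the whole fix, but nothing in the code records why, and the arm is now visually identical to the `when *TYPE_WHITELIST` arm two lines below — a later cleanup could merge them, or someone could "restore" the locator call, without seeing the security intent. I would add above L26 `# Never locate a bare String as a GlobalID: a string supplied by an untrusted enqueuer could resolve to an arbitrary record (CVE-2018-16476).` Presumably the GlobalIDs that Active Job itself serializes are restored through a different, tagged form elsewhere in this method; that path is not visible in the hunk. `deserialize_argument` continues past the end of the hunk.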
diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
index 1f11e916c4..058a828b86 100644
--- a/activejob/test/cases/argument_serialization_test.rb
+++ b/activejob/test/cases/argument_serialization_test.rb
@@ -35,6 +35,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
     assert_arguments_roundtrip [@person]
   end
 
+  test "should keep Global IDs strings as they are" do
+    assert_arguments_roundtrip [@person.to_gid.to_s]
+  end
+
   test 'should dive deep into arrays and hashes' do
     assert_arguments_roundtrip [3, [@person]]
     assert_arguments_roundtrip [{ 'a' => @person }]
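Review bot: The new test at L38 uses a double-quoted description while the neighbouring tests in this file (L42) use single quotes; `test 'should keep Global ID strings as they are' do` keeps the file's quoting consistent and also fixes the "Global IDs strings" wording. The assertion itself is fine as a regression check provided `assert_arguments_roundtrip` compares the deserialized value with the original string; that helper is not visible here.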
-- 
2.18.0

