Trim :period parameter to two characters and escape the value

sidekiq · Apr 5, 2023 · 458fdf7 · 458fdf7 · mckramer · Apr 12, 2023
1 parent cf686d4
commit 458fdf7
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/Changes.md b/Changes.md
@@ -2,10 +2,13 @@
 
 [Sidekiq Changes](https://github.com/sidekiq/sidekiq/blob/main/Changes.md) | [Sidekiq Pro Changes](https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md) | [Sidekiq Enterprise Changes](https://github.com/sidekiq/sidekiq/blob/main/Ent-Changes.md)
 
-HEAD
+7.0.8
 ----------
 
-- Add job hash as another parameter to any `sidekiq_retry_in` block.
+- **SECURITY** Sanitize `period` input parameter on Metrics pages.
+  Specially crafted values can lead to XSS. This functionality
+  was introduced in 7.0.4. Thank you to spercex @ huntr.dev [#5694]
+- Add job hash as 3rd parameter to the `sidekiq_retry_in` block.
 
 7.0.7
 ----------

diff --git a/lib/sidekiq/version.rb b/lib/sidekiq/version.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module Sidekiq
-  VERSION = "7.0.7"
+  VERSION = "7.0.8"
   MAJOR = 7
 end
diff --git a/lib/sidekiq/web/application.rb b/lib/sidekiq/web/application.rb
@@ -68,7 +68,7 @@ def self.set(key, val)
 
     get "/metrics" do
       q = Sidekiq::Metrics::Query.new
-      @period = params[:period]
+      @period = h((params[:period] || "")[0..1])
       @periods = METRICS_PERIODS
       minutes = @periods.fetch(@period, @periods.values.first)
       @query_result = q.top_jobs(minutes: minutes)
@@ -77,7 +77,7 @@ def self.set(key, val)
 
     get "/metrics/:name" do
       @name = route_params[:name]
-      @period = params[:period]
+      @period = h((params[:period] || "")[0..1])
       q = Sidekiq::Metrics::Query.new
       @periods = METRICS_PERIODS
       minutes = @periods.fetch(@period, @periods.values.first)