CruGlobal / cru_lib

MIT License

Job arguments to Person must be native JSON types warning #16

Open andrewroth opened 2 years ago

andrewroth commented 2 years ago

@knutsenm @jbirdjavi @dbenton9 @twinge @Omicron7

This morning, working on OneApp, I got:

$ bundle exec bundle audit check --update --ignore CVE-2015-9284
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db: 541 advisories
Name: sidekiq
Version: 6.2.2
Advisory: CVE-2022-23837
Criticality: High
URL: https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956
Title: Denial of service in sidekiq
Solution: upgrade to >= 6.4.0, ~> 5.2.10

Vulnerabilities found!

Upgrading to 6.4.0, I get:

  1) Person#last_mpd_report works
     Failure/Error: p = create(:person)

     ArgumentError:
       Job arguments to Person must be native JSON types, see https://github.com/mperham/sidekiq/wiki/Best-Practices.
       To disable this error, remove `Sidekiq.strict_args!` from your initializer.
     # ./spec/models/person_spec.rb:167:in `block (3 levels) in <top (required)>'

On any Person test. I traced it to CruLib::GlobalRegistryMasterPersonMethods. We're using gem "cru_lib", github: "CruGlobal/cru_lib", tag: "v0.1.1". The same warning appears on any Person save.

I suspect this will be an issue for many of the rails apps.

Has anyone come across this before, and if so is there a fix or workaround, or is it worth having me take some time to try to update cru_lib to avoid the warning?

jbirdjavi commented 2 years ago

@andrewroth For now I'd probably do what the error says and remove Sidekiq.strict_args! from any initializer. When someone has a chance we can probably figure out what needs to happen to make it work without warnings.

andrewroth commented 2 years ago

Sorry, I'd pasted the code with strict_args! added by me in my local dev codebase.

Without it, I get:

2022-02-09T20:32:37.480Z pid=66043 tid=1ka3 WARN: Job arguments to Person do not serialize to JSON safely. This will raise an error in
Sidekiq 7.0. See https://github.com/mperham/sidekiq/wiki/Best-Practices or raise an error today
by calling `Sidekiq.strict_args!` during Sidekiq initialization.

And this causes hundreds of such messages on tests because it happens on every person saved to the test db.
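To show what the warning quoted above is actually checking, here is an added example (not cru_lib's or Sidekiq's own code): a JSON round-trip test of the kind Sidekiq applies under strict_args!, run over a stand-in Person record and a Symbol, followed by the conversion to ids and strings that the linked Best Practices page asks for. Person here is a constructed Struct, not the real model, and verify_job_args only mirrors the warn/raise behaviour described in the thread.

```ruby
require "json"

# Constructed stand-in for an ActiveRecord model; cru_lib's Person is not reproduced.
Person = Struct.new(:id, :name)

# Round-trips the argument array through JSON. This is the same kind of check
# Sidekiq's strict_args! performs: anything that does not come back equal after
# JSON.dump / JSON.parse is not a "native JSON type" (records, Symbols, symbol-keyed
# hashes, Time objects all fail; Integers, Strings, Floats, Arrays, string-keyed
# Hashes, true/false/nil pass).
def json_safe?(args)
  JSON.parse(JSON.dump(args)) == args
rescue JSON::GeneratorError, JSON::ParserError
  false
end

# Mirrors the two behaviours seen in the thread: the Sidekiq 6.4 default (WARN)
# and strict mode (ArgumentError). Returns [:ok, nil] or [:warn, message].
def verify_job_args(job_class, args, strict: false)
  return [:ok, nil] if json_safe?(args)

  if strict
    raise ArgumentError,
          "Job arguments to #{job_class} must be native JSON types, see https://github.com/mperham/sidekiq/wiki/Best-Practices."
  end
  [:warn, "Job arguments to #{job_class} do not serialize to JSON safely"]
end

# Rewrites an argument list into the shape the Best Practices page asks for:
# pass the record's id (re-fetch it inside perform) instead of the record, and a
# String instead of a Symbol. Other values are left untouched.
def to_native_args(args)
  args.map do |a|
    case a
    when Person then a.id
    when Symbol then a.to_s
    else a
    end
  end
end

if $PROGRAM_NAME == __FILE__
  bad = [Person.new(1, "Ann"), :push_to_global_registry]
  p verify_job_args("Person", bad)                  # => [:warn, "..."]
  p verify_job_args("Person", to_native_args(bad))  # => [:ok, nil]
end
```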

jbirdjavi commented 2 years ago

Yeah that sounds right. It's been happening on at least MPDX and SMT. If you want to look into fixing it, feel free! Otherwise it's on my todo list.

andrewroth commented 2 years ago

Ah ok, fair enough. Thanks for the confirmation