fix: backport xss and rce fixes to v7.1 (#834)

* fix: backport xss and rce fixes to v7.1

This was fixed in #829 and #833

* chore(lint): lint'em real good

* chore: remove reek

Author: mhenrixon

.github/workflows/lint.yml

@@ -18,18 +18,3 @@ jobs:
           bundler-cache: true
       - run: bin/bundle --jobs=$(nproc) --retry=$(nproc)
       - run: bin/rubocop -P
-
-  reek:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-
-    steps:
-      - uses: actions/checkout@v3
-      - uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: 3.1
-          bundler: 2.4.12
-          bundler-cache: true
-      - run: bin/bundle --jobs=$(nproc) --retry=$(nproc)
-      - run: bin/reek .

.rubocop.yml

@@ -135,6 +135,13 @@ RSpec/RepeatedExample:
   Exclude:
     - spec/sidekiq_unique_jobs/unique_args_spec.rb
 
+RSpec/SpecFilePathFormat:
+  Exclude:
+    - spec/performance/lock_digest_spec.rb
+    - spec/performance/locksmith_spec.rb
+    - spec/sidekiq_unique_jobs/configuration_spec.rb
+    - spec/sidekiq_unique_jobs/middleware/server/until_and_while_executing_spec.rb
+
 Style/Documentation:
   Enabled: true
   Exclude:

lib/sidekiq_unique_jobs/sidekiq_unique_jobs.rb

@@ -186,7 +186,7 @@ def configure(options = {})
       yield config
     else
       options.each do |key, val|
-        config.send("#{key}=", val)
+        config.send(:"#{key}=", val)
       end
     end
   end

lib/sidekiq_unique_jobs/web.rb

@@ -14,11 +14,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
       end
 
       app.get "/changelogs" do
-        @filter         = params[:filter] || "*"
+        @filter         = h(params[:filter] || "*")
         @filter         = "*" if @filter == ""
-        @count          = (params[:count] || 100).to_i
-        @current_cursor = params[:cursor]
-        @prev_cursor    = params[:prev_cursor]
+        @count          = h(params[:count] || 100).to_i
+        @current_cursor = h(params[:cursor])
+        @prev_cursor    = h(params[:prev_cursor])
         @total_size, @next_cursor, @changelogs = changelog.page(
           cursor: @current_cursor,
           pattern: @filter,
@@ -34,11 +34,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
       end
 
       app.get "/locks" do
-        @filter         = params[:filter] || "*"
+        @filter         = h(params[:filter] || "*")
         @filter         = "*" if @filter == ""
-        @count          = (params[:count] || 100).to_i
-        @current_cursor = params[:cursor]
-        @prev_cursor    = params[:prev_cursor]
+        @count          = h(params[:count] || 100).to_i
+        @current_cursor = h(params[:cursor])
+        @prev_cursor    = h(params[:prev_cursor])
 
         @total_size, @next_cursor, @locks = digests.page(
           cursor: @current_cursor,
@@ -50,11 +50,11 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
       end
 
       app.get "/expiring_locks" do
-        @filter         = params[:filter] || "*"
+        @filter         = h(params[:filter] || "*")
         @filter         = "*" if @filter == ""
-        @count          = (params[:count] || 100).to_i
-        @current_cursor = params[:cursor]
-        @prev_cursor    = params[:prev_cursor]
+        @count          = h(params[:count] || 100).to_i
+        @current_cursor = h(params[:cursor])
+        @prev_cursor    = h(params[:prev_cursor])
 
         @total_size, @next_cursor, @locks = expiring_digests.page(
           cursor: @current_cursor,
@@ -72,7 +72,7 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
       end
 
       app.get "/locks/:digest" do
-        @digest = params[:digest]
+        @digest = h(params[:digest])
         @lock   = SidekiqUniqueJobs::Lock.new(@digest)
 
         erb(unique_template(:lock))
@@ -85,9 +85,10 @@ def self.registered(app) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
       end
 
       app.get "/locks/:digest/jobs/:job_id/delete" do
-        @digest = params[:digest]
+        @digest = h(params[:digest])
+        @job_id = h(params[:job_id])
         @lock   = SidekiqUniqueJobs::Lock.new(@digest)
-        @lock.unlock(params[:job_id])
+        @lock.unlock(@job_id)
 
         redirect_to "locks/#{@lock.key}"
       end

spec/performance/lock_digest_spec.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-RSpec.describe SidekiqUniqueJobs::LockDigest, perf: true do
+RSpec.describe SidekiqUniqueJobs::LockDigest, :perf do
   let(:lock_digest)  { described_class.new(item) }
   let(:job_class)    { UntilExecutedJob }
   let(:class_name)   { worker_class.to_s }

spec/performance/locksmith_spec.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-RSpec.describe SidekiqUniqueJobs::Locksmith, perf: true do
+RSpec.describe SidekiqUniqueJobs::Locksmith, :perf do
   let(:locksmith_one)   { described_class.new(item_one) }
   let(:locksmith_two)   { described_class.new(item_two) }
 

spec/sidekiq_unique_jobs/changelog_spec.rb

@@ -39,14 +39,14 @@
 
       it "clears out all entries" do
         expect { clear }.to change { entity.entries.size }.by(-1)
-        expect(clear).to be == 1
+        expect(clear).to eq 1
       end
     end
 
     context "without entries" do
       it "returns 0 (zero)" do
         expect { clear }.not_to change { entity.entries.size }
-        expect(clear).to be == 0
+        expect(clear).to eq 0
       end
     end
   end
@@ -55,27 +55,27 @@
     subject(:exist?) { entity.exist? }
 
     context "when no entries exist" do
-      it { is_expected.to be == false }
+      it { is_expected.to be false }
     end
 
     context "when entries exist" do
       before { simulate_lock(key, job_id) }
 
-      it { is_expected.to be == true }
+      it { is_expected.to be true }
     end
   end
 
   describe "#pttl" do
     subject(:pttl) { entity.pttl }
 
     context "when no entries exist" do
-      it { is_expected.to be == -2 }
+      it { is_expected.to eq(-2) }
     end
 
     context "when entries exist without expiration" do
       before { simulate_lock(key, job_id) }
 
-      it { is_expected.to be == -1 }
+      it { is_expected.to eq(-1) }
     end
 
     context "when entries exist with expiration" do
@@ -92,13 +92,13 @@
     subject(:ttl) { entity.ttl }
 
     context "when no entries exist" do
-      it { is_expected.to be == -2 }
+      it { is_expected.to eq(-2) }
     end
 
     context "when entries exist without expiration" do
       before { simulate_lock(key, job_id) }
 
-      it { is_expected.to be == -1 }
+      it { is_expected.to eq(-1) }
     end
 
     context "when entries exist with expiration" do
@@ -107,15 +107,15 @@
         expire(key.changelog, 600)
       end
 
-      it { is_expected.to be == 600 }
+      it { is_expected.to eq 600 }
     end
   end
 
   describe "#expires?" do
     subject(:expires?) { entity.expires? }
 
     context "when no entries exist" do
-      it { is_expected.to be == false }
+      it { is_expected.to be false }
     end
 
     context "when entries exist" do
@@ -124,21 +124,21 @@
         expire(key.changelog, 600)
       end
 
-      it { is_expected.to be == true }
+      it { is_expected.to be true }
     end
   end
 
   describe "#count" do
     subject(:count) { entity.count }
 
     context "when no entries exist" do
-      it { is_expected.to be == 0 }
+      it { is_expected.to eq 0 }
     end
 
     context "when entries exist" do
       before { simulate_lock(key, job_id) }
 
-      it { is_expected.to be == 2 }
+      it { is_expected.to eq 2 }
     end
   end
 

spec/sidekiq_unique_jobs/cli_spec.rb

@@ -37,9 +37,9 @@
             jobs  del PATTERN
 
           Options:
-            d, [--dry-run], [--no-dry-run]  # set to false to perform deletion
-            c, [--count=N]                  # The max number of digests to return
-                                            # Default: 1000
+            -d, [--dry-run], [--no-dry-run]  # set to false to perform deletion
+            -c, [--count=N]                  # The max number of digests to return
+                                             # Default: 1000
 
           deletes unique digests from redis by pattern
         HEADER
@@ -55,8 +55,8 @@
             jobs  list PATTERN
 
           Options:
-            c, [--count=N]  # The max number of digests to return
-                            # Default: 1000
+            -c, [--count=N]  # The max number of digests to return
+                             # Default: 1000
 
           list all unique digests and their expiry time
         HEADER

spec/sidekiq_unique_jobs/lua/delete_by_digest_spec.rb

@@ -40,12 +40,12 @@
   it "deletes the expected keys from redis" do
     expect(delete_by_digest).to eq(8)
 
-    expect(queued.count).to be == 0
-    expect(primed.count).to be == 0
-    expect(locked.count).to be == 0
+    expect(queued.count).to eq 0
+    expect(primed.count).to eq 0
+    expect(locked.count).to eq 0
 
-    expect(run_queued.count).to be == 0
-    expect(run_primed.count).to be == 0
-    expect(run_locked.count).to be == 0
+    expect(run_queued.count).to eq 0
+    expect(run_primed.count).to eq 0
+    expect(run_locked.count).to eq 0
   end
 end

spec/sidekiq_unique_jobs/lua/lock_spec.rb

@@ -20,7 +20,7 @@
   let(:now_f)      { SidekiqUniqueJobs.now_f }
   let(:lock_limit) { 1 }
 
-  shared_context "with a primed key", with_primed_key: true do
+  shared_context "with a primed key", :with_primed_key do
     before do
       call_script(:queue, key.to_a, argv_one)
       rpoplpush(key.queued, key.primed)