petakopi.my
petakopi.my copied to clipboard
petakopi
🚨 [security] [ruby] Update sidekiq 7.2.1 → 7.2.4 (patch)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ sidekiq (7.2.1 → 7.2.4) · Repo · Changelog
Security Advisories 🚨
🚨 Sidekiq vulnerable to a Reflected XSS in Queues Web Page
Description:
During the source Code Review of the metrics.erb view of the Sidekiq Web UI, A reflected XSS vulnerability is discovered. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application.
This vulnerability can be exploited to target the users of the application, and users of other applications deployed on the same domain or website as that of the Sidekiq website. Successful exploit results may result in compromise of user accounts and user data.
Impact:
The impact of this vulnerability can be severe. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc.
Mitigation:
Encode all output data before rendering it in the response to prevent XSS attacks.
Steps to Reproduce:
- Go to the following URL of the sidekiq Web UI:
https://{host}/sidekiq/metrics?substr=beret%22%3E%3Cscript%20src=%22https://cheemahq.vercel.app/a.js%22%20/%3E- XSS payload will be executed, causing a popup.
Evidence:
Figure 1: Source Code Vulnerable to XSS
Figure 2: XSS payload triggered
Release Notes
7.2.2 (from changelog)
- Add
Process.warmupcall in Ruby 3.3+- Batch jobs now skip transactional push [#6160]
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 33 commits:
Fix for CVE-2024-32887changesprep for releaseFix Rack deprecationFix session secret error in tests with rails 71Fix build, latest ent changesAdd **kwargs to dynamic redis client method definition (#6249)Fix typos (#6245)formattingUse lax decoding, fixes #6241Bump actions/dependency-review-action from 3 to 4 (#6171)optimize heartbeat, fixes #6227New CI setup for Dragonfly + RedisAdd dragonfly CIAdd language selector and session language persistance (#6217)Add ability to find a currently running work by jid (#6212)Improve web application test coverage, fixes #6206add more test coverage for web/application.rbmetrics filtering shouldnt allow live poll, fixes #6203fmt722bump722fix: Avoid JSON dump on Rails.application (#6198)Add comment to sidekiq.service for use as user service (#6191)formatting, loggingDragonfly supportreleasefix: fix determine_redis_provider test behaviour (#6176)Better, thanks @jjbstandard formattingImplement Process.warmup in Ruby 3.3Batch jobs should push immediately, fixes #6160
↗️ rack (indirect, 3.0.9.1 → 3.0.10) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 2 commits:
↗️ redis-client (indirect, 0.19.1 → 0.22.1) · Repo · Changelog
Release Notes
0.20.0 (from changelog)
- Accept
unix://schemes as well as simple paths in theurl:config parameter. #170.- Make basic usage Ractor compatible.
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 74 commits:
Release 0.22.1Merge pull request #193 from redis-rb/workaround-ssl-socket-buffer-clearFix ruby-head unused block argument warningWorkaround SSLSocket always clearing the bufferUpdate test certificatesRelease 0.22.0Merge pull request #189 from redis-rb/fix-utf8-responseFix BufferedIO to search with `byteindex`Merge pull request #188 from eregon/improve-conditionImprove condition for whether force_encoding is neededMerge pull request #187 from philippeboyd/feature/add-pipeline-raise_exception-flagfeat(pipeline): add flag to disable raising exceptionsMerge pull request #186 from redis-rb/dependabot/bundler/rake-13.2.1Bump rake from 13.1.0 to 13.2.1Merge pull request #185 from jmthomas/windows_detectionBetter detection of Windows platformRESP3: Pre-freeze hash keysUpdate CHANGELOGAlways assume UTF-8 encoding instead of relying on `Encoding.default_external`Merge pull request #184 from redis-rb/bench-hiredis-vs-rubyFix compatibility with TruffleRubyRecord drivers benchmark with ruby-headBufferedIO#getbyte: optimistically read the next byteBufferedIO: Use a buffer with `Encoding.default_external`RESP3: parse sequence sizes with getbyteResp3#parse use a jump table rather than a hash lookup + sendRecord Ruby VS Hiredis benchmarksRelease 0.21.1Re-run benchmarksMerge pull request #183 from stanhu/sh-fix-unresolved-sentinel-configHandle unresolved Sentinel master/replica errorMerge pull request #181 from redis-rb/dependabot/bundler/minitest-5.22.3Bump minitest from 5.22.2 to 5.22.3Merge pull request #180 from ngan/retry-write-on-ssl-errorsRescue OpenSSL::SSL::SSLError for write and write_multiRelease 0.21.0Merge pull request #178 from stanhu/sh-improve-log-messagesImprove `Config#server_url`Improve error log message outputMerge pull request #179 from stanhu/sh-add-unit-test-multi-execAdd unit test/comment for multi/exec handlingMerge pull request #176 from stanhu/sh-shutdown-redis-sentinel-connectionClose Redis Sentinel connection after resolving roleMerge pull request #175 from redis-rb/dependabot/bundler/minitest-5.22.2Bump minitest from 5.22.0 to 5.22.2Release 0.20.0Merge pull request #174 from stanhu/sh-add-prelude-unit-testsAdd more unit tests for connection preludeMerge pull request #173 from stanhu/sh-freeze-preludeEnsure all elements of connection prelude are frozenMerge pull request #172 from redis-rb/dependabot/bundler/minitest-5.22.0Merge pull request #171 from redis-rb/dependabot/bundler/rake-compiler-1.2.7Bump minitest from 5.21.2 to 5.22.0Bump rake-compiler from 1.2.6 to 1.2.7Merge pull request #170 from tacerus/unixSupport `unix://` schemes and pure paths in `url:` configMerge pull request #169 from redis-rb/dependabot/bundler/rubocop-minitest-0.30.0Merge pull request #168 from redis-rb/dependabot/bundler/rake-compiler-1.2.6Bump rubocop-minitest from 0.27.0 to 0.30.0Bump rake-compiler from 1.2.5 to 1.2.6Merge pull request #163 from jgmontoya/feat/make-client-ractor-compatibleFix compatibility with RactorsMerge pull request #166 from redis-rb/dependabot/bundler/rubocop-1.50.2Bump rubocop from 1.28.2 to 1.50.2Merge pull request #167 from redis-rb/dependabot/bundler/rubocop-minitest-0.27.0Bump rubocop-minitest from 0.19.1 to 0.27.0Merge pull request #165 from redis-rb/dependabot/bundler/minitest-5.21.2Bump minitest from 5.21.1 to 5.21.2Merge pull request #164 from redis-rb/dependabot/github_actions/actions/cache-4Bump actions/cache from 3 to 4Drop support for Ruby 2.5Merge pull request #160 from redis-rb/dependabot/bundler/stackprof-0.2.26Update minitestBump stackprof from 0.2.25 to 0.2.26
👉 No CI detected
You don't seem to have any Continuous Integration service set up!
Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.
This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:
* [Circle CI](https://circleci.com), [Semaphore ](https://semaphoreci.com) and [Github Actions](https://docs.github.com/actions) are all excellent options. * If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github. * If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with `depfu/`.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
- @depfu rebase
- Rebases against your default branch and redoes this update
- @depfu recreate
- Recreates this PR, overwriting any edits that you've made to it
- @depfu merge
- Merges this PR once your tests are passing and conflicts are resolved
- @depfu cancel merge
- Cancels automatic merging of this PR
- @depfu close
- Closes this PR and deletes the branch
- @depfu reopen
- Restores the branch and reopens this PR (if it's closed)
- @depfu pause
- Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]
- Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume
- Future versions of this dependency will create PRs again (leaves this PR as is)
![depfu[bot] avatar](https://avatars.githubusercontent.com/in/715?v=4 "Published by a pub.dev verified publisher"){kind=small}