path: root/activejob/test/cases
author: Rafael Mendonça França <rafaelmfranca@gmail.com> 2018-09-05 17:38:09 -0400
committer: Rafael Mendonça França <rafaelmfranca@gmail.com> 2018-11-27 15:28:41 -0500
commit: 72300f9742745f9535b06d45a9632e948ed7d79b (patch)
tree: 7d1f203574ac445f8532e68f9b75886f2d282b61 /activejob/test/cases
parent: ddaca7ccec208ee80652e696e001671fd6e735f9 (diff)
Do not deserialize GlobalID objects that were not generated by Active Job
Trusting any GlobalID object when deserializing jobs can allow attackers to access information that should not be accessible to them. Fix CVE-2018-16476.
Diffstat (limited to 'activejob/test/cases')
-rw-r--r-- activejob/test/cases/argument_serialization_test.rb | 4
1 file changed, 4 insertions, 0 deletions
diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
index e4e14016d9..da198abc0b 100644
--- a/activejob/test/cases/argument_serialization_test.rb
+++ b/activejob/test/cases/argument_serialization_test.rb
@@ -41,6 +41,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
assert_arguments_roundtrip [@person]
end
+ test "should keep Global IDs strings as they are" do
+ assert_arguments_roundtrip [@person.to_gid.to_s]
+ end
+
test "should dive deep into arrays and hashes" do
assert_arguments_roundtrip [3, [@person]]
assert_arguments_roundtrip [{ "a" => @person }]
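Review bot: the new test only covers a Global ID string at the top level of the arguments array; since the neighbouring "should dive deep into arrays and hashes" test shows that nested values are also serialized, consider adding a nested case too (e.g. `assert_arguments_roundtrip [[@person.to_gid.to_s]]` and `assert_arguments_roundtrip [{ "a" => @person.to_gid.to_s }]`) so the regression is guarded at every level where a caller could place the string. Minor: the test name reads better as "should keep Global ID strings as they are".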