diff options
author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2018-09-05 17:38:09 -0400 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2018-11-27 15:28:41 -0500 |
commit | 72300f9742745f9535b06d45a9632e948ed7d79b (patch) | |
tree | 7d1f203574ac445f8532e68f9b75886f2d282b61 /activejob/test/cases | |
parent | ddaca7ccec208ee80652e696e001671fd6e735f9 (diff) | |
download | rails-72300f9742745f9535b06d45a9632e948ed7d79b.tar.gz rails-72300f9742745f9535b06d45a9632e948ed7d79b.tar.bz2 rails-72300f9742745f9535b06d45a9632e948ed7d79b.zip |
Do not deserialize GlobalID objects that were not generated by Active Job
Trusting any GlobaID object when deserializing jobs can allow
attackers to access information that should not be accessible to them.
Fix CVE-2018-16476.
Diffstat (limited to 'activejob/test/cases')
-rw-r--r-- | activejob/test/cases/argument_serialization_test.rb | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb index e4e14016d9..da198abc0b 100644 --- a/activejob/test/cases/argument_serialization_test.rb +++ b/activejob/test/cases/argument_serialization_test.rb @@ -41,6 +41,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase assert_arguments_roundtrip [@person] end + test "should keep Global IDs strings as they are" do + assert_arguments_roundtrip [@person.to_gid.to_s] + end + test "should dive deep into arrays and hashes" do assert_arguments_roundtrip [3, [@person]] assert_arguments_roundtrip [{ "a" => @person }] |