authorRafael Mendonça França <rafaelmfranca@gmail.com>2018-09-05 17:38:09 -0400
committerRafael Mendonça França <rafaelmfranca@gmail.com>2018-11-27 15:28:41 -0500
commit72300f9742745f9535b06d45a9632e948ed7d79b (patch)
tree7d1f203574ac445f8532e68f9b75886f2d282b61
parentddaca7ccec208ee80652e696e001671fd6e735f9 (diff)
Do not deserialize GlobalID objects that were not generated by Active Job
Trusting any GlobalID object when deserializing jobs can allow attackers to access information that should not be accessible to them. Fixes CVE-2018-16476.
-rw-r--r--activejob/lib/active_job/arguments.rb2
-rw-r--r--activejob/test/cases/argument_serialization_test.rb4
2 files changed, 5 insertions, 1 deletions
diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
index fa58c50ed0..92eb58aaaf 100644
--- a/activejob/lib/active_job/arguments.rb
+++ b/activejob/lib/active_job/arguments.rb
@@ -91,7 +91,7 @@ module ActiveJob
def deserialize_argument(argument)
case argument
when String
- GlobalID::Locator.locate(argument) || argument
+ argument
when *PERMITTED_TYPES
argument
when Array
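Review bot: The rewritten `when String` branch now simply returns `argument` with no comment saying why the locator call was removed, so a future reader may reintroduce `GlobalID::Locator.locate` as a convenience and silently reopen the issue this commit closes. Add a why-comment above the branch, e.g. `# Never resolve a bare String as a GlobalID: locating arbitrary strings lets a crafted job payload load any record (CVE-2018-16476). Strings are passed through untouched.` Since `when String` and `when *PERMITTED_TYPES` now have identical bodies, they could be folded into one `when String, *PERMITTED_TYPES` branch, though keeping the separate branch with the comment makes the intent more visible. Presumably the explicitly serialized GlobalID form is still handled further down in this method; that part of deserialize_argument lies outside the hunk, so confirm the trusted path is the only one that calls the locator.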
diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
index e4e14016d9..da198abc0b 100644
--- a/activejob/test/cases/argument_serialization_test.rb
+++ b/activejob/test/cases/argument_serialization_test.rb
@@ -41,6 +41,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
assert_arguments_roundtrip [@person]
end
+ test "should keep Global IDs strings as they are" do
+ assert_arguments_roundtrip [@person.to_gid.to_s]
+ end
+
test "should dive deep into arrays and hashes" do
assert_arguments_roundtrip [3, [@person]]
assert_arguments_roundtrip [{ "a" => @person }]