Validate days parameter to avoid possible DoS in Web UI

mperham · mperham · commit 7785ac1399f1 · 2022-01-20T10:42:26.000-08:00
Thank you to Sergey Shpakov of http://tutum.space for reporting.
diff --git a/lib/sidekiq/api.rb b/lib/sidekiq/api.rb
@@ -161,6 +161,8 @@ def lengths
 
     class History
       def initialize(days_previous, start_date = nil)
+        # we only store five years of data in Redis
+        raise ArgumentError if days_previous < 1 || days_previous > (5 * 365)
         @days_previous = days_previous
         @start_date = start_date || Time.now.utc.to_date
       end
diff --git a/lib/sidekiq/web/application.rb b/lib/sidekiq/web/application.rb
@@ -50,7 +50,10 @@ def self.set(key, val)
 
     get "/" do
       @redis_info = redis_info.select { |k, v| REDIS_KEYS.include? k }
-      stats_history = Sidekiq::Stats::History.new((params["days"] || 30).to_i)
+      days = (params["days"] || 30).to_i
+      return halt(401) if days < 1 || days > 180
+
+      stats_history = Sidekiq::Stats::History.new(days)
       @processed_history = stats_history.processed
       @failed_history = stats_history.failed
 
diff --git a/test/test_api.rb b/test/test_api.rb
@@ -156,6 +156,15 @@
         Time::DATE_FORMATS[:default] = @before
       end
 
+      describe "history" do
+        it "does not allow invalid input" do
+          assert_raises(ArgumentError) { Sidekiq::Stats::History.new(-1) }
+          assert_raises(ArgumentError) { Sidekiq::Stats::History.new(0) }
+          assert_raises(ArgumentError) { Sidekiq::Stats::History.new(2000) }
+          assert Sidekiq::Stats::History.new(200)
+        end
+      end
+
       describe "processed" do
         it 'retrieves hash of dates' do
           Sidekiq.redis do |c|
diff --git a/test/test_web.rb b/test/test_web.rb
@@ -748,8 +748,9 @@ def app
       basic_authorize 'a', 'b'
 
       get '/'
-
       assert_equal 200, last_response.status
+      get '/?days=1000000'
+      assert_equal 401, last_response.status
     end
   end
 
