pgbus 0.2.3 → 0.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 85f2e8748cf70bb74cb736b23e3e0288be5ca0b946b0eb80c08e1d28650e98c0
-  data.tar.gz: d1fd675bb9d9a5beb4607f8e0da684c606d096a835948abf60034bd601cdd7f2
+  metadata.gz: daac3606ba66624f54b5b6cf8db0830827c2ce0492b7d6d38ce347d1e0f3aeb2
+  data.tar.gz: ad7eb6ea7beae1e07a813cac5cac37980671f8106f2ac7444a127a81d6f7a2e3
 SHA512:
-  metadata.gz: 99b168d4276ef5149effdbf7d18955c542b9f8507a67d022381a61c7c36cacdf58ab414e166e528495e244313ef12d10e054119361bbf77ca2e6cc260f6d1982
-  data.tar.gz: 606324c33ddd072b24135c91314258fc2c162e54b6610ec813457cae2b4df3ba5c0391fc5dbd8a1ff6e13f14032968320b41b9a1d9450d0b5fbe2d66686f2c9e
+  metadata.gz: f7a513fd3e2f7aac5a3c0db040a3e7b6b11b6c4c0f619f6f0d37ebbf3e2cd6336737af20e4a7a00da19a1937d5be2b8e24d666483bf661005422c04bbac1805c
+  data.tar.gz: 255c0382fbc4f4b797577757ebe5bfa9611f350456292d78e41678d6ebe834c52a5588e2f902159b0c5467becb076f0b724b8dc782b21dfb0d423404dc31d178

data/CHANGELOG.md

@@ -1,5 +1,18 @@
 ## [Unreleased]
 
+### Breaking Changes
+
+- **Queue names must be alphanumeric and underscores only.** Queue names containing dashes (e.g., `my-app-queue`) will now raise `ArgumentError`. Rename to underscored form (e.g., `my_app_queue`) before upgrading. This restriction prevents SQL injection via PGMQ queue identifiers, which are interpolated into table names and cannot be parameterized.
+
+### Security
+
+- Add `bundler-audit` to CI for dependency vulnerability scanning
+- Add `QueueNameValidator` to enforce strict queue name validation (alphanumeric + underscores, 61 char max)
+- Add `config.allowed_global_id_models` to restrict which models can be deserialized from event payloads
+- Add security headers to dashboard (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
+- Warn when dashboard `web_auth` is unconfigured
+- Add `globalid` as an explicit runtime dependency (was used but only transitively available via activejob)
+
 ## [0.1.0] - 2026-03-30
 
 - Initial release

data/app/controllers/pgbus/application_controller.rb

@@ -6,6 +6,7 @@ module Pgbus
 
     protect_from_forgery with: :exception
     before_action :set_locale
+    after_action :set_security_headers
 
     layout "pgbus/application"
 
@@ -21,6 +22,14 @@ module Pgbus
 
     private
 
+    def set_security_headers
+      response.headers["X-Frame-Options"] = "SAMEORIGIN"
+      response.headers["X-Content-Type-Options"] = "nosniff"
+      response.headers["X-XSS-Protection"] = "0"
+      response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+      response.headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
+    end
+
     def set_locale
       I18n.locale = extract_locale || I18n.default_locale
     end

data/lib/active_job/queue_adapters/pgbus_adapter.rb

@@ -19,6 +19,13 @@ module ActiveJob
         true
       end
 
+      # Called by ActiveJob::Continuation (Rails 8.1+) at each checkpoint.
+      # When true, continuable jobs save their cursor and re-enqueue
+      # themselves so the worker can shut down gracefully.
+      def stopping?
+        Pgbus.stopping
+      end
+
       private
 
       def adapter

data/lib/pgbus/active_job/executor.rb

@@ -80,7 +80,7 @@ module Pgbus
       private
 
       def execute_job(job)
-        if defined?(Rails) && Rails.application
+        if defined?(Rails) && Rails.respond_to?(:application) && Rails.application
           Rails.application.executor.wrap { job.perform_now }
         else
           job.perform_now

data/lib/pgbus/client.rb

@@ -216,7 +216,7 @@ module Pgbus
 
     def purge_archive(queue_name, older_than:, batch_size: 1000)
       full_name = config.queue_name(queue_name)
-      sanitized = full_name.gsub(/[^a-zA-Z0-9_]/, "")
+      sanitized = QueueNameValidator.sanitize!(full_name)
       total = 0
 
       sql = "DELETE FROM pgmq.a_#{sanitized} " \

data/lib/pgbus/config_loader.rb

@@ -8,7 +8,7 @@ module Pgbus
     module_function
 
     def load(path, env: nil)
-      env ||= defined?(Rails) ? Rails.env : ENV.fetch("PGBUS_ENV", "development")
+      env ||= (defined?(Rails) && Rails.respond_to?(:env) && Rails.env) || ENV.fetch("PGBUS_ENV", "development")
       raw = File.read(path)
       parsed = YAML.safe_load(ERB.new(raw).result, permitted_classes: [Symbol], aliases: true)
       config_hash = parsed.fetch(env, parsed)

data/lib/pgbus/configuration.rb

@@ -36,7 +36,7 @@ module Pgbus
     attr_accessor :outbox_enabled, :outbox_poll_interval, :outbox_batch_size, :outbox_retention
 
     # Event bus
-    attr_accessor :idempotency_ttl
+    attr_accessor :idempotency_ttl, :allowed_global_id_models
 
     # Logging
     attr_accessor :logger
@@ -108,8 +108,9 @@ module Pgbus
       @outbox_retention = 24 * 3600 # 1 day
 
       @idempotency_ttl = 7 * 24 * 3600 # 7 days
+      @allowed_global_id_models = nil # nil = allow all (for backwards compat)
 
-      @logger = defined?(Rails) ? Rails.logger : Logger.new($stdout)
+      @logger = (defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger) || Logger.new($stdout)
 
       @listen_notify = true
       @notify_throttle_ms = 250
@@ -138,7 +139,9 @@ module Pgbus
     end
 
     def queue_name(name)
-      "#{queue_prefix}_#{name}"
+      full = "#{queue_prefix}_#{name}"
+      QueueNameValidator.validate!(full)
+      full
     end
 
     def dead_letter_queue_name(name)

data/lib/pgbus/event_bus/handler.rb

@@ -36,7 +36,7 @@ module Pgbus
 
       def build_event(raw)
         payload = raw["payload"]
-        payload = GlobalID::Locator.locate(payload["_global_id"]) if payload.is_a?(Hash) && payload["_global_id"]
+        payload = Serializer.locate_global_id(payload["_global_id"]) if payload.is_a?(Hash) && payload["_global_id"]
 
         Event.new(
           event_id: raw["event_id"],

data/lib/pgbus/process/supervisor.rb

@@ -143,7 +143,7 @@ module Pgbus
         return true if config.recurring_tasks_file && File.exist?(config.recurring_tasks_file.to_s)
 
         # Check default location
-        if defined?(Rails)
+        if defined?(Rails) && Rails.respond_to?(:root) && Rails.root
           default_path = Rails.root.join("config", "recurring.yml")
           return File.exist?(default_path.to_s)
         end
@@ -155,7 +155,7 @@ module Pgbus
         return if config.recurring_tasks&.any?
 
         path = config.recurring_tasks_file
-        path ||= defined?(Rails) ? Rails.root.join("config", "recurring.yml") : nil
+        path ||= defined?(Rails) && Rails.respond_to?(:root) && Rails.root ? Rails.root.join("config", "recurring.yml") : nil
         return unless path && File.exist?(path.to_s)
 
         config.recurring_tasks = Recurring::ConfigLoader.load(path)
@@ -289,7 +289,7 @@ module Pgbus
       end
 
       def load_rails_app
-        return unless defined?(Rails)
+        return unless defined?(Rails) && Rails.respond_to?(:application) && Rails.application
 
         Rails.application.eager_load! if Rails.application.respond_to?(:eager_load!)
       end

data/lib/pgbus/process/worker.rb

@@ -66,12 +66,14 @@ module Pgbus
 
       def graceful_shutdown
         Pgbus.logger.info { "[Pgbus] Worker shutting down gracefully..." }
+        Pgbus.stopping = true
         @lifecycle.transition_to(:draining)
         @wake_signal.notify!
       end
 
       def immediate_shutdown
         Pgbus.logger.warn { "[Pgbus] Worker shutting down immediately!" }
+        Pgbus.stopping = true
         @lifecycle.transition_to!(:stopped)
         @wake_signal.notify!
         @pool.kill
@@ -210,6 +212,7 @@ module Pgbus
       def check_recycle
         return unless @lifecycle.running? && recycle_needed?
 
+        Pgbus.stopping = true
         @lifecycle.transition_to(:draining)
         @wake_signal.notify!
       end

data/lib/pgbus/queue_name_validator.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Pgbus
+  # Validates and sanitizes PGMQ queue names for safe use in SQL identifiers.
+  #
+  # PGMQ queue names are interpolated into SQL as table/sequence names
+  # (e.g., pgmq.q_<name>, pgmq.a_<name>). This module enforces strict
+  # validation to prevent SQL injection via crafted queue names.
+  module QueueNameValidator
+    # PostgreSQL identifier limit is 63 bytes (NAMEDATALEN - 1).
+    # PGMQ prefixes with "q_" or "a_" (2 chars), so limit the name itself.
+    MAX_QUEUE_NAME_LENGTH = 61
+
+    # Only alphanumeric characters and underscores are allowed.
+    VALID_QUEUE_NAME_PATTERN = /\A[a-zA-Z0-9_]+\z/
+
+    module_function
+
+    # Validates a queue name for safe SQL identifier use.
+    # Returns the name if valid, raises ArgumentError if not.
+    def validate!(name)
+      name = name.to_s
+      raise ArgumentError, "Queue name cannot be blank" if name.empty?
+      if name.length > MAX_QUEUE_NAME_LENGTH
+        raise ArgumentError,
+              "Queue name too long (#{name.length} chars, max #{MAX_QUEUE_NAME_LENGTH}): #{name.inspect}"
+      end
+
+      unless VALID_QUEUE_NAME_PATTERN.match?(name)
+        raise ArgumentError,
+              "Invalid queue name: #{name.inspect}. Only alphanumeric characters and underscores are allowed."
+      end
+
+      name
+    end
+
+    # Sanitizes a queue name by removing invalid characters, then validates.
+    # Use this for names from untrusted sources (e.g., URL params).
+    def sanitize!(name)
+      sanitized = name.to_s.gsub(/[^a-zA-Z0-9_]/, "")
+      validate!(sanitized)
+      sanitized
+    end
+  end
+end

data/lib/pgbus/recurring/config_loader.rb

@@ -24,7 +24,7 @@ module Pgbus
       end
 
       def detect_env
-        if defined?(Rails)
+        if defined?(Rails) && Rails.respond_to?(:env) && Rails.env
           Rails.env.to_s
         else
           ENV.fetch("PGBUS_ENV", "development")

data/lib/pgbus/serializer.rb

@@ -41,7 +41,7 @@ module Pgbus
       data = JSON.parse(json_string)
       payload = data["payload"]
 
-      data["payload"] = GlobalID::Locator.locate(payload["_global_id"]) if payload.is_a?(Hash) && payload["_global_id"]
+      data["payload"] = locate_global_id(payload["_global_id"]) if payload.is_a?(Hash) && payload["_global_id"]
 
       Event.new(
         event_id: data["event_id"],
@@ -49,5 +49,32 @@ module Pgbus
         published_at: Time.parse(data["published_at"])
       )
     end
+
+    # Locate a GlobalID with optional type restriction.
+    # When allowed_global_id_models is configured, only those model classes
+    # can be resolved — prevents loading arbitrary objects from crafted payloads.
+    def locate_global_id(gid_string)
+      gid = GlobalID.parse(gid_string)
+      raise ArgumentError, "Invalid GlobalID: #{gid_string.inspect}" unless gid
+
+      allowed = Pgbus.configuration.allowed_global_id_models
+      if allowed&.empty?
+        raise ArgumentError,
+              "GlobalID deserialization is disabled (allowed_global_id_models is empty). " \
+              "Set to nil to allow all models, or add permitted classes."
+      end
+      if allowed&.any? { |entry| !entry.is_a?(Class) && !entry.is_a?(Module) }
+        raise ArgumentError,
+              "allowed_global_id_models must contain Class/Module objects, " \
+              "got: #{allowed.map(&:class).uniq.join(", ")}"
+      end
+      if allowed&.none? { |klass| gid.model_class <= klass }
+        raise ArgumentError,
+              "GlobalID model #{gid.model_class} is not in allowed_global_id_models. " \
+              "Add it to Pgbus.configuration.allowed_global_id_models to permit deserialization."
+      end
+
+      GlobalID::Locator.locate(gid)
+    end
   end
 end

data/lib/pgbus/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Pgbus
-  VERSION = "0.2.3"
+  VERSION = "0.2.4"
 end

data/lib/pgbus/web/authentication.rb

@@ -9,16 +9,35 @@ module Pgbus
         before_action :authenticate_pgbus!
       end
 
+      class << self
+        attr_accessor :auth_warned
+      end
+
       private
 
       def authenticate_pgbus!
         auth_block = Pgbus.configuration.web_auth
-        return if auth_block.nil?
+
+        if auth_block.nil?
+          warn_unauthenticated_dashboard
+          return
+        end
 
         return if auth_block.respond_to?(:call) && auth_block.call(request)
 
         head :unauthorized
       end
+
+      def warn_unauthenticated_dashboard
+        return if Pgbus::Web::Authentication.auth_warned
+
+        Pgbus.logger.warn do
+          "[Pgbus] Dashboard is accessible without authentication. " \
+            "Configure Pgbus.configuration.web_auth to restrict access. " \
+            "See: https://github.com/mhenrixon/pgbus#dashboard-authentication"
+        end
+        Pgbus::Web::Authentication.auth_warned = true
+      end
     end
   end
 end

data/lib/pgbus/web/data_source.rb

@@ -662,10 +662,7 @@ module Pgbus
       end
 
       def sanitize_name(name)
-        sanitized = name.gsub(/[^a-zA-Z0-9_]/, "")
-        raise ArgumentError, "Invalid queue name: #{name.inspect}" if sanitized.empty?
-
-        sanitized
+        QueueNameValidator.sanitize!(name)
       end
 
       def compute_throughput(queues)

data/lib/pgbus.rb

@@ -13,6 +13,14 @@ module Pgbus
   class SchemaNotReady < Error; end
 
   class << self
+    # Process-global flag set by Worker#graceful_shutdown so the adapter
+    # can report stopping? to ActiveJob::Continuation (Rails 8.1+).
+    attr_writer :stopping
+
+    def stopping
+      @stopping || false
+    end
+
     def loader
       @loader ||= begin
         loader = Zeitwerk::Loader.for_gem

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pgbus
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.2.4
 platform: ruby
 authors:
 - Mikael Henriksson
@@ -43,6 +43,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.11.1
+- !ruby/object:Gem::Dependency
+  name: globalid
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: pgmq-ruby
   requirement: !ruby/object:Gem::Requirement
@@ -228,6 +242,7 @@ files:
 - lib/pgbus/process/wake_signal.rb
 - lib/pgbus/process/worker.rb
 - lib/pgbus/queue_factory.rb
+- lib/pgbus/queue_name_validator.rb
 - lib/pgbus/rate_counter.rb
 - lib/pgbus/recurring/already_recorded.rb
 - lib/pgbus/recurring/command_job.rb