sidekiq-unique-jobs 8.0.9 → 8.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: de442ce815fcfc00992295bd4160cfcf122815282e652cccca8c73ce1e62b351
-  data.tar.gz: f01d32c217f81f41abf34666c43acdddcb8148e6f7ca0df8146d408f9ed14f8e
+  metadata.gz: 8cd95f03398a1663b2afbba47f61736cfd3a0ab91fcc0d5b90d353d4f283db07
+  data.tar.gz: ced0a60e5fad52b5f2a66dcc29b10a221c6d39f4c4089d812327922d3b6b4e8b
 SHA512:
-  metadata.gz: aec1ab15a3a3c1959bc137aaad674fa9e0854ca354b2226c352901f4d7d7c9cc6c8ef8d805b3b1ad680672eebca52a332de916a5e10d5f4d8b7b439bb677c7c0
-  data.tar.gz: 9af5d9ce6dda38757fb33aa33d86c337cd40751fc55bad37ad5c3f98cb04225209953843b7ec137e9295b8da2c2a40a640c7735f1d623c17851621b577b7a03e
+  metadata.gz: d72a8b181407ccc09e4f11c9d8f0860df65f80373c2064ec0f7d743d2bde4273cde1e117f2983b8f71b3a2c9f17c8b9ab8808395991030617bb6b380073457be
+  data.tar.gz: 2908759b402bff47b1ace5c9ab666a10779085c89b90c6261b4c935fde97cbf0f8291c8bf2df48e0b46c302eaa66f169785fdf0503ad97fcf0d43a0e0fd1b47d

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [v8.0.9](https://github.com/mhenrixon/sidekiq-unique-jobs/tree/v8.0.9) (2024-02-12)
+
+[Full Changelog](https://github.com/mhenrixon/sidekiq-unique-jobs/compare/v8.0.8...v8.0.9)
+
+**Fixed bugs:**
+
+- note: The RCE vulnerability was a false alarm, `sidekiq-unique-jobs` was not vulnerable to RCE. You can find additional information in the PR linked below.
+- fix\(rce\): prevent remot code execution [\#833](https://github.com/mhenrixon/sidekiq-unique-jobs/pull/833) ([mhenrixon](https://github.com/mhenrixon))
+
 ## [v8.0.8](https://github.com/mhenrixon/sidekiq-unique-jobs/tree/v8.0.8) (2024-02-12)
 
 [Full Changelog](https://github.com/mhenrixon/sidekiq-unique-jobs/compare/v8.0.7...v8.0.8)

data/lib/sidekiq_unique_jobs/locksmith.rb

@@ -82,7 +82,7 @@ module SidekiqUniqueJobs
     # Deletes the lock regardless of if it has a pttl set
     #
     def delete!
-      call_script(:delete, key.to_a, [job_id, config.pttl, config.type, config.limit]).to_i.positive?
+      call_script(:delete, key.to_a, argv).to_i.positive?
     end
 
     #
@@ -362,7 +362,11 @@ module SidekiqUniqueJobs
     end
 
     def argv
-      [job_id, config.pttl, config.type, config.limit]
+      [job_id, config.pttl, config.type, config.limit, lock_score]
+    end
+
+    def lock_score
+      item[AT].to_s
     end
 
     def lock_info
@@ -375,6 +379,7 @@ module SidekiqUniqueJobs
         TYPE => config.type,
         LOCK_ARGS => item[LOCK_ARGS],
         TIME => now_f,
+        AT => item[AT],
       )
     end
 

data/lib/sidekiq_unique_jobs/lua/delete.lua

@@ -13,14 +13,15 @@ local job_id       = ARGV[1]
 local pttl         = tonumber(ARGV[2])
 local lock_type    = ARGV[3]
 local limit        = tonumber(ARGV[4])
+local lock_score   = ARGV[5]
 -------- END lock arguments -----------
 
 --------  BEGIN injected arguments --------
-local current_time = tonumber(ARGV[5])
-local debug_lua    = tostring(ARGV[6]) == "1"
-local max_history  = tonumber(ARGV[7])
-local script_name  = tostring(ARGV[8]) .. ".lua"
-local redisversion = tostring(ARGV[9])
+local current_time = tonumber(ARGV[6])
+local debug_lua    = tostring(ARGV[7]) == "1"
+local max_history  = tonumber(ARGV[8])
+local script_name  = tostring(ARGV[9]) .. ".lua"
+local redisversion = tostring(ARGV[10])
 ---------  END injected arguments ---------
 
 --------  BEGIN local functions --------

data/lib/sidekiq_unique_jobs/lua/lock.lua

@@ -15,15 +15,16 @@ local job_id       = ARGV[1]
 local pttl         = tonumber(ARGV[2])
 local lock_type    = ARGV[3]
 local limit        = tonumber(ARGV[4])
+local lock_score   = ARGV[5]
 -------- END lock arguments -----------
 
 
 --------  BEGIN injected arguments --------
-local current_time = tonumber(ARGV[5])
-local debug_lua    = tostring(ARGV[6]) == "1"
-local max_history  = tonumber(ARGV[7])
-local script_name  = tostring(ARGV[8]) .. ".lua"
-local redisversion = ARGV[9]
+local current_time = tonumber(ARGV[6])
+local debug_lua    = tostring(ARGV[7]) == "1"
+local max_history  = tonumber(ARGV[8])
+local script_name  = tostring(ARGV[9]) .. ".lua"
+local redisversion = ARGV[10]
 ---------  END injected arguments ---------
 
 
@@ -62,8 +63,16 @@ if lock_type == "until_expired" and pttl and pttl > 0 then
   log_debug("ZADD", expiring_digests, current_time + pttl, digest)
   redis.call("ZADD", expiring_digests, current_time + pttl, digest)
 else
-  log_debug("ZADD", digests, current_time, digest)
-  redis.call("ZADD", digests, current_time, digest)
+  local score
+
+  if #lock_score == 0 then
+    score = current_time
+  else
+    score = lock_score
+  end
+
+  log_debug("ZADD", digests, score, digest)
+  redis.call("ZADD", digests, score, digest)
 end
 
 log_debug("HSET", locked, job_id, current_time)

data/lib/sidekiq_unique_jobs/lua/queue.lua

@@ -10,18 +10,19 @@ local digests   = KEYS[7]
 
 
 -------- BEGIN lock arguments ---------
-local job_id    = ARGV[1]      -- The job_id that was previously primed
-local pttl      = tonumber(ARGV[2])
-local lock_type = ARGV[3]
-local limit     = tonumber(ARGV[4])
+local job_id     = ARGV[1]      -- The job_id that was previously primed
+local pttl       = tonumber(ARGV[2])
+local lock_type  = ARGV[3]
+local limit      = tonumber(ARGV[4])
+local lock_score = ARGV[5]
 -------- END lock arguments -----------
 
 
 --------  BEGIN injected arguments --------
-local current_time = tonumber(ARGV[5])
-local debug_lua    = tostring(ARGV[6]) == "1"
-local max_history  = tonumber(ARGV[7])
-local script_name  = tostring(ARGV[8]) .. ".lua"
+local current_time = tonumber(ARGV[6])
+local debug_lua    = tostring(ARGV[7]) == "1"
+local max_history  = tonumber(ARGV[8])
+local script_name  = tostring(ARGV[9]) .. ".lua"
 ---------  END injected arguments ---------
 
 

data/lib/sidekiq_unique_jobs/lua/shared/_delete_from_queue.lua

@@ -1,22 +1,22 @@
 local function delete_from_queue(queue, digest)
-  local per    = 50
-  local total  = redis.call("LLEN", queue)
-  local index  = 0
-  local result = nil
+  local total = redis.call("LLEN", queue)
+  local per   = 50
+
+  for index = 0, total, per do
+    local items = redis.call("LRANGE", queue, index, index + per - 1)
 
-  while (index < total) do
-    local items = redis.call("LRANGE", queue, index, index + per -1)
     if #items == 0 then
       break
     end
+
     for _, item in pairs(items) do
       if string.find(item, digest) then
         redis.call("LREM", queue, 1, item)
-        result = item
-        break
+
+        return item
       end
     end
-    index = index + per
   end
-  return result
+
+  return nil
 end

data/lib/sidekiq_unique_jobs/lua/shared/_delete_from_sorted_set.lua

@@ -1,19 +1,29 @@
 local function delete_from_sorted_set(name, digest)
-  local per   = 50
-  local total = redis.call("zcard", name)
-  local index = 0
-  local result
+  local score  = redis.call("ZSCORE", "uniquejobs:digests", digest)
+  local total  = redis.call("ZCARD", name)
+  local per    = 50
+
+  for offset = 0, total, per do
+    local items
+
+    if score then
+      items = redis.call("ZRANGE", name, score, "+inf", "BYSCORE", "LIMIT", offset, per)
+    else
+      items = redis.call("ZRANGE", name, offset, offset + per -1)
+    end
+
+    if #items == 0 then
+      break
+    end
 
-  while (index < total) do
-    local items = redis.call("ZRANGE", name, index, index + per -1)
     for _, item in pairs(items) do
       if string.find(item, digest) then
         redis.call("ZREM", name, item)
-        result = item
-        break
+
+        return item
       end
     end
-    index = index + per
   end
-  return result
+
+  return nil
 end

data/lib/sidekiq_unique_jobs/lua/unlock.lua

@@ -10,19 +10,20 @@ local digests   = KEYS[7]
 
 
 -------- BEGIN lock arguments ---------
-local job_id    = ARGV[1]
-local pttl      = tonumber(ARGV[2])
-local lock_type = ARGV[3]
-local limit     = tonumber(ARGV[4])
+local job_id     = ARGV[1]
+local pttl       = tonumber(ARGV[2])
+local lock_type  = ARGV[3]
+local limit      = tonumber(ARGV[4])
+local lock_score = ARGV[5]
 -------- END lock arguments -----------
 
 
 --------  BEGIN injected arguments --------
-local current_time = tonumber(ARGV[5])
-local debug_lua    = tostring(ARGV[6]) == "1"
-local max_history  = tonumber(ARGV[7])
-local script_name  = tostring(ARGV[8]) .. ".lua"
-local redisversion = ARGV[9]
+local current_time = tonumber(ARGV[6])
+local debug_lua    = tostring(ARGV[7]) == "1"
+local max_history  = tonumber(ARGV[8])
+local script_name  = tostring(ARGV[9]) .. ".lua"
+local redisversion = ARGV[10]
 ---------  END injected arguments ---------
 
 

data/lib/sidekiq_unique_jobs/version.rb

@@ -3,5 +3,5 @@
 module SidekiqUniqueJobs
   #
   # @return [String] the current SidekiqUniqueJobs version
-  VERSION = "8.0.9"
+  VERSION = "8.0.10"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sidekiq-unique-jobs
 version: !ruby/object:Gem::Version
-  version: 8.0.9
+  version: 8.0.10
 platform: ruby
 authors:
 - Mikael Henriksson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-12 00:00:00.000000000 Z
+date: 2024-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby