sidekiq 5.2.9 → 6.2.1

data/lib/sidekiq/web/csrf_protection.rb

@@ -0,0 +1,180 @@
+# frozen_string_literal: true
+
+# this file originally based on authenticity_token.rb from the sinatra/rack-protection project
+#
+# The MIT License (MIT)
+#
+# Copyright (c) 2011-2017 Konstantin Haase
+# Copyright (c) 2015-2017 Zachary Scott
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# 'Software'), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+require "securerandom"
+require "base64"
+require "rack/request"
+
+module Sidekiq
+  class Web
+    class CsrfProtection
+      def initialize(app, options = nil)
+        @app = app
+      end
+
+      def call(env)
+        accept?(env) ? admit(env) : deny(env)
+      end
+
+      private
+
+      def admit(env)
+        # On each successful request, we create a fresh masked token
+        # which will be used in any forms rendered for this request.
+        s = session(env)
+        s[:csrf] ||= SecureRandom.base64(TOKEN_LENGTH)
+        env[:csrf_token] = mask_token(s[:csrf])
+        @app.call(env)
+      end
+
+      def safe?(env)
+        %w[GET HEAD OPTIONS TRACE].include? env["REQUEST_METHOD"]
+      end
+
+      def logger(env)
+        @logger ||= (env["rack.logger"] || ::Logger.new(env["rack.errors"]))
+      end
+
+      def deny(env)
+        logger(env).warn "attack prevented by #{self.class}"
+        [403, {"Content-Type" => "text/plain"}, ["Forbidden"]]
+      end
+
+      def session(env)
+        env["rack.session"] || fail(<<~EOM)
+          Sidekiq::Web needs a valid Rack session for CSRF protection. If this is a Rails app,
+          make sure you mount Sidekiq::Web *inside* your application routes:
+
+
+          Rails.application.routes.draw do
+            mount Sidekiq::Web => "/sidekiq"
+            ....
+          end
+
+
+          If this is a Rails app in API mode, you need to enable sessions.
+
+            https://guides.rubyonrails.org/api_app.html#using-session-middlewares
+
+          If this is a bare Rack app, use a session middleware before Sidekiq::Web:
+
+            # first, use IRB to create a shared secret key for sessions and commit it
+            require 'securerandom'; File.open(".session.key", "w") {|f| f.write(SecureRandom.hex(32)) }
+
+            # now use the secret with a session cookie middleware
+            use Rack::Session::Cookie, secret: File.read(".session.key"), same_site: true, max_age: 86400
+            run Sidekiq::Web
+
+        EOM
+      end
+
+      def accept?(env)
+        return true if safe?(env)
+
+        giventoken = ::Rack::Request.new(env).params["authenticity_token"]
+        valid_token?(env, giventoken)
+      end
+
+      TOKEN_LENGTH = 32
+
+      # Checks that the token given to us as a parameter matches
+      # the token stored in the session.
+      def valid_token?(env, giventoken)
+        return false if giventoken.nil? || giventoken.empty?
+
+        begin
+          token = decode_token(giventoken)
+        rescue ArgumentError # client input is invalid
+          return false
+        end
+
+        sess = session(env)
+        localtoken = sess[:csrf]
+
+        # Checks that Rack::Session::Cookie actualy contains the csrf toekn
+        return false if localtoken.nil?
+
+        # Rotate the session token after every use
+        sess[:csrf] = SecureRandom.base64(TOKEN_LENGTH)
+
+        # See if it's actually a masked token or not. We should be able
+        # to handle any unmasked tokens that we've issued without error.
+
+        if unmasked_token?(token)
+          compare_with_real_token token, localtoken
+        elsif masked_token?(token)
+          unmasked = unmask_token(token)
+          compare_with_real_token unmasked, localtoken
+        else
+          false # Token is malformed
+        end
+      end
+
+      # Creates a masked version of the authenticity token that varies
+      # on each request. The masking is used to mitigate SSL attacks
+      # like BREACH.
+      def mask_token(token)
+        token = decode_token(token)
+        one_time_pad = SecureRandom.random_bytes(token.length)
+        encrypted_token = xor_byte_strings(one_time_pad, token)
+        masked_token = one_time_pad + encrypted_token
+        Base64.strict_encode64(masked_token)
+      end
+
+      # Essentially the inverse of +mask_token+.
+      def unmask_token(masked_token)
+        # Split the token into the one-time pad and the encrypted
+        # value and decrypt it
+        token_length = masked_token.length / 2
+        one_time_pad = masked_token[0...token_length]
+        encrypted_token = masked_token[token_length..-1]
+        xor_byte_strings(one_time_pad, encrypted_token)
+      end
+
+      def unmasked_token?(token)
+        token.length == TOKEN_LENGTH
+      end
+
+      def masked_token?(token)
+        token.length == TOKEN_LENGTH * 2
+      end
+
+      def compare_with_real_token(token, local)
+        ::Rack::Utils.secure_compare(token.to_s, decode_token(local).to_s)
+      end
+
+      def decode_token(token)
+        Base64.strict_decode64(token)
+      end
+
+      def xor_byte_strings(s1, s2)
+        s1.bytes.zip(s2.bytes).map { |(c1, c2)| c1 ^ c2 }.pack("c*")
+      end
+    end
+  end
+end

data/lib/sidekiq/web/helpers.rb

@@ -1,15 +1,16 @@
 # frozen_string_literal: true
-require 'uri'
-require 'set'
-require 'yaml'
-require 'cgi'
+
+require "uri"
+require "set"
+require "yaml"
+require "cgi"
 
 module Sidekiq
   # This is not a public API
   module WebHelpers
     def strings(lang)
-      @@strings ||= {}
-      @@strings[lang] ||= begin
+      @strings ||= {}
+      @strings[lang] ||= begin
         # Allow sidekiq-web extensions to add locale paths
         # so extensions can be localized
         settings.locales.each_with_object({}) do |path, global|
@@ -21,20 +22,28 @@ module Sidekiq
       end
     end
 
+    def singularize(str, count)
+      if count == 1 && str.respond_to?(:singularize) # rails
+        str.singularize
+      else
+        str
+      end
+    end
+
     def clear_caches
-      @@strings = nil
-      @@locale_files = nil
-      @@available_locales = nil
+      @strings = nil
+      @locale_files = nil
+      @available_locales = nil
     end
 
     def locale_files
-      @@locale_files ||= settings.locales.flat_map do |path|
+      @locale_files ||= settings.locales.flat_map { |path|
         Dir["#{path}/*.yml"]
-      end
+      }
     end
 
     def available_locales
-      @@available_locales ||= locale_files.map { |path| File.basename(path, '.yml') }.uniq
+      @available_locales ||= locale_files.map { |path| File.basename(path, ".yml") }.uniq
     end
 
     def find_locale_files(lang)
@@ -63,32 +72,35 @@ module Sidekiq
     end
 
     def poll_path
-      if current_path != '' && params['poll']
-        root_path + current_path
+      if current_path != "" && params["poll"]
+        path = root_path + current_path
+        query_string = to_query_string(params.slice(*params.keys - %w[page poll]))
+        path += "?#{query_string}" unless query_string.empty?
+        path
       else
         ""
       end
     end
 
     def text_direction
-      get_locale['TextDirection'] || 'ltr'
+      get_locale["TextDirection"] || "ltr"
     end
 
     def rtl?
-      text_direction == 'rtl'
+      text_direction == "rtl"
     end
 
     # See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.4
     def user_preferred_languages
-      languages = env['HTTP_ACCEPT_LANGUAGE']
-      languages.to_s.downcase.gsub(/\s+/, '').split(',').map do |language|
-        locale, quality = language.split(';q=', 2)
-        locale  = nil if locale == '*' # Ignore wildcards
+      languages = env["HTTP_ACCEPT_LANGUAGE"]
+      languages.to_s.downcase.gsub(/\s+/, "").split(",").map { |language|
+        locale, quality = language.split(";q=", 2)
+        locale = nil if locale == "*" # Ignore wildcards
         quality = quality ? quality.to_f : 1.0
         [locale, quality]
-      end.sort do |(_, left), (_, right)|
+      }.sort { |(_, left), (_, right)|
         right <=> left
-      end.map(&:first).compact
+      }.map(&:first).compact
     end
 
     # Given an Accept-Language header like "fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4,ru;q=0.2"
@@ -97,31 +109,38 @@ module Sidekiq
     # Inspiration taken from https://github.com/iain/http_accept_language/blob/master/lib/http_accept_language/parser.rb
     def locale
       @locale ||= begin
-        matched_locale = user_preferred_languages.map do |preferred|
-          preferred_language = preferred.split('-', 2).first
+        matched_locale = user_preferred_languages.map { |preferred|
+          preferred_language = preferred.split("-", 2).first
 
-          lang_group = available_locales.select do |available|
-            preferred_language == available.split('-', 2).first
-          end
+          lang_group = available_locales.select { |available|
+            preferred_language == available.split("-", 2).first
+          }
 
           lang_group.find { |lang| lang == preferred } || lang_group.min_by(&:length)
-        end.compact.first
+        }.compact.first
 
-        matched_locale || 'en'
+        matched_locale || "en"
       end
     end
 
+    # within is used by Sidekiq Pro
+    def display_tags(job, within = nil)
+      job.tags.map { |tag|
+        "<span class='jobtag label label-info'>#{::Rack::Utils.escape_html(tag)}</span>"
+      }.join(" ")
+    end
+
     # mperham/sidekiq#3243
     def unfiltered?
-      yield unless env['PATH_INFO'].start_with?("/filter/")
+      yield unless env["PATH_INFO"].start_with?("/filter/")
     end
 
     def get_locale
       strings(locale)
     end
 
-    def t(msg, options={})
-      string = get_locale[msg] || strings('en')[msg] || msg
+    def t(msg, options = {})
+      string = get_locale[msg] || strings("en")[msg] || msg
       if options.empty?
         string
       else
@@ -129,6 +148,10 @@ module Sidekiq
       end
     end
 
+    def sort_direction_label
+      params[:direction] == "asc" ? "&uarr;" : "&darr;"
+    end
+
     def workers
       @workers ||= Sidekiq::Workers.new
     end
@@ -141,16 +164,9 @@ module Sidekiq
       @stats ||= Sidekiq::Stats.new
     end
 
-    def retries_with_score(score)
-      Sidekiq.redis do |conn|
-        conn.zrangebyscore('retry', score, score)
-      end.map { |msg| Sidekiq.load_json(msg) }
-    end
-
     def redis_connection
       Sidekiq.redis do |conn|
-        c = conn.connection
-        "redis://#{c[:location]}/#{c[:db]}"
+        conn.connection[:id]
       end
     end
 
@@ -163,24 +179,24 @@ module Sidekiq
     end
 
     def root_path
-      "#{env['SCRIPT_NAME']}/"
+      "#{env["SCRIPT_NAME"]}/"
     end
 
     def current_path
-      @current_path ||= request.path_info.gsub(/^\//,'')
+      @current_path ||= request.path_info.gsub(/^\//, "")
     end
 
     def current_status
-      workers.size == 0 ? 'idle' : 'active'
+      workers.size == 0 ? "idle" : "active"
     end
 
     def relative_time(time)
       stamp = time.getutc.iso8601
-      %{<time class="ltr" dir="ltr" title="#{stamp}" datetime="#{stamp}">#{time}</time>}
+      %(<time class="ltr" dir="ltr" title="#{stamp}" datetime="#{stamp}">#{time}</time>)
     end
 
     def job_params(job, score)
-      "#{score}-#{job['jid']}"
+      "#{score}-#{job["jid"]}"
     end
 
     def parse_params(params)
@@ -188,18 +204,19 @@ module Sidekiq
       [score.to_f, jid]
     end
 
-    SAFE_QPARAMS = %w(page poll)
+    SAFE_QPARAMS = %w[page poll direction]
 
     # Merge options with current params, filter safe params, and stringify to query string
     def qparams(options)
-      # stringify
-      options.keys.each do |key|
-        options[key.to_s] = options.delete(key)
-      end
+      stringified_options = options.transform_keys(&:to_s)
+
+      to_query_string(params.merge(stringified_options))
+    end
 
-      params.merge(options).map do |key, value|
+    def to_query_string(params)
+      params.map { |key, value|
         SAFE_QPARAMS.include?(key) ? "#{key}=#{CGI.escape(value.to_s)}" : next
-      end.compact.join("&")
+      }.compact.join("&")
     end
 
     def truncate(text, truncate_after_chars = 2000)
@@ -207,40 +224,38 @@ module Sidekiq
     end
 
     def display_args(args, truncate_after_chars = 2000)
-      return "Invalid job payload, args is nil" if args == nil
-      return "Invalid job payload, args must be an Array, not #{args.class.name}" if !args.is_a?(Array)
+      return "Invalid job payload, args is nil" if args.nil?
+      return "Invalid job payload, args must be an Array, not #{args.class.name}" unless args.is_a?(Array)
 
       begin
-        args.map do |arg|
+        args.map { |arg|
           h(truncate(to_display(arg), truncate_after_chars))
-        end.join(", ")
+        }.join(", ")
       rescue
         "Illegal job arguments: #{h args.inspect}"
       end
     end
 
     def csrf_tag
-      "<input type='hidden' name='authenticity_token' value='#{session[:csrf]}'/>"
+      "<input type='hidden' name='authenticity_token' value='#{env[:csrf_token]}'/>"
     end
 
     def to_display(arg)
+      arg.inspect
+    rescue
       begin
-        arg.inspect
-      rescue
-        begin
-          arg.to_s
-        rescue => ex
-          "Cannot display argument: [#{ex.class.name}] #{ex.message}"
-        end
+        arg.to_s
+      rescue => ex
+        "Cannot display argument: [#{ex.class.name}] #{ex.message}"
       end
     end
 
-    RETRY_JOB_KEYS = Set.new(%w(
+    RETRY_JOB_KEYS = Set.new(%w[
       queue class args retry_count retried_at failed_at
       jid error_message error_class backtrace
       error_backtrace enqueued_at retry wrapped
-      created_at
-    ))
+      created_at tags
+    ])
 
     def retry_extra_items(retry_job)
       @retry_extra_items ||= {}.tap do |extra|
@@ -250,15 +265,29 @@ module Sidekiq
       end
     end
 
+    def format_memory(rss_kb)
+      return "0" if rss_kb.nil? || rss_kb == 0
+
+      if rss_kb < 100_000
+        "#{number_with_delimiter(rss_kb)} KB"
+      elsif rss_kb < 10_000_000
+        "#{number_with_delimiter((rss_kb / 1024.0).to_i)} MB"
+      else
+        "#{number_with_delimiter((rss_kb / (1024.0 * 1024.0)).round(1))} GB"
+      end
+    end
+
     def number_with_delimiter(number)
+      return "" if number.nil?
+
       begin
         Float(number)
       rescue ArgumentError, TypeError
         return number
       end
 
-      options = {delimiter: ',', separator: '.'}
-      parts = number.to_s.to_str.split('.')
+      options = {delimiter: ",", separator: "."}
+      parts = number.to_s.to_str.split(".")
       parts[0].gsub!(/(\d)(?=(\d\d\d)+(?!\d))/, "\\1#{options[:delimiter]}")
       parts.join(options[:separator])
     end
@@ -266,8 +295,8 @@ module Sidekiq
     def h(text)
       ::Rack::Utils.escape_html(text)
     rescue ArgumentError => e
-      raise unless e.message.eql?('invalid byte sequence in UTF-8')
-      text.encode!('UTF-16', 'UTF-8', invalid: :replace, replace: '').encode!('UTF-8', 'UTF-16')
+      raise unless e.message.eql?("invalid byte sequence in UTF-8")
+      text.encode!("UTF-16", "UTF-8", invalid: :replace, replace: "").encode!("UTF-8", "UTF-16")
       retry
     end
 
@@ -284,7 +313,7 @@ module Sidekiq
     end
 
     def environment_title_prefix
-      environment = Sidekiq.options[:environment] || ENV['RAILS_ENV'] || ENV['RACK_ENV'] || 'development'
+      environment = Sidekiq.options[:environment] || ENV["APP_ENV"] || ENV["RAILS_ENV"] || ENV["RACK_ENV"] || "development"
 
       "[#{environment.upcase}] " unless environment == "production"
     end
@@ -294,30 +323,30 @@ module Sidekiq
     end
 
     def server_utc_time
-      Time.now.utc.strftime('%H:%M:%S UTC')
+      Time.now.utc.strftime("%H:%M:%S UTC")
     end
 
     def redis_connection_and_namespace
       @redis_connection_and_namespace ||= begin
-        namespace_suffix = namespace == nil ? '' : "##{namespace}"
+        namespace_suffix = namespace.nil? ? "" : "##{namespace}"
         "#{redis_connection}#{namespace_suffix}"
       end
     end
 
     def retry_or_delete_or_kill(job, params)
-      if params['retry']
+      if params["retry"]
         job.retry
-      elsif params['delete']
+      elsif params["delete"]
         job.delete
-      elsif params['kill']
+      elsif params["kill"]
         job.kill
       end
     end
 
     def delete_or_add_queue(job, params)
-      if params['delete']
+      if params["delete"]
         job.delete
-      elsif params['add_to_queue']
+      elsif params["add_to_queue"]
         job.add_to_queue
       end
     end

data/lib/sidekiq/web/router.rb

@@ -1,18 +1,23 @@
 # frozen_string_literal: true
-require 'rack'
+
+require "rack"
 
 module Sidekiq
   module WebRouter
-    GET = 'GET'
-    DELETE = 'DELETE'
-    POST = 'POST'
-    PUT = 'PUT'
-    PATCH = 'PATCH'
-    HEAD = 'HEAD'
-
-    ROUTE_PARAMS = 'rack.route_params'
-    REQUEST_METHOD = 'REQUEST_METHOD'
-    PATH_INFO = 'PATH_INFO'
+    GET = "GET"
+    DELETE = "DELETE"
+    POST = "POST"
+    PUT = "PUT"
+    PATCH = "PATCH"
+    HEAD = "HEAD"
+
+    ROUTE_PARAMS = "rack.route_params"
+    REQUEST_METHOD = "REQUEST_METHOD"
+    PATH_INFO = "PATH_INFO"
+
+    def head(path, &block)
+      route(HEAD, path, &block)
+    end
 
     def get(path, &block)
       route(GET, path, &block)
@@ -35,10 +40,9 @@ module Sidekiq
     end
 
     def route(method, path, &block)
-      @routes ||= { GET => [], POST => [], PUT => [], PATCH => [], DELETE => [], HEAD => [] }
+      @routes ||= {GET => [], POST => [], PUT => [], PATCH => [], DELETE => [], HEAD => []}
 
       @routes[method] << WebRoute.new(method, path, block)
-      @routes[HEAD] << WebRoute.new(method, path, block) if method == GET
     end
 
     def match(env)
@@ -50,7 +54,8 @@ module Sidekiq
       path_info = "/" if path_info == ""
 
       @routes[request_method].each do |route|
-        if params = route.match(request_method, path_info)
+        params = route.match(request_method, path_info)
+        if params
           env[ROUTE_PARAMS] = params
 
           return WebAction.new(env, route.block)
@@ -64,7 +69,7 @@ module Sidekiq
   class WebRoute
     attr_accessor :request_method, :pattern, :block, :name
 
-    NAMED_SEGMENTS_PATTERN = /\/([^\/]*):([^\.:$\/]+)/
+    NAMED_SEGMENTS_PATTERN = /\/([^\/]*):([^.:$\/]+)/
 
     def initialize(request_method, pattern, block)
       @request_method = request_method
@@ -77,7 +82,7 @@ module Sidekiq
     end
 
     def compile
-      if pattern.match(NAMED_SEGMENTS_PATTERN)
+      if pattern.match?(NAMED_SEGMENTS_PATTERN)
         p = pattern.gsub(NAMED_SEGMENTS_PATTERN, '/\1(?<\2>[^$/]+)')
 
         Regexp.new("\\A#{p}\\Z")
@@ -91,9 +96,8 @@ module Sidekiq
       when String
         {} if path == matcher
       else
-        if path_match = path.match(matcher)
-          Hash[path_match.names.map(&:to_sym).zip(path_match.captures)]
-        end
+        path_match = path.match(matcher)
+        path_match&.named_captures&.transform_keys(&:to_sym)
       end
     end
   end