sidekiq 7.0.5 → 7.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fec40f38a40f555d39f3826d0b2b26dd72d500a8e58a35ff2e85436ad5abb2c7
-  data.tar.gz: b6b0fde1518951d5715484a046e0732224f819b6c45dba1e18c02e8292b97f55
+  metadata.gz: 69b692f7976998a1655a5c6f108c0a1f686fdcdcde164f6cde071f9ea3f89ced
+  data.tar.gz: d78d581fa48b744789b3af117a55d71bab1037b592f58ee9c74cf2c132716e0c
 SHA512:
-  metadata.gz: c6e0d60356029b73764a1e57e3e6e570fa8e56758da14f6a16945f502f694d182f71e34b246eed4aaa022b184214f7da8253292deeb3b7540bcf14030b3a1139
-  data.tar.gz: 3b03e4b1373288faceaee25ac08e73da00f3923bbbfd925b5b02dc0af6ec0c37fb7d23a14b6ec90be268df0441b974e100aa07462586b41648126d3b4020460a
+  metadata.gz: 42d16710f20a67a94df6498cf1fb5097a8795a5611f058e58d60e43e82503d26871c6d3061b3404590a0e0eba319997cb7e1daec3a88b66c2356e9cc0164a781
+  data.tar.gz: 5b6d9aa7512a67cb552c3a1bed37aa111a877927e7690f53efd3e85aa1ea7049fb75eb05b31232810c8a805f95cb0959a54cc80bafb5c80f9aae0c0701d158b7

data/Changes.md

@@ -2,7 +2,23 @@
 
 [Sidekiq Changes](https://github.com/sidekiq/sidekiq/blob/main/Changes.md) | [Sidekiq Pro Changes](https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md) | [Sidekiq Enterprise Changes](https://github.com/sidekiq/sidekiq/blob/main/Ent-Changes.md)
 
-7.0.5
+7.0.8
+----------
+
+- **SECURITY** Sanitize `period` input parameter on Metrics pages.
+  Specially crafted values can lead to XSS. This functionality
+  was introduced in 7.0.4. Thank you to spercex @ huntr.dev [#5694]
+- Add job hash as 3rd parameter to the `sidekiq_retry_in` block.
+
+7.0.7
+----------
+
+- Fix redis-client API usage which could result in stuck Redis
+connections [#5823]
+- Fix AS::Duration with `sidekiq_retry_in` [#5806]
+- Restore dumping config options on startup with `-v` [#5822]
+
+7.0.5,7.0.6
 ----------
 
 - More context for debugging json unsafe errors [#5787]

data/lib/sidekiq/fetch.rb

@@ -44,7 +44,7 @@ module Sidekiq # :nodoc:
         return nil
       end
 
-      queue, job = redis { |conn| conn.blocking_call(false, "brpop", *qs, TIMEOUT) }
+      queue, job = redis { |conn| conn.blocking_call(TIMEOUT + 1, "brpop", *qs, TIMEOUT) }
       UnitOfWork.new(queue, job, config) if queue
     end
 

data/lib/sidekiq/job_retry.rb

@@ -171,7 +171,7 @@ module Sidekiq
       # Goodbye dear message, you (re)tried your best I'm sure.
       return retries_exhausted(jobinst, msg, exception) if count >= max_retry_attempts
 
-      strategy, delay = delay_for(jobinst, count, exception)
+      strategy, delay = delay_for(jobinst, count, exception, msg)
       case strategy
       when :discard
         return # poof!
@@ -190,17 +190,18 @@ module Sidekiq
     end
 
     # returns (strategy, seconds)
-    def delay_for(jobinst, count, exception)
+    def delay_for(jobinst, count, exception, msg)
       rv = begin
         # sidekiq_retry_in can return two different things:
         # 1. When to retry next, as an integer of seconds
         # 2. A symbol which re-routes the job elsewhere, e.g. :discard, :kill, :default
-        jobinst&.sidekiq_retry_in_block&.call(count, exception)
+        jobinst&.sidekiq_retry_in_block&.call(count, exception, msg)
       rescue Exception => e
         handle_exception(e, {context: "Failure scheduling retry using the defined `sidekiq_retry_in` in #{jobinst.class.name}, falling back to default"})
         nil
       end
 
+      rv = rv.to_i if rv.respond_to?(:to_i)
       delay = (count**4) + 15
       if Integer === rv && rv > 0
         delay = rv

data/lib/sidekiq/job_util.rb

@@ -21,8 +21,7 @@ module Sidekiq
       mode = Sidekiq::Config::DEFAULTS[:on_complex_arguments]
 
       if mode == :raise || mode == :warn
-        unless json_safe?(args)
-          unsafe_item = json_unsafe_item(args)
+        if (unsafe_item = json_unsafe?(args))
           msg = <<~EOM
             Job arguments to #{job_class} must be native JSON types, but #{unsafe_item.inspect} is a #{unsafe_item.class}.
             See https://github.com/sidekiq/sidekiq/wiki/Best-Practices.
@@ -70,50 +69,37 @@ module Sidekiq
 
     private
 
-    RECURSIVE_JSON_SAFE = {
-      Integer => ->(val) { true },
-      Float => ->(val) { true },
-      TrueClass => ->(val) { true },
-      FalseClass => ->(val) { true },
-      NilClass => ->(val) { true },
-      String => ->(val) { true },
+    RECURSIVE_JSON_UNSAFE = {
+      Integer => ->(val) {},
+      Float => ->(val) {},
+      TrueClass => ->(val) {},
+      FalseClass => ->(val) {},
+      NilClass => ->(val) {},
+      String => ->(val) {},
       Array => ->(val) {
-        val.all? { |e| RECURSIVE_JSON_SAFE[e.class].call(e) }
-      },
-      Hash => ->(val) {
-        val.all? { |k, v| String === k && RECURSIVE_JSON_SAFE[v.class].call(v) }
-      }
-    }
-
-    RECURSIVE_JSON_SAFE.default = ->(_val) { false }
-    RECURSIVE_JSON_SAFE.compare_by_identity
-    private_constant :RECURSIVE_JSON_SAFE
-
-    def json_safe?(item)
-      RECURSIVE_JSON_SAFE[item.class].call(item)
-    end
-
-    def json_unsafe_item(item)
-      case item
-      when String, Integer, Float, TrueClass, FalseClass, NilClass
-        nil
-      when Array
-        item.each do |e|
-          unsafe_item = json_unsafe_item(e)
+        val.each do |e|
+          unsafe_item = RECURSIVE_JSON_UNSAFE[e.class].call(e)
           return unsafe_item unless unsafe_item.nil?
         end
         nil
-      when Hash
-        item.each do |k, v|
+      },
+      Hash => ->(val) {
+        val.each do |k, v|
           return k unless String === k
 
-          unsafe_item = json_unsafe_item(v)
+          unsafe_item = RECURSIVE_JSON_UNSAFE[v.class].call(v)
           return unsafe_item unless unsafe_item.nil?
         end
         nil
-      else
-        item
-      end
+      }
+    }
+
+    RECURSIVE_JSON_UNSAFE.default = ->(val) { val }
+    RECURSIVE_JSON_UNSAFE.compare_by_identity
+    private_constant :RECURSIVE_JSON_UNSAFE
+
+    def json_unsafe?(item)
+      RECURSIVE_JSON_UNSAFE[item.class].call(item)
     end
   end
 end

data/lib/sidekiq/launcher.rb

@@ -37,6 +37,7 @@ module Sidekiq
     # and instead have thread call Launcher#heartbeat every N seconds.
     def run(async_beat: true)
       Sidekiq.freeze!
+      logger.debug { @config.merge!({}) }
       @thread = safe_thread("heartbeat", &method(:start_heartbeat)) if async_beat
       @poller.start
       @managers.each(&:start)

data/lib/sidekiq/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module Sidekiq
-  VERSION = "7.0.5"
+  VERSION = "7.0.8"
   MAJOR = 7
 end

data/lib/sidekiq/web/application.rb

@@ -68,7 +68,7 @@ module Sidekiq
 
     get "/metrics" do
       q = Sidekiq::Metrics::Query.new
-      @period = params[:period]
+      @period = h((params[:period] || "")[0..1])
       @periods = METRICS_PERIODS
       minutes = @periods.fetch(@period, @periods.values.first)
       @query_result = q.top_jobs(minutes: minutes)
@@ -77,7 +77,7 @@ module Sidekiq
 
     get "/metrics/:name" do
       @name = route_params[:name]
-      @period = params[:period]
+      @period = h((params[:period] || "")[0..1])
       q = Sidekiq::Metrics::Query.new
       @periods = METRICS_PERIODS
       minutes = @periods.fetch(@period, @periods.values.first)

data/sidekiq.gemspec

@@ -19,7 +19,8 @@ Gem::Specification.new do |gem|
     "bug_tracker_uri" => "https://github.com/sidekiq/sidekiq/issues",
     "documentation_uri" => "https://github.com/sidekiq/sidekiq/wiki",
     "changelog_uri" => "https://github.com/sidekiq/sidekiq/blob/main/Changes.md",
-    "source_code_uri" => "https://github.com/sidekiq/sidekiq"
+    "source_code_uri" => "https://github.com/sidekiq/sidekiq",
+    "rubygems_mfa_required" => "true"
   }
 
   gem.add_dependency "redis-client", ">= 0.11.0"

data/web/locales/ja.yml

@@ -27,6 +27,7 @@ ja:
   Extras: エクストラ
   Failed: 失敗
   Failures: 失敗
+  Failure: 失敗
   GoBack: ← 戻る
   History: 履歴
   Job: ジョブ
@@ -75,6 +76,7 @@ ja:
   Stop: 停止
   StopAll: すべて停止
   StopPolling: ポーリング停止
+  Success: 成功
   Thread: スレッド
   Threads: スレッド
   ThreeMonths: 3 ヶ月
@@ -82,7 +84,7 @@ ja:
   Unpause: 一時停止を解除
   Metrics: メトリクス
   NoDataFound: データが見つかりませんでした
-  ExecutionTime: 合計実行時間
+  TotalExecutionTime: 合計実行時間
   AvgExecutionTime: 平均実行時間
   Context: コンテキスト
   Bucket: バケット

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sidekiq
 version: !ruby/object:Gem::Version
-  version: 7.0.5
+  version: 7.0.8
 platform: ruby
 authors:
 - Mike Perham
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-15 00:00:00.000000000 Z
+date: 2023-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: redis-client
@@ -205,6 +205,7 @@ metadata:
   documentation_uri: https://github.com/sidekiq/sidekiq/wiki
   changelog_uri: https://github.com/sidekiq/sidekiq/blob/main/Changes.md
   source_code_uri: https://github.com/sidekiq/sidekiq
+  rubygems_mfa_required: 'true'
 post_install_message: |2+
 
   Welcome to Sidekiq 7.0!
@@ -227,7 +228,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
+rubygems_version: 3.4.7
 signing_key:
 specification_version: 4
 summary: Simple, efficient background processing for Ruby