sidekiq 7.2.2 → 7.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67dd3e4a49f94aa711fa9baa0caac22c992b5c0a6a04a1cade9426f9a4a9341b
-  data.tar.gz: 224649c4a61110b9600f70f3ccd568360642e74330fc7503f6ac03bc57f638dd
+  metadata.gz: 6c43e6b585c25dcfc8ef8364bb36cf74f9167b981ad03faa3a8d76e0d45ebe55
+  data.tar.gz: d8c65dc03008f7280b36af94db753d4c7f68267c2eb0d78cd018322887aabbb0
 SHA512:
-  metadata.gz: 20154e18f4d51e19b68946543f4523ac452f463ef7b8f2e4445bdb1d2bf518902e94edefc9d2a4f5771c33bdc5003b5b4b55fab05495d7756f90ebdc0bfbe0b9
-  data.tar.gz: 510fa35d3b8657b1e8e6b23bc940d0a32ae64d0e09331981728b23ea1548d2b000f1943ee39b2b2459500d86c4b3a3cd9a8bf2142ebd82ecdbdbfac75a0d521f
+  metadata.gz: d2687692b873ab82bda2ad32e9be795150cd0a8d3d330bc19f5b509ba729bef33189e06ebac86b1906c2682187391d6cf0d532e47d03fcbea83058109c5816ef
+  data.tar.gz: 431a482baeb03fc4de50fbdfba8717fc332a9d6564fde98a77699a7bd174fa3194431385951cf689c64e04853039c95fcf287084f283e8d381b3b37d5bc665e0

data/Changes.md

@@ -2,7 +2,21 @@
 
 [Sidekiq Changes](https://github.com/sidekiq/sidekiq/blob/main/Changes.md) | [Sidekiq Pro Changes](https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md) | [Sidekiq Enterprise Changes](https://github.com/sidekiq/sidekiq/blob/main/Ent-Changes.md)
 
-HEAD
+7.2.4
+----------
+
+- Fix XSS in metrics filtering introduced in 7.2.0, CVE-2024-32887
+  Thanks to @UmerAdeemCheema for the security report.
+
+7.2.3
+----------
+
+- [Support Dragonfly.io](https://www.mikeperham.com/2024/02/01/supporting-dragonfly/) as an alternative Redis implementation
+- Fix error unpacking some compressed error backtraces [#6241]
+- Fix potential heartbeat data leak [#6227]
+- Add ability to find a currently running work by jid [#6212, fatkodima]
+
+7.2.2
 ----------
 
 - Add `Process.warmup` call in Ruby 3.3+

data/lib/sidekiq/api.rb

@@ -490,7 +490,7 @@ module Sidekiq
     end
 
     def uncompress_backtrace(backtrace)
-      strict_base64_decoded = backtrace.unpack1("m0")
+      strict_base64_decoded = backtrace.unpack1("m")
       uncompressed = Zlib::Inflate.inflate(strict_base64_decoded)
       Sidekiq.load_json(uncompressed)
     end
@@ -1136,6 +1136,20 @@ module Sidekiq
         end
       end
     end
+
+    ##
+    # Find the work which represents a job with the given JID.
+    # *This is a slow O(n) operation*.  Do not use for app logic.
+    #
+    # @param jid [String] the job identifier
+    # @return [Sidekiq::Work] the work or nil
+    def find_work_by_jid(jid)
+      each do |_process_id, _thread_id, work|
+        job = work.job
+        return work if job.jid == jid
+      end
+      nil
+    end
   end
 
   # Sidekiq::Work represents a job which is currently executing.

data/lib/sidekiq/deploy.rb

@@ -34,7 +34,7 @@ module Sidekiq
       # handle an very common error in marking deploys:
       # having every process mark its deploy, leading
       # to N marks for each deploy. Instead we round the time
-      # to the minute so that multple marks within that minute
+      # to the minute so that multiple marks within that minute
       # will all naturally rollup into one mark per minute.
       whence = at.utc
       floor = Time.utc(whence.year, whence.month, whence.mday, whence.hour, whence.min, 0)

data/lib/sidekiq/launcher.rb

@@ -145,15 +145,17 @@ module Sidekiq
         flush_stats
 
         curstate = Processor::WORK_STATE.dup
+        curstate.transform_values! { |val| Sidekiq.dump_json(val) }
+
         redis do |conn|
           # work is the current set of executing jobs
           work_key = "#{key}:work"
-          conn.pipelined do |transaction|
+          conn.multi do |transaction|
             transaction.unlink(work_key)
-            curstate.each_pair do |tid, hash|
-              transaction.hset(work_key, tid, Sidekiq.dump_json(hash))
+            if curstate.size > 0
+              transaction.hset(work_key, curstate)
+              transaction.expire(work_key, 60)
             end
-            transaction.expire(work_key, 60)
           end
         end
 

data/lib/sidekiq/processor.rb

@@ -187,7 +187,7 @@ module Sidekiq
           # we didn't properly finish it.
         rescue Sidekiq::JobRetry::Handled => h
           # this is the common case: job raised error and Sidekiq::JobRetry::Handled
-          # signals that we created a retry successfully.  We can acknowlege the job.
+          # signals that we created a retry successfully.  We can acknowledge the job.
           ack = true
           e = h.cause || h
           handle_exception(e, {context: "Job raised exception", job: job_hash})

data/lib/sidekiq/rails.rb

@@ -22,7 +22,7 @@ module Sidekiq
       end
 
       def to_hash
-        { app: @app.class.name }
+        {app: @app.class.name}
       end
     end
 

data/lib/sidekiq/redis_client_adapter.rb

@@ -32,8 +32,8 @@ module Sidekiq
         zremrangebyrank zremrangebyscore]
 
       USED_COMMANDS.each do |name|
-        define_method(name) do |*args|
-          @client.call(name, *args)
+        define_method(name) do |*args, **kwargs|
+          @client.call(name, *args, **kwargs)
         end
       end
 

data/lib/sidekiq/scheduled.rb

@@ -144,7 +144,7 @@ module Sidekiq
         # In the example above, each process should schedule every 10 seconds on average. We special
         # case smaller clusters to add 50% so they would sleep somewhere between 5 and 15 seconds.
         # As we run more processes, the scheduling interval average will approach an even spread
-        # between 0 and poll interval so we don't need this artifical boost.
+        # between 0 and poll interval so we don't need this artificial boost.
         #
         count = process_count
         interval = poll_interval_average(count)

data/lib/sidekiq/testing.rb

@@ -112,7 +112,7 @@ module Sidekiq
     # The Queues class is only for testing the fake queue implementation.
     # There are 2 data structures involved in tandem. This is due to the
     # Rspec syntax of change(HardJob.jobs, :size). It keeps a reference
-    # to the array. Because the array was dervied from a filter of the total
+    # to the array. Because the array was derived from a filter of the total
     # jobs enqueued, it appeared as though the array didn't change.
     #
     # To solve this, we'll keep 2 hashes containing the jobs. One with keys based

data/lib/sidekiq/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module Sidekiq
-  VERSION = "7.2.2"
+  VERSION = "7.2.4"
   MAJOR = 7
 end

data/lib/sidekiq/web/action.rb

@@ -22,6 +22,11 @@ module Sidekiq
       throw :halt, [302, {Web::LOCATION => "#{request.base_url}#{location}"}, []]
     end
 
+    def reload_page
+      current_location = request.referer.gsub(request.base_url, "")
+      redirect current_location
+    end
+
     def params
       indifferent_hash = Hash.new { |hash, key| hash[key.to_s] if Symbol === key }
 

data/lib/sidekiq/web/application.rb

@@ -49,9 +49,9 @@ module Sidekiq
 
     head "/" do
       # HEAD / is the cheapest heartbeat possible,
-      # it hits Redis to ensure connectivity
-      Sidekiq.redis { |c| c.llen("queue:default") }
-      ""
+      # it hits Redis to ensure connectivity and returns
+      # the size of the default queue
+      Sidekiq.redis { |c| c.llen("queue:default") }.to_s
     end
 
     get "/" do
@@ -394,6 +394,18 @@ module Sidekiq
       erb :morgue
     end
 
+    post "/change_locale" do
+      locale = params["locale"]
+
+      match = available_locales.find { |available|
+        locale == available
+      }
+
+      session[:locale] = match if match
+
+      reload_page
+    end
+
     def call(env)
       action = self.class.match(env)
       return [404, {Rack::CONTENT_TYPE => "text/plain", Web::X_CASCADE => "pass"}, ["Not Found"]] unless action

data/lib/sidekiq/web/csrf_protection.rb

@@ -115,7 +115,7 @@ module Sidekiq
         sess = session(env)
         localtoken = sess[:csrf]
 
-        # Checks that Rack::Session::Cookie actualy contains the csrf toekn
+        # Checks that Rack::Session::Cookie actually contains the csrf token
         return false if localtoken.nil?
 
         # Rotate the session token after every use

data/lib/sidekiq/web/helpers.rb

@@ -121,6 +121,10 @@ module Sidekiq
     #
     # Inspiration taken from https://github.com/iain/http_accept_language/blob/master/lib/http_accept_language/parser.rb
     def locale
+      # session[:locale] is set via the locale selector from the footer
+      # defined?(session) && session are used to avoid exceptions when running tests
+      return session[:locale] if defined?(session) && session&.[](:locale)
+
       @locale ||= begin
         matched_locale = user_preferred_languages.map { |preferred|
           preferred_language = preferred.split("-", 2).first
@@ -340,7 +344,8 @@ module Sidekiq
     end
 
     def pollable?
-      !(current_path == "" || current_path.start_with?("metrics"))
+      # there's no point to refreshing the metrics pages every N seconds
+      !(current_path == "" || current_path.index("metrics"))
     end
 
     def retry_or_delete_or_kill(job, params)

data/web/assets/javascripts/application.js

@@ -47,6 +47,8 @@ function addListeners() {
       scheduleLivePoll();
     }
   }
+
+  document.getElementById("locale-select").addEventListener("change", updateLocale);
 }
 
 function addPollingListeners(_event)  {
@@ -175,3 +177,7 @@ function replacePage(text) {
 function showError(error) {
   console.error(error)
 }
+
+function updateLocale(event) {
+  event.target.form.submit();
+};

data/web/assets/stylesheets/application-rtl.css

@@ -151,3 +151,13 @@ div.interval-slider {
     padding-left: 5px;
   }
 }
+
+#locale-select {
+  float: right;
+}
+
+@media (max-width: 767px) {
+  #locale-select {
+    float: none;
+  }
+}

data/web/assets/stylesheets/application.css

@@ -731,3 +731,16 @@ div.interval-slider input {
 canvas {
   margin: 20px 0 30px;
 }
+
+#locale-select {
+  float: left;
+  margin: 8px 15px;
+}
+
+@media (max-width: 767px) {
+  #locale-select {
+    float: none;
+    width: auto;
+    margin: 15px auto;
+  }
+}

data/web/views/_footer.erb

@@ -15,7 +15,19 @@
             <p class="navbar-text"><a rel=help href="https://github.com/sidekiq/sidekiq/wiki">docs</a></p>
           </li>
           <li>
-            <p class="navbar-text"><a rel=external href="https://github.com/sidekiq/sidekiq/tree/main/web/locales"><%= locale %></a></p>
+            <form id="locale-form" class="form-inline" action="<%= root_path %>change_locale" method="post">
+              <%= csrf_tag %>
+              <label class="sr-only" for="locale">Language</label>
+              <select id="locale-select" class="form-control" name="locale">
+                <% available_locales.each do |locale_option| %>
+                  <% if locale_option == locale %>
+                    <option selected value="<%= locale_option %>"><%= locale_option %></option>
+                  <% else %>
+                    <option value="<%= locale_option %>"><%= locale_option %></option>
+                  <% end %>
+                <% end %>
+              </select>
+            </form>
           </li>
         </ul>
     </div>

data/web/views/metrics.erb

@@ -12,7 +12,7 @@
     <form id="metrics-form" class="form-inline" action="<%= root_path %>filter/metrics" method="post">
       <%= csrf_tag %>
       <label for="substr"><%= t('Filter') %></label>
-      <input id="class-filter" class="form-control" type="text" name="substr" placeholder="<%= t('Name') %>" value="<%= params[:substr] %>">
+      <input id="class-filter" class="form-control" type="text" name="substr" placeholder="<%= t('Name') %>" value="<%= h params[:substr] %>">
       <select id="period-selector" class="form-control" name="period">
         <% @periods.each_key do |code| %>
           <% if code == @period %>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sidekiq
 version: !ruby/object:Gem::Version
-  version: 7.2.2
+  version: 7.2.4
 platform: ruby
 authors:
 - Mike Perham
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-16 00:00:00.000000000 Z
+date: 2024-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: redis-client