Stop PagesWorker from using `send`
What does this MR do and why?
It only had one possible method to call, so let's hard-code that.
A Sidekiq job class that takes a method name as an argument and calls that method (with public_send
on an object) is a security risk. It's not typically directly exploitable, but it can be used to escalate from Redis injection to arbitrary code execution (see #371098 (closed) for an example).
We should remove public_send
from Sidekiq workers where possible, and where not possible, validate the method name we're passing carefully. I found these workers that disable the Security/PublicSend
cop:
Split from !103053 (closed). For #371470 (closed).
How to set up and validate locally
Mostly just specs.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.