Stop PagesWorker from using `send` (!103781) · Merge requests · GitLab.org / GitLab

Sean McGivern requested to merge stop-pagesworker-from-using-send into master Nov 11, 2022

What does this MR do and why?

It only had one possible method to call, so let's hard-code that.

A Sidekiq job class that takes a method name as an argument and calls that method (with public_send on an object) is a security risk. It's not typically directly exploitable, but it can be used to escalate from Redis injection to arbitrary code execution (see #371098 (closed) for an example).

We should remove public_send from Sidekiq workers where possible, and where not possible, validate the method name we're passing carefully. I found these workers that disable the Security/PublicSend cop:

Split from !103053 (closed). For #371470 (closed).

How to set up and validate locally

Mostly just specs.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Stop PagesWorker from using `send`

What does this MR do and why?

How to set up and validate locally

MR acceptance checklist

Merge request reports