Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🚨 [security] Update sidekiq: 6.0.0 → 6.2.0 (minor) #236

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

depfu[bot]
Copy link
Contributor

@depfu depfu bot commented Mar 16, 2021


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ sidekiq (6.0.0 → 6.2.0) · Repo · Changelog

Release Notes

6.2.0 (from changelog)

  • Store Redis RTT and log if poor [#4824]
  • Add process/thread stats to Busy page [#4806]
  • Improve Web UI on mobile devices [#4840]
  • Refactor Web UI session usage [#4804] Numerous people have hit "Forbidden" errors and struggled with Sidekiq's Web UI session requirement. If you have code in your initializer for Web sessions, it's quite possible it will need to be removed. Here's an overview:
Sidekiq::Web needs a valid Rack session for CSRF protection. If this is a Rails app,
make sure you mount Sidekiq::Web *inside* your routes in `config/routes.rb` so
Sidekiq can reuse the Rails session:

Rails.application.routes.draw do
mount Sidekiq::Web => "/sidekiq"
....
end

If this is a bare Rack app, use a session middleware before Sidekiq::Web:

first, use IRB to create a shared secret key for sessions and commit it

require 'securerandom'; File.open(".session.key", "w") {|f| f.write(SecureRandom.hex(32)) }

now, update your Rack app to include the secret with a session cookie middleware

use Rack::Session::Cookie, secret: File.read(".session.key"), same_site: true, max_age: 86400
run Sidekiq::Web

6.1.3 (from changelog)

  • Warn if Redis is configured to evict data under memory pressure [#4752]
  • Add process RSS on the Busy page [#4717]

6.1.2 (from changelog)

  • Improve readability in dark mode Web UI [#4674]
  • Fix Web UI crash with corrupt session [#4672]
  • Allow middleware to yield arguments [#4673, @eugeneius]
  • Migrate CI from CircleCI to GitHub Actions [#4677]

6.1.1 (from changelog)

  • Jobs are now sorted by age in the Busy Workers table. [#4641]
  • Fix "check all" JS logic in Web UI [#4619]

6.1.0 (from changelog)

  • Web UI - Dark Mode fixes [#4543, natematykiewicz]
  • Ensure Rack::ContentLength is loaded as middleware for correct Web UI responses [#4541]
  • Avoid exception dumping SSL store in Redis connection logging [#4532]
  • Better error messages in Sidekiq::Client [#4549]
  • Remove rack-protection, reimplement CSRF protection [#4588]
  • Require redis-rb 4.2 [#4591]
  • Update to jquery 1.12.4 [#4593]
  • Refactor internal fetch logic and API [#4602]

6.0.7 (from changelog)

  • Refactor systemd integration to work better with custom binaries [#4511]
  • Don't connect to Redis at process exit if not needed [#4502]
  • Remove Redis connection naming [#4479]
  • Fix Redis Sentinel password redaction [#4499]
  • Add Vietnamese locale (vi) [#4528]

6.0.6 (from changelog)

  • Integrate with systemd's watchdog and notification features [#4488] Set Type=notify in sidekiq.service. The integration works automatically.
  • Use setTimeout rather than setInterval to avoid thundering herd [#4480]
  • Fix edge case where a job can be pushed without a queue.
  • Flush job stats at exit [#4498]
  • Check RAILS_ENV before RACK_ENV [#4493]
  • Add Lithuanian locale [#4476]

6.0.5 (from changelog)

  • Fix broken Web UI response when using NewRelic and Rack 2.1.2+. [#4440]
  • Update APIs to use UNLINK, not DEL. [#4449]
  • Fix Ruby 2.7 warnings [#4412]

6.0.4 (from changelog)

  • Fix ActiveJob's sidekiq_options integration [#4404]
  • Sidekiq Pro users will now see a Pause button next to each queue in the Web UI, allowing them to pause queues manually [#4374, shayonj]
  • Fix Sidekiq::Workers API unintentional change in 6.0.2 [#4387]

6.0.3 (from changelog)

  • Fix Sidekiq::Client.push_bulk API which was erroneously putting invalid at values in the job payloads [#4321]

6.0.2 (from changelog)

  • Fix Sidekiq Enterprise's rolling restart functionality, broken by refactoring in 6.0.0. [#4334]
  • More internal refactoring and performance tuning [fatkodima]

6.0.1 (from changelog)

  • Performance tuning, Sidekiq should be 10-15% faster now [#4303, 4299, 4269, fatkodima]
  • Dark Mode support in Web UI (further design polish welcome!) [#4227, mperham, fatkodima, silent-e]
  • Job-specific log levels, allowing you to turn on debugging for problematic workers. [fatkodima, #4287]
MyWorker.set(log_level: :debug).perform_async(...)
  • Ad-hoc job tags. You can tag your jobs with, e.g, subdomain, tenant, country, locale, application, version, user/client, "alpha/beta/pro/ent", types of jobs, teams/people responsible for jobs, additional metadata, etc. Tags are shown on different pages with job listings. Sidekiq Pro users can filter based on them [fatkodima, #4280]
class MyWorker
  include Sidekiq::Worker
  sidekiq_options tags: ['bank-ops', 'alpha']
  ...
end
  • Fetch scheduled jobs in batches before pushing into specific queues. This will decrease enqueueing time of scheduled jobs by a third. [fatkodima, #4273]
ScheduledSet with 10,000 jobs
Before: 56.6 seconds
After:  39.2 seconds
  • Compress error backtraces before pushing into Redis, if you are storing error backtraces, this will halve the size of your RetrySet in Redis [fatkodima, #4272]
RetrySet with 100,000 jobs
Before: 261 MB
After:  129 MB
  • Support display of ActiveJob 6.0 payloads in the Web UI [#4263]
  • Add SortedSet#scan for pattern based scanning. For large sets this API will be MUCH faster than standard iteration using each. [fatkodima, #4262]
  Sidekiq::DeadSet.new.scan("UnreliableApi") do |job|
    job.retry
  end
  • Dramatically speed up SortedSet#find_job(jid) by using Redis's ZSCAN support, approx 10x faster. [fatkodima, #4259]
zscan   0.179366   0.047727   0.227093 (  1.161376)
enum    8.522311   0.419826   8.942137 (  9.785079)
  • Respect rails' generators test_framework option and gracefully handle extra worker suffix on generator [fatkodima, #4256]
  • Add ability to sort 'Enqueued' page on Web UI by position in the queue [fatkodima, #4248]
  • Support Client.push_bulk with different delays [fatkodima, #4243]
Sidekiq::Client.push_bulk("class" => FooJob, "args" => [[1], [2]], "at" => [1.minute.from_now.to_f, 5.minutes.from_now.to_f])
  • Easier way to test enqueuing specific ActionMailer and ActiveRecord delayed jobs. Instead of manually parsing embedded class, you can now test by fetching jobs for specific classes. [fatkodima, #4292]
assert_equal 1, Sidekiq::Extensions::DelayedMailer.jobs_for(FooMailer).size
  • Add sidekiqmon to gemspec executables [#4242]
  • Gracefully handle Sidekiq.logger = nil [#4240]
  • Inject Sidekiq::LogContext module if user-supplied logger does not include it [#4239]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ connection_pool (indirect, 2.2.2 → 2.2.3) · Repo · Changelog

Release Notes

2.2.3 (from changelog)

  • Pool now throws ConnectionPool::TimeoutError on timeout. [#130]
  • Use monotonic clock present in all modern Rubies [Tero Tasanen, #109]
  • Remove code hacks necessary for JRuby 1.7
  • Expose wrapped pool from ConnectionPool::Wrapper [Thomas Lecavelier, #113]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

↗️ rack (indirect, 2.2.2 → 2.2.3) · Repo · Changelog

Security Advisories 🚨

🚨 Percent-encoded cookies can be used to overwrite existing prefixed cookie names

It is possible to forge a secure or host-only cookie prefix in Rack using
an arbitrary cookie write by using URL encoding (percent-encoding) on the
name of the cookie. This could result in an application that is dependent on
this prefix to determine if a cookie is safe to process being manipulated
into processing an insecure or cross-origin request.
This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected: rack < 2.2.3, rack < 2.1.4
Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions: rack >= 2.2.3, rack >= 2.1.4

Impact

An attacker may be able to trick a vulnerable application into processing an
insecure (non-SSL) or cross-origin request if they can gain the ability to write
arbitrary cookies that are sent to the application.

Workarounds

If your application is impacted but you cannot upgrade to the released versions or apply
the provided patch, this issue can be temporarily addressed by adding the following workaround:

module Rack
  module Utils
    module_function def parse_cookies_header(header)
      return {} unless header
      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
        next if cookie.empty?
        key, value = cookie.split('=', 2)
        cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
      end
    end
  end
end
Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ redis (indirect, 4.1.2 → 4.2.5) · Repo · Changelog

Release Notes

4.2.5 (from changelog)

  • Optimize the ruby connector write buffering. See #964.

4.2.4 (from changelog)

  • Fix bytesize calculations in the ruby connector, and work on a copy of the buffer. Fix #961, #962.

4.2.3 (from changelog)

  • Use io/wait instead of IO.select in the ruby connector. See #960.
  • Use exception free non blocking IOs in the ruby connector. See #926.
  • Prevent corruption of the client when an interrupt happen during inside a pipeline block. See #945.

4.2.2 (from changelog)

  • Fix WATCH support for Redis::Distributed. See #941.
  • Fix handling of empty stream responses. See #905, #929.

4.2.1 (from changelog)

  • Fix exists? returning an actual boolean when called with multiple keys. See #918.
  • Setting Redis.exists_returns_integer = false disables warning message about new behaviour. See #920.

4.2.0 (from changelog)

  • Convert commands to accept keyword arguments rather than option hashes. This both help catching typos, and reduce needless allocations.
  • Deprecate the synchrony driver. It will be removed in 5.0 and hopefully maintained as a separate gem. See #915.
  • Make Redis#exists variadic, will return an Integer if called with multiple keys.
  • Add Redis#exists? to get a Boolean if any of the keys exists.
  • Redis#exists when called with a single key will warn that future versions will return an Integer. Set Redis.exists_returns_integer = true to opt-in to the new behavior.
  • Support keepttl ooption in set. See #913.
  • Optimized initialization of Redis::Cluster. See #912.
  • Accept sentinel options even with string key. See #599.
  • Verify TLS connections by default. See #900.

4.1.4 (from changelog)

  • Alias Redis#disconnect as #close. See #901.
  • Handle clusters with multiple slot ranges. See #894.
  • Fix password authentication to a redis cluster. See #889.
  • Handle recursive MOVED responses. See #882.
  • Increase buffer size in the ruby connector. See #880.
  • Fix thread safety of Redis.queue. See #878.
  • Deprecate Redis::Future#== as it's likely to be a mistake. See #876.

4.1.3 (from changelog)

  • Fix the client hanging forever when connecting with SSL to a non-SSL server. See #835.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🗑️ rack-protection (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants