From 970b0d754be7c71a760d9b807eea32297fd838e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
<rafaelmfranca@gmail.com>
Date: Wed, 5 Sep 2018 17:38:09 -0400
Subject: [PATCH] Do not deserialize GlobalID objects that were not generated
by Active Job
Trusting any GlobalID object when deserializing jobs can allow
attackers to access information that should not be accessible to them.
Fix CVE-2018-16476.
---
activejob/lib/active_job/arguments.rb | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
index de11e7fcb193..8d992a478b75 100644
--- a/activejob/lib/active_job/arguments.rb
+++ b/activejob/lib/active_job/arguments.rb
@@ -75,7 +75,7 @@ def serialize_argument(argument)
def deserialize_argument(argument)
case argument
when String
- GlobalID::Locator.locate(argument) || argument
+ argument
when *TYPE_WHITELIST
argument
when Array
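Review bot: The new `when String` branch returns the bare string with no comment recording why `GlobalID::Locator.locate` was removed, which invites a maintainer to reintroduce the lookup as a convenience. A one-line comment above the `argument` line would pin the intent: `# Bare strings are never resolved through GlobalID::Locator: only the GlobalID form Active Job itself serializes is located, so an attacker-controlled string in a job payload cannot be turned into a record lookup.` It would also help to add a regression test asserting that a job argument holding a GID-looking string deserializes to the unchanged string. Whether the serialized GlobalID form is still located elsewhere in `deserialize_argument` cannot be confirmed from this hunk, since the method body continues past it; `serialize_argument` is likewise only visible by name in the hunk header.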