Verify mount in BackgroundMoveWorker before using `public_send`
What does this MR do and why?
This is mostly safe anyway, as it doesn't pass any arguments, but we should still check that the given `file_field` (mount point) is actually an uploader of the correct type before we call it.
A Sidekiq job class that takes a method name as an argument and calls that method (with `public_send` on an object) is a security risk. It's not typically directly exploitable, but it can be used to escalate from Redis injection to arbitrary code execution (see #371098 (closed) for an example).
We should remove `public_send` from Sidekiq workers where possible, and where not possible, validate the method name we're passing carefully. I found these workers that disable the `Security/PublicSend` cop:
Split from !103053 (closed). For #371470 (closed).
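To make the point concrete, here is an added example (not code from this MR or from GitLab) of the pattern described above: a toy worker that calls `public_send` with a method name taken straight from its job arguments, next to one that first verifies the name is a declared mount whose uploader is of the expected type. `Upload`, `FileUploader`, `AvatarUploader`, `AttachmentUploader` and the `uploaders` hash are constructed stand-ins for a model with CarrierWave-style mounts; the "correct type" check is assumed to mean "a subclass of `FileUploader`".

```ruby
# Added example, not code from the MR. Upload/FileUploader/AvatarUploader/
# AttachmentUploader are constructed stand-ins for a model with mounts.

class FileUploader; end
class AvatarUploader < FileUploader; end
class AttachmentUploader < FileUploader; end

# Constructed model: `uploaders` mirrors the column => uploader-class hash
# that CarrierWave::Mount keeps for each mounted field.
class Upload
  def self.uploaders
    { avatar: AvatarUploader, attachment: AttachmentUploader }
  end

  def avatar
    AvatarUploader.new
  end

  def attachment
    AttachmentUploader.new
  end

  # Any other public method is reachable through the unsafe worker below.
  def destroy
    raise "destroy reached via job arguments"
  end
end

# Risky pattern: the method name comes straight from the Sidekiq job payload,
# so whoever controls the payload chooses which public method runs on the record.
class UnsafeBackgroundMoveWorker
  def perform(record, file_field)
    record.public_send(file_field)
  end
end

class MountValidationError < ArgumentError; end

# Hardened pattern: look the name up in the model's declared mounts and
# require that mount's uploader to be a FileUploader (assumed "correct type")
# before calling it. Everything else is rejected before public_send runs.
class SafeBackgroundMoveWorker
  def perform(record, file_field)
    mount = file_field.to_s
    entry = record.class.uploaders.detect { |name, _| name.to_s == mount }
    uploader_class = entry && entry[1]

    unless uploader_class && uploader_class <= FileUploader
      raise MountValidationError,
            "#{mount.inspect} is not a FileUploader mount on #{record.class}"
    end

    record.public_send(mount)
  end
end

if __FILE__ == $PROGRAM_NAME
  upload = Upload.new
  puts SafeBackgroundMoveWorker.new.perform(upload, "avatar").class
  begin
    SafeBackgroundMoveWorker.new.perform(upload, "destroy")
  rescue MountValidationError => e
    puts "rejected: #{e.message}"
  end
end
```

The lookup is an allowlist derived from the model itself rather than a hand-maintained list of names, so adding a mount to the model automatically permits it while any other method name, public or not, is refused with a `MountValidationError` before `public_send` is reached.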
How to set up and validate locally
Mostly just specs.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.