Do not deserialize GlobalID objects that were not generated by Active Job

rafaelfranca · rafaelfranca · commit 72300f974274 · 2018-11-27T15:28:41.000-05:00
Trusting any GlobaID object when deserializing jobs can allow attackers to access information that should not be accessible to them. Fix CVE-2018-16476.
diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
@@ -91,7 +91,7 @@ def serialize_argument(argument)
       def deserialize_argument(argument)
         case argument
         when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
         when *PERMITTED_TYPES
           argument
         when Array
diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
@@ -41,6 +41,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
     assert_arguments_roundtrip [@person]
   end
 
+  test "should keep Global IDs strings as they are" do
+    assert_arguments_roundtrip [@person.to_gid.to_s]
+  end
+
   test "should dive deep into arrays and hashes" do
     assert_arguments_roundtrip [3, [@person]]
     assert_arguments_roundtrip [{ "a" => @person }]
