Skip to content

Latest commit

 

History

History
98 lines (73 loc) · 7.91 KB

mitigations.md

File metadata and controls

98 lines (73 loc) · 7.91 KB

Mitigation Strategies Analysis for collectiveidea/delayed_job

Mitigation Strategy: Strict Job Argument Whitelisting and Secure Serialization

  • Description:

    1. Define Allowed Data Types: Create a whitelist of permissible data types and structures for job arguments passed to delayed_job. This might include integers, strings (with length limits), booleans, and specific, well-defined data transfer objects (DTOs) or parameter classes.
    2. Create Parameter Classes (DTOs): For complex arguments, define dedicated classes (like the SafeJobParams example) that encapsulate the allowed data and perform validation upon initialization. These classes should have clear to_json (or to_protobuf, etc.) and from_json methods for serialization and deserialization to be used with delayed_job.
    3. Validate Input: Within the parameter classes' initializers and from_json methods, rigorously validate all input data against the whitelist. Check data types, lengths, ranges, and any other relevant constraints. Raise exceptions for invalid data.
    4. Choose a Secure Serializer: Configure delayed_job to use a more secure serializer than the default YAML. Use the Delayed::Worker.serializer = :json (or :msgpack, :protobuf) setting. If YAML must be used, configure delayed_job to use YAML.safe_load with a strict whitelist of allowed classes. This is a direct delayed_job configuration.
    5. Serialize/Deserialize Consistently: Ensure that all job enqueuing uses the secure serialization method (e.g., calling .to_json on your parameter object and passing the result to delay(serializer: 'json')). Ensure all job perform methods deserialize using the corresponding method (e.g., SafeJobParams.from_json).
    6. Avoid handle_asynchronously with Untrusted Data: Prefer defining explicit job classes and passing only validated, serialized data to delay(). If using handle_asynchronously, restrict its use to trusted internal methods and objects with immutable, well-defined states. This directly impacts how you use delayed_job.

  • Threats Mitigated:

    • Code Injection / Arbitrary Code Execution (Severity: Critical): Prevents attackers from injecting malicious code into job arguments, which delayed_job would then execute.
    • Data Leakage / Information Disclosure (Severity: High/Medium): By controlling the data serialized by delayed_job, you reduce the risk.
    • Job Manipulation (Severity: Medium): Makes it harder to manipulate delayed_job's queue.

  • Impact:

    • Code Injection: Risk significantly reduced (near elimination if implemented correctly).
    • Data Leakage: Risk reduced.
    • Job Manipulation: Risk reduced.

  • Currently Implemented:

    • Partially implemented: JSON serialization used in some jobs, but not consistently, and parameter validation is insufficient.

  • Missing Implementation:

    • Need to create dedicated parameter classes for all jobs.
    • Need to enforce strict validation in all parameter classes.
    • Need to audit all uses of handle_asynchronously and replace them.
    • Need to globally configure delayed_job to use JSON (or another secure serializer) and ensure all jobs use it.

Mitigation Strategy: Queue Management and Job Timeouts (using delayed_job features)

  • Description:

    1. Configure Queue Limits: Set maximum lengths for your delayed_job queues using Delayed::Worker.max_queue_size = N. When a queue reaches its limit, delayed_job will raise an error, preventing further enqueuing.
    2. Set Job Timeouts: Configure Delayed::Worker.max_attempts = N and Delayed::Worker.max_run_time = N (in seconds) globally, or set them on individual jobs using the max_attempts and max_run_time methods when enqueuing. This directly uses delayed_job's built-in features.
    3. Use Separate Queues: Create different queues for different job types (e.g., Delayed::Worker.queue_attributes = { email: { priority: 10 }, data_processing: { priority: 0 } }). Start workers with the --queue or -q option to assign them to specific queues (e.g., bin/delayed_job start -q email). This is a direct delayed_job configuration.
    4. Prioritize Jobs: Use delayed_job's priority system (the priority attribute, set via delay(priority: N)) to ensure critical jobs are processed first. This is a direct feature of delayed_job.

  • Threats Mitigated:

    • Denial of Service (DoS) (Severity: High/Medium): Prevents attackers from overwhelming delayed_job with jobs.

  • Impact:

    • DoS: Risk significantly reduced.

  • Currently Implemented:

    • max_attempts is set globally.
    • Default queue is used.

  • Missing Implementation:

    • Delayed::Worker.max_queue_size needs to be configured.
    • Delayed::Worker.max_run_time needs to be set appropriately.
    • Separate queues need to be created and workers configured.
    • Job prioritization needs to be implemented using delay(priority: N).

Mitigation Strategy: Job Idempotency and Expiration (using delayed_job in conjunction with application logic)

  • Description:

    1. Identify Non-Idempotent Jobs: Determine which jobs have side effects that should not be repeated.
    2. Implement Idempotency Checks: Within your job's perform method (which is executed by delayed_job), add checks to prevent duplicate execution. This often involves database checks or using unique constraints. This is application logic within the delayed_job context.
    3. Add Expiration Time (Optional): Add a custom expires_at column to the delayed_jobs table. When enqueuing a job, set this value. Within your job's perform method, check if the current time is past expires_at before proceeding. This uses delayed_job's table but requires custom logic within the job.
    4. Unique Job Identifiers (Optional): Generate a unique identifier (UUID) before enqueuing the job. Store this identifier. Within your job's perform method, check if the identifier has already been processed before executing. This uses delayed_job's execution context but requires custom logic.

  • Threats Mitigated:

    • Job Manipulation / Replay Attacks (Severity: Medium/Low): Prevents replaying jobs processed by delayed_job.

  • Impact:

    • Job Manipulation: Risk significantly reduced.

  • Currently Implemented:

    • Idempotency check in SendWelcomeEmailJob.

  • Missing Implementation:

    • Audit all jobs and implement idempotency checks.
    • Consider adding expiration times and unique identifiers.

Mitigation Strategy: Keep delayed_job Updated

  • Description:

    1. Use a Dependency Manager: Use Bundler (or another dependency manager) to manage delayed_job's version.
    2. Regularly Update: Run bundle update delayed_job regularly.
    3. Monitor Security Advisories: Use tools like bundler-audit to check for vulnerabilities in delayed_job.
    4. Test After Updates: Thoroughly test after updating delayed_job.

  • Threats Mitigated:

    • Vulnerabilities in delayed_job (Severity: Variable, potentially Critical): Addresses vulnerabilities in the delayed_job gem itself.

  • Impact:

    • delayed_job Vulnerabilities: Risk reduced.

  • Currently Implemented:

    • delayed_job is managed by Bundler.

  • Missing Implementation:

    • Establish a regular update schedule.
    • Set up automated vulnerability scanning.
    • Improve testing after updates.