This repository has been archived by the owner on May 17, 2021. It is now read-only.

Exception view execution data #206

Closed
Rido opened this issue Mar 1, 2016 · 1 comment

Rido commented Mar 1, 2016

When I try to view the execution output data I get an exception. The execution page is loaded but after 1-2 seconds I get the exception. I think that it's trying to load the output data.

ActiveRecord::RecordNotFound at /execution/totaalexport_*****.php
Couldn't find Minicron::Hub::Execution with 'id'=totaalexport_*****.php

Ruby    /opt/minicron/lib/vendor/ruby/2.2.0/gems/activerecord-4.2.5.1/lib/active_record/relation/finder_methods.rb: in raise_record_not_found_exception!, line 324
Web GET ir-cronjobs.nova14/execution/totaalexport_*****.php
Traceback (innermost first)

/opt/minicron/lib/vendor/ruby/2.2.0/gems/activerecord-4.2.5.1/lib/active_record/relation/finder_methods.rb: in raise_record_not_found_exception!
      raise RecordNotFound, error...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/activerecord-4.2.5.1/lib/active_record/relation/finder_methods.rb: in find_one
      raise_record_not_found_exception!(id, 0, 1) unless record...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/activerecord-4.2.5.1/lib/active_record/relation/finder_methods.rb: in find_with_ids
        result = find_one(ids.first)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/activerecord-4.2.5.1/lib/active_record/relation/finder_methods.rb: in find
        find_with_ids(*args)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/minicron-0.9.2.1454258962/lib/minicron/hub/controllers/executions.rb: in block in <class:App>
                                         .find(params[:id])...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in call
          proc { |a,p| unbound_method.bind(a).call }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in block in compile!
          proc { |a,p| unbound_method.bind(a).call }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in []
            route_eval { block[*args] }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in block (3 levels) in route!
            route_eval { block[*args] }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in route_eval
      throw :halt, yield...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in block (2 levels) in route!
            route_eval { block[*args] }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in block in process_route
        block ? block[self, values] : yield(self, values)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in catch
      catch(:pass) do...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in process_route
      catch(:pass) do...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in block in route!
          returned_pass_block = process_route(pattern, keys, conditions) do |*args|...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in each
        routes.each do |pattern, keys, conditions, block|...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in route!
        routes.each do |pattern, keys, conditions, block|...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in block in dispatch!
        route!...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in block in invoke
      res = catch(:halt) { yield }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in catch
      res = catch(:halt) { yield }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in invoke
      res = catch(:halt) { yield }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in dispatch!
      invoke do...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in block in call!
      invoke { dispatch! }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in block in invoke
      res = catch(:halt) { yield }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in catch
      res = catch(:halt) { yield }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in invoke
      res = catch(:halt) { yield }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in call!
      invoke { dispatch! }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in call
      dup.call!(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-protection-1.5.3/lib/rack/protection/xss_header.rb: in call
        status, headers, body = @app.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-protection-1.5.3/lib/rack/protection/path_traversal.rb: in call
        app.call env...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-protection-1.5.3/lib/rack/protection/json_csrf.rb: in call
        status, headers, body = app.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-protection-1.5.3/lib/rack/protection/base.rb: in call
        result or app.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-protection-1.5.3/lib/rack/protection/base.rb: in call
        result or app.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-protection-1.5.3/lib/rack/protection/frame_options.rb: in call
        status, headers, body        = @app.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-1.6.4/lib/rack/nulllogger.rb: in call
      @app.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-1.6.4/lib/rack/head.rb: in call
    status, headers, body = @app.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in call
      result, callback = app.call(env), env['async.callback']...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in call
      @stack.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-1.6.4/lib/rack/urlmap.rb: in block in call
        return app.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-1.6.4/lib/rack/urlmap.rb: in each
      @mapping.each do |host, location, match, app|...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-1.6.4/lib/rack/urlmap.rb: in call
      @mapping.each do |host, location, match, app|...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-1.6.4/lib/rack/session/abstract/id.rb: in context
          status, headers, body = app.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-1.6.4/lib/rack/session/abstract/id.rb: in call
          context(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-1.6.4/lib/rack/showexceptions.rb: in call
      @app.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/rack-1.6.4/lib/rack/commonlogger.rb: in call
      status, header, body = @app.call(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/sinatra-1.4.7/lib/sinatra/base.rb: in call
        call_without_check(env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/thin-1.6.3/lib/thin/connection.rb: in block in pre_process
        response = @app.call(@request.env)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/thin-1.6.3/lib/thin/connection.rb: in catch
      catch(:async) do...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/thin-1.6.3/lib/thin/connection.rb: in pre_process
      catch(:async) do...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/thin-1.6.3/lib/thin/connection.rb: in process
        post_process(pre_process)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/thin-1.6.3/lib/thin/connection.rb: in receive_data
      process if @request.parse(data)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/eventmachine-1.0.6/lib/eventmachine.rb: in run_machine
        run_machine...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/eventmachine-1.0.6/lib/eventmachine.rb: in run
        run_machine...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/thin-1.6.3/lib/thin/backends/base.rb: in start
          EventMachine.run(&starter)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/thin-1.6.3/lib/thin/server.rb: in start
      @backend.start { setup_signals if @setup_signals }...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/minicron-0.9.2.1454258962/lib/minicron/transport/server.rb: in start!
        @server.start...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/minicron-0.9.2.1454258962/lib/minicron/cli/commands.rb: in block (3 levels) in add_server_cli_command
                Minicron::Transport::Server.start!(...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/insidious-0.3/lib/insidious.rb: in call
      block.call...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/insidious-0.3/lib/insidious.rb: in run_daemon!
      block.call...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/insidious-0.3/lib/insidious.rb: in start!
      run_daemon!(&block)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/insidious-0.3/lib/insidious.rb: in restart!
    start!(&block)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/minicron-0.9.2.1454258962/lib/minicron/cli/commands.rb: in block (2 levels) in add_server_cli_command
              insidious.restart! do...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/commander-4.3.7/lib/commander/command.rb: in call
      when Proc then object.call(args, options)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/commander-4.3.7/lib/commander/command.rb: in call
      when Proc then object.call(args, options)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/commander-4.3.7/lib/commander/command.rb: in run
      call parse_options_and_call_procs(*args)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/commander-4.3.7/lib/commander/runner.rb: in run_active_command
        active_command.run(*args_without_command_name)...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/commander-4.3.7/lib/commander/runner.rb: in run!
        run_active_command...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/minicron-0.9.2.1454258962/lib/minicron/cli.rb: in run
      @cli.run!...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/minicron-0.9.2.1454258962/bin/minicron: in block in <top (required)>
    Minicron::CLI.run(ARGV) do |output|...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/minicron-0.9.2.1454258962/lib/minicron.rb: in capture_output
      yield...
/opt/minicron/lib/vendor/ruby/2.2.0/gems/minicron-0.9.2.1454258962/bin/minicron: in <top (required)>
  Minicron.capture_output(:type => :stderr) do...
/opt/minicron/lib/vendor/ruby/2.2.0/bin/minicron: in load
load Gem.bin_path('minicron', 'minicron', version)...
/opt/minicron/lib/vendor/ruby/2.2.0/bin/minicron: in <main>
load Gem.bin_path('minicron', 'minicron', version)

The saved output for this execution is:
[screenshot at mar 01 09-42-36]

@jamesrwhite jamesrwhite added this to the future milestone Mar 13, 2016
@jamesrwhite (Owner) commented:

Ahh...

So the problem here is that the output isn't being escaped/encoded before it's inserted into the page so it's being treated as actual HTML. If you look at what your job does after 500ms it redirects the user to /totaalexport_*****.php?rank=something&blah=blah which is where that error you are seeing comes from.

For fun, if you ran `minicron run "echo '<script>alert(1);</script>'"` you can self-xss yourself 😄

I'll fix this in the next release, thanks for reporting!
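The escaping problem described above, shown as an added example that is not minicron's own code: a job's output rendered raw into an ERB template beside the same template with the output passed through `ERB::Util.html_escape` first, plus a small check that flags rendered pages where output markup survives as live tags. The sample output, the template strings and the helper names are constructed for this illustration and assume ERB views like the ones minicron uses.

```ruby
require 'erb'

# Constructed sample of job output (hypothetical): a redirect like the one
# the reporter's job emitted, plus the self-XSS payload from the comment above.
SAMPLE_OUTPUT = "done\n" \
  "<meta http-equiv=\"refresh\" content=\"0;url=/totaalexport_example.php\">\n" \
  "<script>alert(1);</script>"

# Vulnerable pattern: the output string is interpolated into the page as-is,
# so any tags it contains become part of the document and are executed.
UNSAFE_TEMPLATE = ERB.new('<pre class="output"><%= output %></pre>')

# Hardened pattern: the output is HTML-escaped before insertion, so the browser
# displays the tags as text instead of interpreting them.
SAFE_TEMPLATE = ERB.new('<pre class="output"><%= ERB::Util.html_escape(output) %></pre>')

def render_unsafe(output)
  UNSAFE_TEMPLATE.result_with_hash(output: output)
end

def render_safe(output)
  SAFE_TEMPLATE.result_with_hash(output: output)
end

# Review check: strip the wrapping <pre> element this example adds and report
# whether any tag from the job output survived into the rendered page.
def contains_live_tags?(html)
  inner = html.sub(%r{\A<pre class="output">}, '').sub(%r{</pre>\z}, '')
  inner.match?(/<\w+[^>]*>/)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe render has live tags: #{contains_live_tags?(render_unsafe(SAMPLE_OUTPUT))}"
  puts "safe render has live tags:   #{contains_live_tags?(render_safe(SAMPLE_OUTPUT))}"
end
```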

@jamesrwhite jamesrwhite modified the milestones: 0.9.3, future Mar 13, 2016
@jamesrwhite jamesrwhite self-assigned this Mar 13, 2016
jamesrwhite added a commit that referenced this issue Mar 13, 2016
jamesrwhite added a commit that referenced this issue May 15, 2016
* develop: (23 commits)
  git tag was missing the `v` prefix
  Bump version
  Prevent issue in #222
  Bump version
  Make same optimisation as #219 to all models
  Bump version
  Reconnect for #216
  avoid many delete and high cpu usage
  No longer required
  Use job command for name #210
  Remove test connection button
  Escaping fix for #206
  Update import jobs button name
  Enhancements on import functions
  Tidy up slack integration in #208
  Improvements for import jobs function
  Small changes on import jobs
  Button to import jobs
  Import existing crontab jobs
  Read and parse a crontab file
  ...

# Conflicts:
#	lib/minicron.rb
#	lib/minicron/hub/views/partials/sidebar.erb
#	minicron.gemspec