This release contains fixes for security issues related to dashboard, so it is highly recommended to upgrade. Cross-Site Request Forgery protection was added by using existing libraries, but methods are different across application frameworks:
- For ASP.NET Core, no additional configuration is required, since
Microsoft.AspNetCore.Antiforgerypackage is used to generate and validate tokens. Dependency injection is used to obtain the implementation and apply it when available.
- For other frameworks, additional configuration is required based on an abstract
IOwinDashboardAntiforgeryinterface, because the available implementation is tightly coupled with the
System.Web.Helpersassembly. Please check this gist to learn how to enable antiforgery token validation on ASP.NET and ASP.NET MVC platforms.
Other important updates include a new retry implementation for state changes in the
Worker class to avoid any reads and writes whenever it is possible for a job’s distributed lock to be abandoned, because it may lead to consistency issues. Transitions directly to the Failed state without applying the job filters were also disabled, because such a behavior is not a determined one.
Also, looks like waiting on
CancellationToken.WaitHandle rarely leads to high CPU usage. I was unable to reveal the exact reason for this, but any other implementation, including using
Task.Delay or own tandem of
ManualResetEvent works fine without such issues.
- SECURITY – Add “robots” meta tag to ensure browser don’t index dashboard pages.
SECURITY – Add support for antiforgery validation to prevent CSRF attacks (requires configuration).
- Fixed – Perform state change retries using a fresh connection when job’s distributed lock may be abandoned.
- Fixed – Disallow transitions to the Failed state on retries that bypass all the filters.
Fixed – Remove possible rare CPU spikes due to the use of
- Fixed – Avoid resolving types and methods for logging in static constructors that may lead to process shutdown.
Fixed – Prevent Recurring jobs dashboard from throwing
- Fixed – Replace wall clocks with monotonic ones when calculating local timeouts.
- Fixed – Change logger initialization to be deterministic and predictable by using instance fields.
Fixed – Make
_currentLogProviderfield access to use volatile reads/writes.
Fixed – Typo in
NotSupportedException’s message (by @benrick).
- Fixed – Typo on the Failed jobs page (by @gareth-evans).
- Fixed – Remove the synthetic limitation to support Azure SQL Management instance (by @TimSQL).
- SECURITY – Use ASP.NET Core’s built-in antiforgery validation to prevent CSRF attacks.