Since this is already a public security advisory and a jQuery vulnerability, I am posting it as a public issue.
Summary:
CVE-2020-11022
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Problem:
The current stable version of OctoberCMS uses jQuery 3.4.0 which is vulnerable.
Solution:
The code-base should either be updated to support jQuery 3.5.0 or higher, or jQuery.htmlPrefilter should be overridden as a workaround - discussed here:
jQuery GitHub security advisory
From the link above - workaround:
// Return the HTML unchanged instead of letting jQuery rewrite it before insertion.
jQuery.htmlPrefilter = function( html ) {
return html;
};
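To show what the advisory's workaround actually changes, here is an added example that is not code from this thread, from OctoberCMS or from jQuery: a stand-in jQuery object carrying the pre-3.5.0 htmlPrefilter behaviour (the regex is reproduced from memory of the jQuery 3.4.x source and should be treated as an assumption), the identity override from the report applied to it, and a probe a maintainer can run against a loaded page to tell whether the prefilter still rewrites markup before it reaches the parser.

```javascript
// Added example, not from this thread or from jQuery/OctoberCMS code.
// A minimal stand-in for the jQuery object so the check runs without a DOM.
// The regex and replacement reproduce the pre-3.5.0 htmlPrefilter from memory
// of the jQuery 3.4.x source; treat that as an assumption.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function makeVulnerableJQuery() {
  return {
    version: "3.4.1",
    // Expands self-closing tags such as <p/> into <p></p>, so the markup that
    // reaches the HTML parser is not the markup the sanitizer approved.
    htmlPrefilter: function (html) {
      return html.replace(rxhtmlTag, "<$1></$2>");
    },
  };
}

// The advisory's workaround quoted in the report: make the prefilter an identity.
function applyWorkaround(jq) {
  jq.htmlPrefilter = function (html) {
    return html;
  };
  return jq;
}

// Probe: does this jQuery instance still rewrite markup before insertion?
// Feeds a harmless self-closing tag and compares the output to the input.
function prefilterRewritesMarkup(jq) {
  const probe = "<p/>";
  return jq.htmlPrefilter(probe) !== probe;
}

// Constructed sample: output a sanitizer might legitimately emit.
const sanitizedHtml = "<b/>text";

const vulnerable = makeVulnerableJQuery();
console.log(vulnerable.htmlPrefilter(sanitizedHtml)); // "<b></b>text"
console.log(prefilterRewritesMarkup(vulnerable));       // true

const patched = applyWorkaround(makeVulnerableJQuery());
console.log(patched.htmlPrefilter(sanitizedHtml));      // "<b/>text"
console.log(prefilterRewritesMarkup(patched));          // false
```

In a browser console the same probe is `jQuery.htmlPrefilter("<p/>") !== "<p/>"`: true means the loaded build still rewrites markup and the upgrade or override has not taken effect.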
@mrgswift I realize that this is already public but I would prefer to have these reports come through privately first. We deal with all security reports very quickly so I prefer to discuss them back and forth over email before public issues are submitted when they may not be applicable.
Understood. From now on anything related to security will be discussed privately.
Thanks, I appreciate it!
Fixed by https://github.com/octobercms/october/commit/5c7ba9fbe9f2b596b2f0e3436ee06b91b97e5892, thanks for the report @mrgswift!
@bennothommo is there a way we can tell GitHub what our JS dependencies are so that we can get notified when they release security advisories?
@LukeTowers we have to define the specific versions we are running in the package.json file I've already set up for JS testing - https://github.com/octobercms/october/network/dependencies. At the moment, it sees us as running ^3.4.1, which means we wouldn't have got the advisory as we're saying we can accept versions above that.
@bennothommo we should probably switch that to be more of a reporting feature than an actual package management file, i.e. specify the exact package versions we use.
@LukeTowers yep, agreed, as long as the tests still work. I'll take a look soon.
@LukeTowers @bennothommo as I said in the past a few times, use this: https://snyk.io/ or https://github.com/apps/whitesource-bolt-for-github
@ayumi-cloud GitHub has a tool for dependency vuln reporting built in, we just need to adjust our package.json to make it known to GitHub what dependencies we're using for JS. I believe it's on @bennothommo's todo list, but if you'd like to do it, go ahead!
@LukeTowers I tried that out - the only (really minor) issue with specifying all these dependencies is that when npm install is run to do the tests, it downloads all of them into the node_modules folder, even though they aren't needed for the tests.
I was hoping to have npm deliver these dependencies into the folders we have them in October (potentially giving us a decent mechanism to quickly update JS dependencies) but npm doesn't support multiple paths :(
Oh well, even just having them recorded centrally and being tracked by GitHub is an improvement. Is Yarn any better? I don't really know anything about JS package management.
@LukeTowers I think Yarn has the same limitation. It's no big deal, it just would've been a nice-to-have.