Angular Version Security Update #1087
Comments
I'm surprised we didn't get automated security vulnerability warnings through GitHub for the Specifically, we recently received two such reports regarding upgrading jQuery: CVE-2015-9251 and CVE-2016-10707. We were able to evaluate those and deem them not applicable. Not having such a link makes it harder to evaluate the vulnerabilities you've mentioned. Are you able to provide such links @Blackbaud-SpencerMurphy?
I don't have those exact same type of links, but I can provide the OWASP scan output, which has links to the GitHub issues from the libraries. The jQuery vulnerability our scan found appears to be the same as CVE-2015-9251.
Vulnerable javascript library: Angular
Vulnerable javascript library: jQuery.ui.dialog
Some of this will probably require more investigation on our end, but we wanted to bring it up here.
@Blackbaud-BobbyEarl - you think these are along the same lines as what you validated as not applicable?
I agree they are related, and I would feel comfortable marking both of these as resolved.
AngularJS was updated to 1.6.5 in #1117. |
Expected behavior
SkyUX should be up to date with latest angular version
Actual behavior
SkyUX is on angular version 1.6.1 which apparently has a security vulnerability
Steps to reproduce
In our latest OWASP security scan, it brought to our attention that there is a security vulnerability in angular versions less than 1.6.5. Here is the text from the scan:
"In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via document.implementation.createHTMLDocument() is used. Angular version 1.6.5 checks for these vulnerabilities and then uses a DOMParser or XHR strategy if needed. Please refer to vendor documentation (https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates."
I went ahead and pulled down a local copy of the repo, updated the package.json to the latest version of angular 1 (1.6.8) and ran all the tests. It appears that everything is passing, although I have not actually had anything up and running on it outside of the tests. Should I go ahead and submit a pull request with the updates?
Update
After looking closer at the scan, it also flagged jquery-ui (currently 1.11.4, needs to be 1.12.1) and jquery (currently 2.1.3, needs to be 3.0.0). Locally updating jquery-ui only resulted in one failure in one of the datepicker unit tests, but the jquery update was super problematic, causing basically all of the visual tests to fail. With that being a much more drastic change, I'm not sure the best way to move forward with this, but wanted to at least make it known, as this could potentially affect anyone using SKYUX.
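The scan findings above boil down to three declared dependency floors (angular below 1.6.5, jquery below 3.0.0, jquery-ui below 1.12.1). The following Node script is an added example, not SkyUX code, that audits a package.json-shaped object against those minimums; the package names and the sample manifest are assumptions constructed from the versions quoted in this issue.

```javascript
// Added example (not SkyUX code): flag declared dependency versions that fall
// below the minimums the OWASP scan in this issue called for.
const MIN_SAFE = {
  // minimum versions quoted in this issue; npm package names are assumed
  'angular': '1.6.5',
  'jquery': '3.0.0',
  'jquery-ui': '1.12.1',
};

// Extract the lowest version a declared range admits ("1.6.1", "^1.6.1",
// "~1.6.1", ">=1.6.1"). Returns null for ranges that cannot be resolved
// statically ("latest", "*", git URLs); those need a lockfile check instead.
function lowestVersion(range) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(range);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns one finding per tracked package present in dependencies or
// devDependencies. Note this checks the declared floor only: a caret range
// may have resolved higher in the lockfile, so treat 'below-minimum' as
// "the manifest still permits a vulnerable version".
function auditDependencies(pkg) {
  const declared = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  const findings = [];
  for (const [name, minimum] of Object.entries(MIN_SAFE)) {
    if (!(name in declared)) continue;
    const low = lowestVersion(declared[name]);
    let status = 'unresolvable';
    if (low !== null) {
      status = compareVersions(low, lowestVersion(minimum)) < 0 ? 'below-minimum' : 'ok';
    }
    findings.push({ name, declared: declared[name], status, minimum });
  }
  return findings;
}

// Constructed sample mirroring the versions reported in this issue.
const SAMPLE_PACKAGE = {
  dependencies: { angular: '1.6.1', jquery: '2.1.3', 'jquery-ui': '1.11.4' },
};

for (const f of auditDependencies(SAMPLE_PACKAGE)) {
  console.log(`${f.name}@${f.declared}: ${f.status} (minimum ${f.minimum})`);
}
```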