This repository has been archived by the owner on Dec 8, 2022. It is now read-only.

Angular Version Security Update #1087

Closed

Blackbaud-SpencerMurphy opened this issue Jan 16, 2018 · 5 comments

Comments

@Blackbaud-SpencerMurphy (Contributor) commented Jan 16, 2018

Expected behavior

SkyUX should be up to date with latest angular version

Actual behavior

SkyUX is on angular version 1.6.1 which apparently has a security vulnerability

Steps to reproduce

Our latest OWASP security scan brought to our attention that there is a security vulnerability in angular versions less than 1.6.5. Here is the text from the scan:
"In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via document.implementation.createHTMLDocument() is used. Angular version 1.6.5 checks for these vulnerabilities and then uses a DOMParser or XHR strategy if needed. Please refer to vendor documentation (https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates."

I went ahead and pulled down a local copy of the repo, updated the package.json to the latest version of angular 1 (1.6.8) and ran all the tests. It appears that everything is passing, although I have not actually had anything up and running on it outside of the tests. Should I go ahead and submit a pull request with the updates?

Update

After looking closer at the scan, it also flagged jquery-ui (currently 1.11.4, needs to be 1.12.1) and jquery (currently 2.1.3, needs to be 3.0.0). Locally updating jquery-ui only resulted in one failure in one of the datepicker unit tests, but the jquery update was super problematic, causing basically all of the visual tests to fail. With that being a much more drastic change, I'm not sure the best way to move forward with this, but wanted to at least make it known, as this could potentially affect anyone using SkyUX.
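
The check that a scan like the one above performs, reduced to a script you can run against a package.json, as an added example (not SkyUX code and not the OWASP scanner's logic). The minimum versions are the three named in this issue (angular 1.6.5, jquery-ui 1.12.1, jquery 3.0.0); the sample package.json is constructed to match the versions the issue reports. The script assumes a caret, tilde or exact range can be reduced to its lowest satisfying version, which is the version you must assume is installed unless a lockfile says otherwise.

```javascript
// Added example: audit declared dependency versions against the minimum
// versions the OWASP scan quoted in this issue asked for. Not SkyUX code.

// Minimum safe versions as stated in the scan findings above.
const MINIMUM_SAFE = {
  angular: '1.6.5',
  'jquery-ui': '1.12.1',
  jquery: '3.0.0',
};

// Parse "1.6.1", "^1.6.1", "~1.6.1", "=1.6.1" or "v1.6.1" into [major, minor, patch].
// Assumption: ranges are reduced to their lowest version; anything else is rejected.
function parseVersion(spec) {
  const m = /^[\^~=v]?\s*(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va[i] !== vb[i]) return va[i] - vb[i];
  }
  return 0;
}

// Audit a package.json-style object. Returns one finding per dependency that
// is declared below its minimum safe version; an empty array means clean.
function auditDependencies(pkg, minimums = MINIMUM_SAFE) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, minimum] of Object.entries(minimums)) {
    if (!(name in declared)) continue; // library not used by this project
    const current = declared[name];
    if (compareVersions(current, minimum) < 0) {
      findings.push({ name, current, minimum });
    }
  }
  return findings;
}

// Constructed sample input: the versions this issue says SkyUX was on,
// plus one unrelated dependency that the audit must leave alone.
const samplePackageJson = {
  dependencies: {
    angular: '1.6.1',
    jquery: '2.1.3',
    'jquery-ui': '1.11.4',
    lodash: '4.17.4',
  },
};

const report = auditDependencies(samplePackageJson);
for (const f of report) {
  console.log(`${f.name}: declared ${f.current}, needs >= ${f.minimum}`);
}
```

Run it under Node against the real package.json (replace the constructed sample with `JSON.parse(fs.readFileSync('package.json'))`). Because a declared range such as `^1.6.1` says nothing about what npm actually resolved, treat a clean result from package.json as necessary but not sufficient and repeat the comparison against the lockfile or the bundled file's version banner before closing a finding.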

@Blackbaud-BobbyEarl

I'm surprised we didn't get automated security vulnerability warnings through GitHub for the AngularJS and jquery-ui related vulnerabilities. We have that service enabled and have received a couple to date.

Specifically, we recently received two such reports regarding upgrading jQuery. CVE-2015-9251 and CVE-2016-10707. We were able to evaluate those and deem them as not applicable.

Not having such a link makes it harder to evaluate the vulnerabilities you've mentioned. Are you able to provide such links @Blackbaud-SpencerMurphy?

@Blackbaud-SpencerMurphy (Contributor, Author)

I don't have those exact same type of links, but I can provide the OWASP scan output, which has links to the GitHub issues from the libraries. The jQuery vulnerability our scan found appears to be the same as CVE-2015-9251.

Vulnerable javascript library: Angular
version: 1.6.1
Details:
In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via document.implementation.createHTMLDocument() is used. Angular version 1.6.5 checks for these vulnerabilities and then uses a DOMParser or XHR strategy if needed. Please refer to vendor documentation (angular/angular.js@8f31f1f) for latest security updates.

Vulnerable javascript library: jQuery.ui.dialog
version: 1.11.4
Details:
jquery.ui.dialog version below 1.12.0 is vulnerable to XSS if the user input is allowed to pass through to the closeText property. Please refer to vendor documentation (jquery/api.jqueryui.com#281) for latest security updates.

Some of this will probably require more investigation on our end, but we wanted to bring it up here.
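
The bug class the jquery.ui.dialog finding describes, as an added example that is not jQuery UI's or SkyUX's code: a caller-supplied closeText string is built into the close button's markup in two ways, once as raw markup (the vulnerable pattern) and once as escaped text. The payload is a generic, constructed XSS canary, not a reproduction of the original report, and the `containsForeignTag` oracle is an illustration helper, not a general XSS detector.

```javascript
// Added example: untrusted closeText reaching an HTML sink, vulnerable and
// hardened. Not jQuery UI code; the helper names are this example's own.

// Minimal HTML escaping for text placed inside an element body or inside a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: closeText is interpolated into markup unchanged, so
// whatever the caller passes is parsed as HTML by the browser.
function buildCloseButtonUnsafe(closeText) {
  return `<button type="button" title="${closeText}">${closeText}</button>`;
}

// Hardened pattern: closeText is treated as text in both the attribute and
// the element body; tags and quotes in it are rendered literally.
function buildCloseButtonSafe(closeText) {
  const t = escapeHtml(closeText);
  return `<button type="button" title="${t}">${t}</button>`;
}

// Crude oracle for a unit test: does the markup contain any tag other than
// the single <button> we intended to emit?
function containsForeignTag(markup) {
  const tags = [...markup.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map(m => m[1].toLowerCase());
  return tags.some(t => t !== 'button');
}

// Constructed input: a label an attacker could supply if closeText is fed
// from user-controlled data. It closes the button early and injects a tag.
const canary = '</button><img src=x onerror=alert(1)>';

console.log(containsForeignTag(buildCloseButtonUnsafe(canary))); // true
console.log(containsForeignTag(buildCloseButtonSafe(canary)));   // false
```

In DOM code the equivalent of the hardened form is assigning the string through `textContent` and the `title` property (or jQuery's `.text()` and `.attr()`) instead of building an HTML string, so there is no point at which the browser parses the label as markup. If the dialog wrapper in a project exposes closeText to anything other than a developer-written literal, that is the call site to review.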

@Blackbaud-IsaacAggrey

[Screenshot attached: Outlook mail, 2019-05-28]

@Blackbaud-BobbyEarl - you think these are along the same lines as what you validated as not applicable?

@Blackbaud-BobbyEarl

I agree they are related, and I would feel comfortable marking both of these as resolved.

@Blackbaud-PaulCrowder (Member)

AngularJS was updated to 1.6.5 in #1117.
