Security - Update Jquery #46

Open
luciolebrillante opened this issue Aug 21, 2019 · 6 comments
Comments

@luciolebrillante

luciolebrillante commented Aug 21, 2019

Hello,

Shared-resources uses version 1.7.1 of Jquery, which contains an XSS vulnerability. Is it possible to update it to at least version 1.9 of Jquery or, better, the 3.4.1 version?

Even if the version is updated to 1.9, this version is no longer maintained by the Jquery team and does not receive any security update.

@dizzzz
Member

dizzzz commented Aug 21, 2019

Do you know if these versions are API compatible?

@duncdrum
Contributor

@dizzzz nope, even if we wouldn't break stuff in our own apps, we would very likely break them for every app that uses shared resources.

@duncdrum
Contributor

duncdrum commented Aug 21, 2019

@luciolebrillante I would recommend not using the jquery library that ships with shared resources for your own apps. An update to the way that shared resources works is in the making but still ways off.
FYI I tested the exploits I could find, and found them not to work when using eXist's own mix of xhtml and local loading, but I'm not a crack, so it's possible that someone more determined could make it work.

@luciolebrillante
Author

Thank you for your quick answer.

@dizzzz
I do not know sorry.

@duncdrum
After some research, it appears that shared-resources is not the only app which uses an obsolete Jquery version.
Instead of replacing it, why can't we make available the latest version of each Jquery branch? It will not break backward compatibility and offers the new one.

Trying to update manually
I updated Jquery to 1.9.1 for all of them in exist-db/webapp/WEB-INF/data/expathrepo/* but even if I replaced the version of Jquery in exist-db/webapp/WEB-INF/data/expathrepo/dashboard-1.1./templates/page.html, added the jquery file in exist-db/webapp/WEB-INF/data/expathrepo/shared-0.8.4/resources/scripts/ and restarted eXist, it didn't work. I still have version 1.7.1 loaded and written in the index page.

Do you have any clue how to modify the dashboard index page of eXist? I thought it was the dashboard app but it seems I was mistaken.

@duncdrum
Contributor

@luciolebrillante the core team is currently busy with the upcoming release of 5.0.0 scheduled for 08-31, which features a new dashboard and updates to all stock apps. It is therefore unlikely that any core devs will spend time on this now. When we do, it'll very likely be a 5.0.0+ feature.

If this is bothering you right now, I recommend switching to the latest release-candidate.

This leaves you with a few options to get in on the action though. To debug breakages with jquery 1.12.4 I would replace the jquery source file inside shared-resources/resources/scripts/jquery/ and see what breaks. You'll also need to update Bootstrap in a similar manner to the latest 3.x version.

There is the e2e-core repo with tests for 4.x core apps. You can run existing tests on your local machine, and if you notice a break without a matching test please open a PR to add them. eXide, monex, the demo apps, and public-repo afaik all use jquery 1. There might be others; some of them might ship with their own jquery. You'll have to check the resources folder manually, since most of them don't have a package.json.
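The manual check described above (look through each app's resources folder for a bundled jQuery, since most apps have no package.json to declare it) can be scripted. The following is an added example, not code from the eXist-db project or from anyone in this thread: it walks an expathrepo-style directory, reads the header comment of every .js file, and reports the jQuery version found per app, flagging anything below a chosen minimum (1.9 here, matching the request that opened this issue). The directory layout and header strings it creates are constructed sample data modelled on the paths mentioned in the thread; the real tree under webapp/WEB-INF/data/expathrepo/ may differ.

```python
"""Inventory jQuery copies bundled in an expathrepo tree and flag old versions.

Added example for this issue thread; not eXist-db project code.  The
directory names and headers below are constructed to resemble the apps
mentioned in the discussion and are not taken from a real installation.
"""
import os
import re
import tempfile

# Header forms shipped in jQuery distributions, e.g.
#   /*! jQuery v1.7.1 jquery.com | jquery.org/license */   (minified build)
#    * jQuery JavaScript Library v1.7.1                     (uncompressed build)
# jQuery UI headers read "jQuery UI - v..." and deliberately do not match.
JQUERY_HEADER = re.compile(r"jQuery(?: JavaScript Library)? v(\d+\.\d+(?:\.\d+)?)")

# Minimum acceptable version, as requested in this issue (assumption: 1.9 branch).
DEFAULT_MINIMUM = (1, 9)


def parse_version(text):
    """Return the jQuery version as an int tuple from a file header, else None."""
    match = JQUERY_HEADER.search(text[:2000])
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def scan_repo(root, minimum=DEFAULT_MINIMUM):
    """Walk root and return sorted (app, relative_path, version, outdated) tuples.

    Every .js file is inspected by header rather than by filename, so a renamed
    copy of jQuery is still found.  Only the first 4 KiB of each file is read.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read(4096))
            if version is None:
                continue
            rel = os.path.relpath(path, root)
            app = rel.split(os.sep)[0]          # top-level dir = installed app
            findings.append((app, rel, version, version < minimum))
    return sorted(findings)


def outdated_apps(findings):
    """Names of apps that bundle at least one jQuery below the minimum."""
    return sorted({app for app, _rel, _ver, outdated in findings if outdated})


def build_sample_repo():
    """Create a throwaway tree shaped like expathrepo/ (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="expathrepo-")
    samples = {
        "shared-0.8.4/resources/scripts/jquery/jquery-1.7.1.min.js":
            "/*! jQuery v1.7.1 jquery.com | jquery.org/license */",
        "dashboard-1.1.1/resources/scripts/jquery.min.js":
            "/*! jQuery v1.9.1 | (c) 2005, 2012 jQuery Foundation, Inc. | jquery.org/license */",
        "example-app-1.0/resources/scripts/lib.js":      # hypothetical app name
            " * jQuery JavaScript Library v3.4.1",
        "monex-1.0.1/resources/scripts/app.js":
            "// application code without a jQuery header",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content + "\n")
    return root


def report(root, minimum=DEFAULT_MINIMUM):
    """Print one line per bundled jQuery and return the outdated app names."""
    findings = scan_repo(root, minimum)
    for app, rel, version, outdated in findings:
        flag = "OUTDATED" if outdated else "ok"
        print(f"{app:20s} {'.'.join(map(str, version)):8s} {flag:9s} {rel}")
    return outdated_apps(findings)


if __name__ == "__main__":
    # Point this at webapp/WEB-INF/data/expathrepo on a real install; the
    # constructed tree is used here so the script runs stand-alone.
    sample_root = build_sample_repo()
    print("outdated:", report(sample_root))
```

On the constructed tree this lists three jQuery copies and flags only shared-0.8.4, because 1.7.1 is below the 1.9 threshold while 1.9.1 and 3.4.1 are not. Raising `DEFAULT_MINIMUM` to `(3, 4, 1)` turns the check into the stricter "latest 3.x" policy also mentioned in the issue.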

@luciolebrillante
Author

luciolebrillante commented Aug 23, 2019

@duncdrum
Thank you for your complete answer.

I prefer to wait until version 5.0.1 is released, I prefer to be careful.

Some news about what I did
I updated Jquery to 1.9.1 and briefly checked, and I didn't see bugs for:

  • monex-1.0.1
  • markdown-0.6
  • xsltforms-demo-0.1.5
  • demo-0.4.3
  • public-repo-1.0.1
  • eXide-2.4.8
  • dashboard-1.1.1
  • shared-0.8.4

I also updated bootstrap from 3.0.3 to 3.4.1 and briefly checked, and I didn't see bugs.
