
Update dependency jquery-ui-rails to v7 [SECURITY] #2655

Open

wants to merge 1 commit into master

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Mar 19, 2024

This PR contains the following updates:

Package: jquery-ui-rails
Change: '6.0.1' -> '7.0.0'

GitHub Vulnerability Alerts

CVE-2021-41182

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

CVE-2021-41183

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

CVE-2021-41184

Impact

Accepting the value of the "of" option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the "of" option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the "of" option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.


Release Notes

joliss/jquery-ui-rails (jquery-ui-rails)

v7.0.0

Compare Source

  • Update to jQuery UI 1.13.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
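All three advisories above share one root cause: a string option was handed to jQuery's $() (or inserted as markup), and jQuery treats any string that looks like a tag as HTML to parse rather than a selector to query. The following is an added example, not code from jQuery UI, jquery-ui-rails or this PR. It re-implements jQuery's HTML-versus-selector decision in plain JavaScript so the advisory payloads can be classified offline, and adds two guards, asSelector() for selector-valued options (altField, position's "of") and asText() for the *Text options, that reproduce what the 1.13.0 fix does at the option level. The regular expression is jQuery's own rquickExpr; the claim that 1.13.0 resolves selector strings with $(document).find() is an assumption about the fix's mechanism (the advisory only says "treated as a CSS selector"); hardenDatepickerOptions and the option name sets are hypothetical helpers for illustration.

```javascript
// Added example (not jQuery UI's or jquery-ui-rails' code): emulates how
// jQuery decides whether a string passed to $() is HTML or a selector, which
// is why the advisory payloads above execute, and shows option-level guards.

// jQuery's "quick expression": either an HTML fragment (possibly with leading
// whitespace and trailing text) or a bare "#id".
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Returns true when jQuery would feed the string to $.parseHTML() instead of
// querying the DOM. Mirrors the two checks in jQuery.fn.init: a fast path for
// strings that start with "<" and end with ">", then the regex above.
function looksLikeHtml(value) {
  if (typeof value !== 'string') return false;
  if (value[0] === '<' && value[value.length - 1] === '>' && value.length >= 3) {
    return true; // fast path: "<img ... />"
  }
  const m = RQUICK_EXPR.exec(value);
  return Boolean(m && m[1]); // slow path: "  <img ...> trailing text"
}

// Guard for selector-valued options (altField, position's "of"). Rejects any
// string that jQuery would parse as HTML. Assumption: jQuery UI 1.13.0 gets the
// same effect by resolving the string with $(document).find(value), which
// only ever runs a selector query and never parses markup.
function asSelector(value) {
  if (typeof value !== 'string' || looksLikeHtml(value)) {
    throw new TypeError('option must be a CSS selector, not markup');
  }
  return value;
}

// Guard for the *Text options (closeText, prevText, ...). Escapes the HTML
// metacharacters so the value renders as text; 1.13.0 does the equivalent by
// inserting these values as text rather than as markup.
function asText(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical helper: applies the guards to a datepicker options object so
// the option names from the advisories can be filled from untrusted input.
const SELECTOR_OPTIONS = new Set(['altField']);
const TEXT_OPTIONS = new Set([
  'closeText', 'currentText', 'prevText', 'nextText', 'buttonText', 'appendText',
]);

function hardenDatepickerOptions(options) {
  const out = {};
  for (const [key, value] of Object.entries(options)) {
    if (SELECTOR_OPTIONS.has(key)) out[key] = asSelector(value);
    else if (TEXT_OPTIONS.has(key)) out[key] = asText(value);
    else out[key] = value; // booleans, callbacks, etc. pass through unchanged
  }
  return out;
}

// Constructed inputs: the altField payload from CVE-2021-41182 and a variant
// with leading whitespace that a naive "starts with <" check would miss.
const ADVISORY_PAYLOAD = "<img onerror='doEvilThing()' src='/404' />";
const WHITESPACE_PAYLOAD = "  <img src=x onerror=doEvilThing()> tail";

// Classifies the constructed inputs plus two legitimate selectors and returns
// the results so a caller can inspect them.
function classifySamples() {
  return {
    advisory: looksLikeHtml(ADVISORY_PAYLOAD),     // true
    whitespace: looksLikeHtml(WHITESPACE_PAYLOAD), // true
    byId: looksLikeHtml('#altField'),              // false
    byClass: looksLikeHtml('input.alt-date'),      // false
  };
}
```

Pass option objects through hardenDatepickerOptions before calling .datepicker(); the same asSelector() guard applies to the "of" option of .position(). On jQuery UI 1.13.0 and later (jquery-ui-rails 7.0.0) this is defence in depth only; the upgrade in this PR is the actual fix, and on 1.12.x the guards are a stopgap until it lands.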

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Mar 19, 2024
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch from 698ebb8 to 15faf5c Compare April 12, 2024 16:45
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch 3 times, most recently from 1b19803 to 083c8a3 Compare May 17, 2024 01:47
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch from 083c8a3 to 2bb963c Compare June 12, 2024 04:47
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch from 2bb963c to 1eb58d0 Compare June 22, 2024 03:49
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch 3 times, most recently from 0e50234 to 2c852d9 Compare July 22, 2024 04:29
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch 3 times, most recently from 80eebd9 to 438a0ba Compare August 2, 2024 09:18
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch from 438a0ba to 7340604 Compare August 11, 2024 04:14
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch from 7340604 to e2e3da3 Compare August 22, 2024 08:25
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch 7 times, most recently from 38e6a01 to fc8cfaf Compare September 4, 2024 17:11
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch 2 times, most recently from fd24f99 to b49b9a0 Compare September 7, 2024 06:55
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch from b49b9a0 to c1a8488 Compare September 30, 2024 12:29
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch 4 times, most recently from afc66fa to c72d955 Compare October 21, 2024 13:29
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch from c72d955 to 1d64ec2 Compare October 25, 2024 04:28
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch 2 times, most recently from 6d2fde5 to bff27d6 Compare November 2, 2024 04:34
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch 2 times, most recently from d1fe0f5 to 340bfb6 Compare November 8, 2024 10:55
@renovate renovate bot changed the title Update dependency jquery-ui-rails to v7 [SECURITY] chore(deps): update dependency jquery-ui-rails to v7 [security] Nov 8, 2024
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch 5 times, most recently from 4d25d65 to fa79102 Compare November 14, 2024 08:27
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch from fa79102 to 8c2fd99 Compare November 19, 2024 08:35
Contributor Author

renovate bot commented Nov 19, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock
[11:31:58.754] INFO (71): Installing tool ruby@3.0.3...
installing v2 tool ruby v3.0.3
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/3.0.3/ruby-3.0.3-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/3.0.3/ruby-3.0.3-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/3.0.3/ruby-3.0.3-jammy-x86_64.tar.xz
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/3.0.3/ruby-3.0.3-jammy-x86_64.tar.xz
[11:32:00.413] INFO (139): Downloading file ...
    url: "https://github.com/containerbase/ruby-prebuild/releases/download/3.0.3/ruby-3.0.3-jammy-x86_64.tar.xz"
    output: "/tmp/renovate/cache/containerbase/500bb85aafd22fa0602ae4677b8244140f70593fdf1f82434c353a72ed783ac4/ruby-3.0.3-jammy-x86_64.tar.xz"
[11:32:00.493] ERROR (139): Response code 404 (Not Found)
[11:32:00.494] FATAL (139): Download failed in 81ms.
[11:32:00.565] ERROR (71): Command failed with exit code 1: /usr/local/containerbase/bin/install-tool.sh ruby 3.0.3
[11:32:00.565] FATAL (71): Install tool ruby failed in 1.8s.


@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch from 8c2fd99 to 5ffdc54 Compare November 19, 2024 08:51
@renovate renovate bot force-pushed the renovate/rubygems-jquery-ui-rails-vulnerability branch from 5ffdc54 to b629724 Compare November 26, 2024 11:32
@renovate renovate bot changed the title chore(deps): update dependency jquery-ui-rails to v7 [security] Update dependency jquery-ui-rails to v7 [SECURITY] Nov 26, 2024