Potential vulnerability in jQuery

[mrgswift]

Since this is already a public security advisory and a jQuery vulnerability, I am posting it as a public issue.

Summary:

CVE-2020-11022
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0

Problem:

The current stable version of OctoberCMS uses jQuery 3.4.0 which is vulnerable.

Solution:

The code-base should either be updated to support jQuery 3.5.0 or higher, or jQuery.htmlPrefilter should be overridden as a workaround - discussed here:
jQuery GitHub security advisory

From link above - workaround:
jQuery.htmlPrefilter = function( html ) { return html; };

[LukeTowers]

@mrgswift I realize that this is already public but I would prefer to have these reports come through privately first. We deal with all security reports very quickly so I prefer to discuss them back and forth over email before public issues are submitted when they may not be applicable.

[mrgswift]

Understood. From now on anything related to security will be discussed privately.

[LukeTowers]

Thanks, I appreciate it!

[LukeTowers]

Fixed by 5c7ba9f, thanks for the report @mrgswift!

@bennothommo is there a way we can tell GitHub what our JS dependencies are so that we can get notified when they release security advisories?

[bennothommo]

@LukeTowers we have to define the specific versions we are running in the package.json file I've already set up for JS testing - https://github.com/octobercms/october/network/dependencies. At the moment, it see us as running as ^ 3.4.1, which means we wouldn't have got the advisory as we're saying we can accept versions above that.

[LukeTowers]

@bennothommo we should probably switch that to be more of a reporting feature than an actual package management file, i.e. specify the exact package versions we use

[bennothommo]

@LukeTowers yep, agreed, as long as the tests still work. I'll take a look soon.

[summercms]

@LukeTowers @bennothommo as I said in the past a few times, use this: https://snyk.io/ or https://github.com/apps/whitesource-bolt-for-github

[LukeTowers]

@ayumi-cloud GitHub has a tool for dependency vuln reporting built in, we just need to adjust our package.json to make it known to GitHub what dependencies we're using for JS. I believe it's on @bennothommo's todo list, but if you'd like to do it, go ahead!

[bennothommo]

@LukeTowers I tried that out - the only (really minor) issue is that specifying all these dependencies is that when npm install is run to do the tests, it downloads all these dependencies into the node_modules folder, even though they aren't needed for the tests.

I was hoping to have npm deliver these dependencies into the folders we have them in October (potentially giving us a decent mechanism to quickly update JS dependencies) but npm doesn't support multiple paths :(

[LukeTowers]

Oh well, even just having them recorded centrally and being tracked by GitHub is an improvement. Is Yarn any better? I don't really know anything about JS package management

[bennothommo]

@LukeTowers I think Yarn has the same limitation. It's no big deal, it just would've been a nice-to-have.