eXist-db/shared-resources

Security - Update Jquery

Opened this issue · 6 comments

Hello,

Shared-resources uses version 1.7.1 of jQuery, which contains an XSS vulnerability. Is it possible to update it to at least version 1.9 of jQuery or, better, version 3.4.1?

Even if the version is updated to 1.9, this version is no longer maintained by the jQuery team and does not receive any security updates.

Do you know if these versions are API compatible?

@dizzzz nope, even if we wouldn't break stuff in our own apps, we would very likely break them for every app that uses shared resources.

@luciolebrillante I would recommend not using the jQuery library that ships with shared-resources for your own apps. An update to the way that shared-resources works is in the making but still a ways off.
FYI I tested the exploits I could find, and found them not to work when using eXist's own mix of XHTML and local loading, but I'm not an expert, so it's possible that someone more determined could make it work.

Thank you for your quick answer.

@dizzzz
I do not know sorry.

@duncdrum
After some research, it appears that shared-resources is not the only app which uses an obsolete jQuery version.
Instead of replacing it, why can't we make the latest version of each jQuery branch available? It will not break backward compatibility and offers the new one as well.

Trying to update manually
I updated jQuery to 1.9.1 for all of them in exist-db/webapp/WEB-INF/data/expathrepo/*, but even after I replaced the version of jQuery in exist-db/webapp/WEB-INF/data/expathrepo/dashboard-1.1./templates/page.html, added the jQuery file in exist-db/webapp/WEB-INF/data/expathrepo/shared-0.8.4/resources/scripts/ and restarted eXist, it didn't work. I still have version 1.7.1 loaded and written in the index page.

Do you have any clue how to modify the dashboard index page of eXist? I thought it was the dashboard app, but it seems I was mistaken.

@luciolebrillante the core team is currently busy with the upcoming release of 5.0.0 scheduled for 08-31, which features a new dashboard and updates to all stock apps. It is therefore unlikely that any core devs will spend time on this now. When we do, it'll very likely be a 5.0.0+ feature.

If this is bothering you right now, I recommend switching to the latest release candidate.

This leaves you with a few options to get in on the action, though. To debug breakages with jQuery 1.12.4 I would replace the jQuery source file inside shared-resources/resources/scripts/jquery/ and see what breaks. You'll also need to update Bootstrap in a similar manner to the latest 3.x version.

There is the e2e-core repo with tests for 4.x core apps. You can run the existing tests on your local machine, and if you notice a break without a matching test, please open a PR to add it. eXide, monex, the demo apps, and public-repo AFAIK all use jQuery 1. There might be others; some of them might ship with their own jQuery, so you'll have to check the resources folder manually, since most of them don't have a package.json.
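One way to do that manual check across a whole expathrepo tree, as an added example (not code from this issue or from eXist-db itself): it walks the package directories, reads the version banner of each bundled jQuery core file and flags those below the 1.9 floor the issue asks for. The directory layout and file contents produced by build_sample_repo are constructed sample data, not real eXist packages.

```python
import os
import re
import tempfile
from typing import List, Optional

# Banner at the top of every jQuery build: "/*! jQuery v1.7.1 ..." (minified) or " * jQuery JavaScript Library v1.9.1" (source).
_BANNER = re.compile(r"jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)")
# Core files only (jquery.js, jquery.min.js, jquery-1.7.1.min.js); plugins are skipped.
_CORE_NAME = re.compile(r"^jquery(-\d+\.\d+\.\d+)?(\.min)?\.js$", re.IGNORECASE)

def parse_version(text: str) -> Optional[str]:
    """Version string from a jQuery banner, or None if no banner is present."""
    m = _BANNER.search(text)
    return m.group(1) if m else None

def is_below(version: str, minimum: str) -> bool:
    """Numeric dotted-version comparison (plain string comparison puts 1.10 < 1.9)."""
    return tuple(map(int, version.split("."))) < tuple(map(int, minimum.split(".")))

def scan_repo(root: str, minimum: str = "1.9.0") -> List[dict]:
    """List each bundled jQuery core file under an expathrepo-style tree with its package
    (top-level dir), version and an 'outdated' flag against `minimum`; unparseable files are 'unknown'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not _CORE_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                ver = parse_version(fh.read(2048))  # the banner sits in the first lines
            rel = os.path.relpath(path, root)
            findings.append({"package": rel.split(os.sep)[0], "file": rel,
                             "version": ver or "unknown",
                             "outdated": ver is not None and is_below(ver, minimum)})
    return sorted(findings, key=lambda f: f["file"])

def build_sample_repo() -> str:
    """Constructed expathrepo layout with three jQuery copies (sample data only)."""
    root = tempfile.mkdtemp(prefix="expathrepo-")
    samples = [  # (relative path, first line(s) of the constructed file)
        ("shared-0.8.4/resources/scripts/jquery/jquery-1.7.1.min.js", "/*! jQuery v1.7.1 jquery.com | jquery.org/license */\n"),
        ("dashboard-1.1.1/resources/scripts/jquery.js", "/*!\n * jQuery JavaScript Library v1.9.1\n */\n"),
        ("eXide-2.4.8/resources/scripts/jquery.min.js", "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors */\n"),
    ]
    for rel, body in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Point scan_repo at a real exist-db/webapp/WEB-INF/data/expathrepo directory to get the same listing for installed packages; "unknown" entries are files whose banner was stripped and need a manual look.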

@duncdrum
Thank you for your complete answer.

I prefer to wait until version 5.0.1 is released, I prefer to be careful.

Some news about what I did
I updated jQuery to 1.9.1, briefly checked, and didn't see bugs for:

  • monex-1.0.1
  • markdown-0.6
  • xsltforms-demo-0.1.5
  • demo-0.4.3
  • public-repo-1.0.1
  • eXide-2.4.8
  • dashboard-1.1.1
  • shared-0.8.4

However, I also updated Bootstrap from 3.0.3 to 3.4.1, briefly checked, and didn't see bugs.