gildas-lormeau/zip.js

Security - CRITICAL - Unsafe dynamic method access

Gaetanbrl opened this issue · 8 comments

Hi,

According to a CodeQL scan, z-worker returns a CRITICAL issue.

See https://github.com/mviewer/mviewer/security/code-scanning/23 to get more details.

The link returns a 404.

Yes, sorry, it's a private security page. GitHub returns a 404; I will share a screen capture.

Our project uses the zip.js lib, and a security scan returns this alert.

This line of code is related to the legacy version of zip.js. It can only be found in the previous version of the documentation, see https://github.com/gildas-lormeau/zip.js/blob/gh-pages/old-docs/demos/z-worker.js#L45. This code is not used in the current version of zip.js.

To solve this problem, you could retrieve only the master branch of zip.js in your project and ignore the branch gh-pages which is used for documentation purposes only.

Alternatively, if you're using the old version of zip.js then it has to be updated to the new version because the old version is not maintained anymore.

ok thanks.

I will upgrade. Do you know which version of zip.js this code comes from?

https://raw.githubusercontent.com/mviewer/mviewer/master/demo/addons/fileimport/lib/zip.js

This is the old version of zip.js. FYI, here is the last commit of this version: https://github.com/gildas-lormeau/zip.js/tree/3e7920810f63d5057ef6028833243105521da369.

OK, thanks. Weird to have such an old lib (external contribution)... I need a real update of zip.js in my project.
I'll close.
Thanks.

You're welcome!

Goodbye