Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#47020 closed defect (bug) (fixed)

jQuery Update 3.4.0 vulnerability

Reported by: mikengarrett's profile MikeNGarrett Owned by: azaozz's profile azaozz
Milestone: 5.2.1 Priority: normal
Severity: normal Version: 5.1.1
Component: External Libraries Keywords: fixed-major
Focuses: javascript Cc:

Description

jQuery's latest release contains a fix for jQuery.extend which allows for unintended behavior which could lead to cross site scripting attacks.

From jQuery's 3.4.0 release notes:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

This vulnerability affects all previous version of jQuery. As they mention in the release notes, "patch diffs exist to match previous jQuery versions."

For reference, Drupal released a core patch for 7 and 8 which replaced jQuery.extend() completely with minor changes compatible with all old versions of jQuery. See Drupal's core patch.

Attachments (1)

47020.diff (97.0 KB) - added by azaozz 5 years ago.

Download all attachments as: .zip

Change History (34)

This ticket was mentioned in Slack in #core-js by mikengarrett. View the logs.


5 years ago

#3 @spacedmonkey
5 years ago

  • Component changed from General to External Libraries
  • Focuses javascript added
  • Keywords needs-patch added

#4 @SergeyBiryukov
5 years ago

  • Milestone changed from Awaiting Review to 5.2.1

Core still uses 1.12.4 for backward compatibility, looks like we'll need to apply the patch manually.

#5 @desrosj
5 years ago

I think we have two options here:

  1. Bring jQuery back into our SVN repo and patch.
  2. Publish a forked version (1.12.4.1 maybe) to NPM.

This ticket was mentioned in Slack in #core by elrae. View the logs.


5 years ago

#7 @azaozz
5 years ago

Seems the best would be to patch jQuery 1.12.4 and bring it back to our SVN.

Patch coming up.

@azaozz
5 years ago

#8 @azaozz
5 years ago

In 47020.diff:

  • Patch jquery.js and add it to src/js/_enqueues/vendor/jquery/.
  • Change Gruntfile.js to use the local copy.
  • Remove jQuery from dependencies in package.json.

Note: the patch doesn't include changes to package-lock.json as it gets changed a lot when I update it locally.

Last edited 5 years ago by azaozz (previous) (diff)

#9 @azaozz
5 years ago

  • Owner set to azaozz
  • Resolution set to fixed
  • Status changed from new to closed

In 45342:

jQuery: bring jquery.js back into the WordPress SVN repo and backport the patch from 3.4.0.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020 for trunk.

#10 @azaozz
5 years ago

  • Keywords fixed-major added; needs-patch removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopen for 5.2.

#11 follow-up: @azaozz
5 years ago

@netweb A quick look at the build changes would be great before merging to 5.2 :)

#12 in reply to: ↑ 11 ; follow-up: @netweb
5 years ago

Replying to azaozz:

@netweb A quick look at the build changes would be great before merging to 5.2 :)

~[45342] looks good to me except for the change to the package-lock.json file.~

~https://core.trac.wordpress.org/changeset/45342/trunk/package-lock.json~

~jQuery should no longer be in the lock file~

The build changes also look good:

https://build.trac.wordpress.org/changeset/45153

Edit: Per replies below, the lock file is correct as is

Last edited 5 years ago by netweb (previous) (diff)

#13 @desrosj
5 years ago

Looked at this a bit. I believe that jquery is still in the lock file because it is a dependency for other packages. However, the latest version is now being included. It's unclear to me if this is actually a problem.

The version downloaded by NPM will not be used in the build process anymore, but I'm not sure if that version is used by any other packages directly.

This ticket was mentioned in Slack in #core-js by desrosj. View the logs.


5 years ago

#15 @desrosj
5 years ago

After some discussion, it seems that the issue in the lock file is trivial.

The correct version of jQuery is being included when building (confirmed in the build change set), and jQuery only appears to be in the lock file because it is a specified dependency.

Since everything is checking out except the lock file, this does not seem like a blocker for 5.2.1-RC!, and can be sorted out after.

#16 in reply to: ↑ 12 @netweb
5 years ago

Replying to desrosj:

Looked at this a bit. I believe that jquery is still in the lock file because it is a dependency for other packages.

This is correct

However, the latest version is now being included. It's unclear to me if this is actually a problem.

I don't believe it will be an issue

#17 @desrosj
5 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 45354:

jQuery: bring jquery.js back into the WordPress SVN repo and backport the patch from 3.4.0.

Merges [45342] to the 5.2 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#19 @azaozz
5 years ago

Thanks @netweb and @desrosj.

Looked at this a bit. I believe that jquery is still in the lock file because it is a dependency for other packages.

Right. Was just wondering if it should be the latest version (as per the package-lock.json update after running npm install) or it should be the same version we have in core. Looking at WP 5.0 (that still had jquery.js in wp-includes/js/jquery/), the version in package-lock there is the latest at the time too: 3.3.1, and that didn't cause problems.

#20 @netweb
5 years ago

Yes, the jQuery dependencies are child dependencies and I don't believe they'll cause any issues being the latest:

WordPress@5.3.0 /Users/netweb/Code/WordPress/develop-git-github-ntwb
...
...
├── jquery-color@2.1.1 (github:jquery/jquery-color#95402e5b2f1184ab2de7014aeef0a90f2bee0a40)
├─┬ jquery-form@4.2.1
│ └── jquery@3.4.1
├─┬ jquery-hoverintent@1.8.3
│ └── jquery@3.4.1 deduped
├── jquery-migrate@1.4.1
├── jquery-ui@1.11.4 (github:jquery/jquery-ui#d6713024e16de90ea71dc0544ba34e1df01b4d8a)
...

#22 @superpoincare
5 years ago

There seems to be another vulnerability as reported here:

https://snyk.io/vuln/npm:jquery

The third in the list.

The patch was for some reason removed from jQuery 1.12.3 although present in 1.12.2 (and hence not present in 1.12.4).

The modification is to add

// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
	if ( s.crossDomain ) {
		s.contents.script = false;
	}
} );

Line 10368 here: https://code.jquery.com/jquery-1.12.2.js

as per the last comment here:

https://github.com/jquery/jquery/issues/2432#issuecomment-403761229

Apologies in advance if irrelevant.

This ticket was mentioned in Slack in #themereview by ipstenu. View the logs.


5 years ago

#24 @azaozz
5 years ago

In 46014:

jQuery: bring jquery.js back into the WordPress SVN repo and backport the patch from 3.4.0.

Merges [45342] to the 5.1 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#25 @azaozz
5 years ago

In 46017:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 5.0 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#26 @azaozz
5 years ago

In 46020:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 4.9 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#27 @azaozz
5 years ago

In 46021:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 4.8 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#28 @azaozz
5 years ago

In 46025:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 4.7 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#29 @azaozz
5 years ago

In 46026:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 4.6 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#30 @azaozz
5 years ago

In 46027:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 4.5 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

This ticket was mentioned in Slack in #core by ipstenu. View the logs.


4 years ago

This ticket was mentioned in Slack in #forums by clorith. View the logs.


4 years ago

This ticket was mentioned in Slack in #core by ipstenu. View the logs.


4 years ago

Note: See TracTickets for help on using tickets.