WordPress.org

Make WordPress Core

Opened 8 months ago

Closed 7 months ago

Last modified 3 months ago

#47020 closed defect (bug) (fixed)

jQuery Update 3.4.0 vulnerability

Reported by: MikeNGarrett Owned by: azaozz
Milestone: 5.2.1 Priority: normal
Severity: normal Version: 5.1.1
Component: External Libraries Keywords: fixed-major
Focuses: javascript Cc:
PR Number:

Description

jQuery's latest release contains a fix for jQuery.extend which allows for unintended behavior which could lead to cross site scripting attacks.

From jQuery's 3.4.0 release notes:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

This vulnerability affects all previous version of jQuery. As they mention in the release notes, "patch diffs exist to match previous jQuery versions."

For reference, Drupal released a core patch for 7 and 8 which replaced jQuery.extend() completely with minor changes compatible with all old versions of jQuery. See Drupal's core patch.

Attachments (1)

47020.diff (97.0 KB) - added by azaozz 7 months ago.

Download all attachments as: .zip

Change History (31)

This ticket was mentioned in Slack in #core-js by mikengarrett. View the logs.


8 months ago

#3 @spacedmonkey
8 months ago

  • Component changed from General to External Libraries
  • Focuses javascript added
  • Keywords needs-patch added

#4 @SergeyBiryukov
8 months ago

  • Milestone changed from Awaiting Review to 5.2.1

Core still uses 1.12.4 for backward compatibility, looks like we'll need to apply the patch manually.

#5 @desrosj
7 months ago

I think we have two options here:

  1. Bring jQuery back into our SVN repo and patch.
  2. Publish a forked version (1.12.4.1 maybe) to NPM.

This ticket was mentioned in Slack in #core by elrae. View the logs.


7 months ago

#7 @azaozz
7 months ago

Seems the best would be to patch jQuery 1.12.4 and bring it back to our SVN.

Patch coming up.

@azaozz
7 months ago

#8 @azaozz
7 months ago

In 47020.diff:

  • Patch jquery.js and add it to src/js/_enqueues/vendor/jquery/.
  • Change Gruntfile.js to use the local copy.
  • Remove jQuery from dependencies in package.json.

Note: the patch doesn't include changes to package-lock.json as it gets changed a lot when I update it locally.

Last edited 7 months ago by azaozz (previous) (diff)

#9 @azaozz
7 months ago

  • Owner set to azaozz
  • Resolution set to fixed
  • Status changed from new to closed

In 45342:

jQuery: bring jquery.js back into the WordPress SVN repo and backport the patch from 3.4.0.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020 for trunk.

#10 @azaozz
7 months ago

  • Keywords fixed-major added; needs-patch removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopen for 5.2.

#11 follow-up: @azaozz
7 months ago

@netweb A quick look at the build changes would be great before merging to 5.2 :)

#12 in reply to: ↑ 11 ; follow-up: @netweb
7 months ago

Replying to azaozz:

@netweb A quick look at the build changes would be great before merging to 5.2 :)

~[45342] looks good to me except for the change to the package-lock.json file.~

~https://core.trac.wordpress.org/changeset/45342/trunk/package-lock.json~

~jQuery should no longer be in the lock file~

The build changes also look good:

https://build.trac.wordpress.org/changeset/45153

Edit: Per replies below, the lock file is correct as is

Last edited 7 months ago by netweb (previous) (diff)

#13 @desrosj
7 months ago

Looked at this a bit. I believe that jquery is still in the lock file because it is a dependency for other packages. However, the latest version is now being included. It's unclear to me if this is actually a problem.

The version downloaded by NPM will not be used in the build process anymore, but I'm not sure if that version is used by any other packages directly.

This ticket was mentioned in Slack in #core-js by desrosj. View the logs.


7 months ago

#15 @desrosj
7 months ago

After some discussion, it seems that the issue in the lock file is trivial.

The correct version of jQuery is being included when building (confirmed in the build change set), and jQuery only appears to be in the lock file because it is a specified dependency.

Since everything is checking out except the lock file, this does not seem like a blocker for 5.2.1-RC!, and can be sorted out after.

#16 in reply to: ↑ 12 @netweb
7 months ago

Replying to desrosj:

Looked at this a bit. I believe that jquery is still in the lock file because it is a dependency for other packages.

This is correct

However, the latest version is now being included. It's unclear to me if this is actually a problem.

I don't believe it will be an issue

#17 @desrosj
7 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 45354:

jQuery: bring jquery.js back into the WordPress SVN repo and backport the patch from 3.4.0.

Merges [45342] to the 5.2 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#19 @azaozz
7 months ago

Thanks @netweb and @desrosj.

Looked at this a bit. I believe that jquery is still in the lock file because it is a dependency for other packages.

Right. Was just wondering if it should be the latest version (as per the package-lock.json update after running npm install) or it should be the same version we have in core. Looking at WP 5.0 (that still had jquery.js in wp-includes/js/jquery/), the version in package-lock there is the latest at the time too: 3.3.1, and that didn't cause problems.

#20 @netweb
7 months ago

Yes, the jQuery dependencies are child dependencies and I don't believe they'll cause any issues being the latest:

WordPress@5.3.0 /Users/netweb/Code/WordPress/develop-git-github-ntwb
...
...
├── jquery-color@2.1.1 (github:jquery/jquery-color#95402e5b2f1184ab2de7014aeef0a90f2bee0a40)
├─┬ jquery-form@4.2.1
│ └── jquery@3.4.1
├─┬ jquery-hoverintent@1.8.3
│ └── jquery@3.4.1 deduped
├── jquery-migrate@1.4.1
├── jquery-ui@1.11.4 (github:jquery/jquery-ui#d6713024e16de90ea71dc0544ba34e1df01b4d8a)
...

#22 @superpoincare
7 months ago

There seems to be another vulnerability as reported here:

https://snyk.io/vuln/npm:jquery

The third in the list.

The patch was for some reason removed from jQuery 1.12.3 although present in 1.12.2 (and hence not present in 1.12.4).

The modification is to add

// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
	if ( s.crossDomain ) {
		s.contents.script = false;
	}
} );

Line 10368 here: https://code.jquery.com/jquery-1.12.2.js

as per the last comment here:

https://github.com/jquery/jquery/issues/2432#issuecomment-403761229

Apologies in advance if irrelevant.

This ticket was mentioned in Slack in #themereview by ipstenu. View the logs.


6 months ago

#24 @azaozz
3 months ago

In 46014:

jQuery: bring jquery.js back into the WordPress SVN repo and backport the patch from 3.4.0.

Merges [45342] to the 5.1 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#25 @azaozz
3 months ago

In 46017:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 5.0 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#26 @azaozz
3 months ago

In 46020:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 4.9 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#27 @azaozz
3 months ago

In 46021:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 4.8 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#28 @azaozz
3 months ago

In 46025:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 4.7 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#29 @azaozz
3 months ago

In 46026:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 4.6 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#30 @azaozz
3 months ago

In 46027:

jQuery: Backport the patch from jQuery 3.4.0.

Merges [45342] to the 4.5 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

Note: See TracTickets for help on using tickets.