WordPress.org

Make WordPress Core

Opened 8 weeks ago

Closed 4 weeks ago

Last modified 4 weeks ago

#47020 closed defect (bug) (fixed)

jQuery Update 3.4.0 vulnerability

Reported by: MikeNGarrett Owned by: azaozz
Milestone: 5.2.1 Priority: normal
Severity: normal Version: 5.1.1
Component: External Libraries Keywords: fixed-major
Focuses: javascript Cc:

Description

jQuery's latest release contains a fix for jQuery.extend which allows for unintended behavior which could lead to cross site scripting attacks.

From jQuery's 3.4.0 release notes:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

This vulnerability affects all previous version of jQuery. As they mention in the release notes, "patch diffs exist to match previous jQuery versions."

For reference, Drupal released a core patch for 7 and 8 which replaced jQuery.extend() completely with minor changes compatible with all old versions of jQuery. See Drupal's core patch.

Attachments (1)

47020.diff (97.0 KB) - added by azaozz 5 weeks ago.

Download all attachments as: .zip

Change History (23)

This ticket was mentioned in Slack in #core-js by mikengarrett. View the logs.


8 weeks ago

#3 @spacedmonkey
8 weeks ago

  • Component changed from General to External Libraries
  • Focuses javascript added
  • Keywords needs-patch added

#4 @SergeyBiryukov
8 weeks ago

  • Milestone changed from Awaiting Review to 5.2.1

Core still uses 1.12.4 for backward compatibility, looks like we'll need to apply the patch manually.

#5 @desrosj
5 weeks ago

I think we have two options here:

  1. Bring jQuery back into our SVN repo and patch.
  2. Publish a forked version (1.12.4.1 maybe) to NPM.

This ticket was mentioned in Slack in #core by elrae. View the logs.


5 weeks ago

#7 @azaozz
5 weeks ago

Seems the best would be to patch jQuery 1.12.4 and bring it back to our SVN.

Patch coming up.

@azaozz
5 weeks ago

#8 @azaozz
5 weeks ago

In 47020.diff:

  • Patch jquery.js and add it to src/js/_enqueues/vendor/jquery/.
  • Change Gruntfile.js to use the local copy.
  • Remove jQuery from dependencies in package.json.

Note: the patch doesn't include changes to package-lock.json as it gets changed a lot when I update it locally.

Last edited 5 weeks ago by azaozz (previous) (diff)

#9 @azaozz
5 weeks ago

  • Owner set to azaozz
  • Resolution set to fixed
  • Status changed from new to closed

In 45342:

jQuery: bring jquery.js back into the WordPress SVN repo and backport the patch from 3.4.0.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020 for trunk.

#10 @azaozz
5 weeks ago

  • Keywords fixed-major added; needs-patch removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopen for 5.2.

#11 follow-up: @azaozz
5 weeks ago

@netweb A quick look at the build changes would be great before merging to 5.2 :)

#12 in reply to: ↑ 11 ; follow-up: @netweb
5 weeks ago

Replying to azaozz:

@netweb A quick look at the build changes would be great before merging to 5.2 :)

~[45342] looks good to me except for the change to the package-lock.json file.~

~https://core.trac.wordpress.org/changeset/45342/trunk/package-lock.json~

~jQuery should no longer be in the lock file~

The build changes also look good:

https://build.trac.wordpress.org/changeset/45153

Edit: Per replies below, the lock file is correct as is

Last edited 4 weeks ago by netweb (previous) (diff)

#13 @desrosj
4 weeks ago

Looked at this a bit. I believe that jquery is still in the lock file because it is a dependency for other packages. However, the latest version is now being included. It's unclear to me if this is actually a problem.

The version downloaded by NPM will not be used in the build process anymore, but I'm not sure if that version is used by any other packages directly.

This ticket was mentioned in Slack in #core-js by desrosj. View the logs.


4 weeks ago

#15 @desrosj
4 weeks ago

After some discussion, it seems that the issue in the lock file is trivial.

The correct version of jQuery is being included when building (confirmed in the build change set), and jQuery only appears to be in the lock file because it is a specified dependency.

Since everything is checking out except the lock file, this does not seem like a blocker for 5.2.1-RC!, and can be sorted out after.

#16 in reply to: ↑ 12 @netweb
4 weeks ago

Replying to desrosj:

Looked at this a bit. I believe that jquery is still in the lock file because it is a dependency for other packages.

This is correct

However, the latest version is now being included. It's unclear to me if this is actually a problem.

I don't believe it will be an issue

#17 @desrosj
4 weeks ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 45354:

jQuery: bring jquery.js back into the WordPress SVN repo and backport the patch from 3.4.0.

Merges [45342] to the 5.2 branch.

Props MikeNGarrett, peterwilsoncc, azaozz.
Fixes #47020.

#19 @azaozz
4 weeks ago

Thanks @netweb and @desrosj.

Looked at this a bit. I believe that jquery is still in the lock file because it is a dependency for other packages.

Right. Was just wondering if it should be the latest version (as per the package-lock.json update after running npm install) or it should be the same version we have in core. Looking at WP 5.0 (that still had jquery.js in wp-includes/js/jquery/), the version in package-lock there is the latest at the time too: 3.3.1, and that didn't cause problems.

#20 @netweb
4 weeks ago

Yes, the jQuery dependencies are child dependencies and I don't believe they'll cause any issues being the latest:

WordPress@5.3.0 /Users/netweb/Code/WordPress/develop-git-github-ntwb
...
...
├── jquery-color@2.1.1 (github:jquery/jquery-color#95402e5b2f1184ab2de7014aeef0a90f2bee0a40)
├─┬ jquery-form@4.2.1
│ └── jquery@3.4.1
├─┬ jquery-hoverintent@1.8.3
│ └── jquery@3.4.1 deduped
├── jquery-migrate@1.4.1
├── jquery-ui@1.11.4 (github:jquery/jquery-ui#d6713024e16de90ea71dc0544ba34e1df01b4d8a)
...

#22 @superpoincare
4 weeks ago

There seems to be another vulnerability as reported here:

https://snyk.io/vuln/npm:jquery

The third in the list.

The patch was for some reason removed from jQuery 1.12.3 although present in 1.12.2 (and hence not present in 1.12.4).

The modification is to add

// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
	if ( s.crossDomain ) {
		s.contents.script = false;
	}
} );

Line 10368 here: https://code.jquery.com/jquery-1.12.2.js

as per the last comment here:

https://github.com/jquery/jquery/issues/2432#issuecomment-403761229

Apologies in advance if irrelevant.

Note: See TracTickets for help on using tickets.