Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#50242 closed defect (bug) (reported-upstream)

update jQuery version string in file to confirm not stock 1.12.4?

Reported by: OptimizingMatters
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: External Libraries
Keywords:
Focuses:
Cc:

Description

This is a follow-up to #47020.

The security test at https://snyk.io (which is now included in the webpagetest.org tests) detects jQuery as vulnerable in spite of the security fixes having been backported and results in a big red F for security on the webpagetest.org test page.

jQuery is now requested as "wp-includes/js/jquery/jquery.js?ver=1.12.4-wp" but the file itself does not have that "-wp" string appended in the version string, making it harder for tools to see this is not stock jQuery 1.12.4:

/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license | WordPress 2019-05-16 */

updating this into
/*! jQuery v1.12.4-wp | (c) jQuery Foundation | jquery.org/license | WordPress 2019-05-16 */

could make it easier for tools such as Snyk to distinguish between patched and vulnerable versions?

Change History (7)

#1 @OptimizingMatters
3 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Discussed this with Liran Tal at Snyk and they use https://github.com/johnmichel/Library-Detector-for-Chrome which does not look at version strings in URL or comments, but uses jQuery's built-in .jquery to retrieve the version string and then removes all non-digits except periods and the plus-sign.

Changing

m=1.12.4

into e.g.

m=1.12.4++

in the minified jQuery code itself works, as the added plusses make the version not match 1.12.4, but I have no idea what the consequences could be as who knows what plugins have JS that checks the jQuery version before doing stuff? :-/

So this might become a wontfix I guess, unless someone sees a solution?

Last edited 3 years ago by OptimizingMatters
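
The matching behaviour described in comment #1, as an added example that is not part of the ticket and is not code from Library-Detector-for-Chrome, Snyk or WordPress: it applies the "keep only digits, periods and plus signs" normalisation to the version values discussed above and compares the result with a flagged-version list. `FLAGGED_VERSIONS` and `pluginVersionAtLeast` are hypothetical names, the advisory list is constructed for the demo, and the plugin-style check is only one assumed way third-party code might parse the version.

```javascript
// Added illustration; names and sample data are assumptions, not project code.

// Normalisation as described in comment #1: drop everything that is not a
// digit, a period or a plus sign.
function normalizeVersion(reported) {
  return String(reported).replace(/[^\d.+]/g, '');
}

// Constructed advisory list: versions the scanner treats as vulnerable.
const FLAGGED_VERSIONS = new Set(['1.12.4']);

function scannerFlags(reported) {
  return FLAGGED_VERSIONS.has(normalizeVersion(reported));
}

// Hypothetical plugin-style check ("is jQuery at least `min`?") that compares
// dot-separated parts numerically, as third-party code might do.
function pluginVersionAtLeast(reported, min) {
  const have = String(reported).split('.').map(Number);
  const want = min.split('.').map(Number);
  for (let i = 0; i < want.length; i++) {
    const h = have[i] === undefined ? 0 : have[i];
    if (Number.isNaN(h)) return false; // a part like "4++" does not parse
    if (h !== want[i]) return h > want[i];
  }
  return true;
}

function report(candidates) {
  return candidates.map((v) => ({
    reported: v,
    normalized: normalizeVersion(v),
    flagged: scannerFlags(v),
    pluginCheckPasses: pluginVersionAtLeast(v, '1.12.0'),
  }));
}

// Stock value, a "-wp" suffix placed in the version itself, and the "++" variant.
const rows = report(['1.12.4', '1.12.4-wp', '1.12.4++']);
console.table(rows);
```

A letter suffix is stripped before matching, so it still reports as 1.12.4, while the plus signs survive normalisation but make the last version part non-numeric for a parser like the one assumed here.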

#2 @OptimizingMatters
3 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

Patrick Meenan on Twitter just announced the security test result will get hidden to avoid said jQuery vulnerability false positive, following up with

At ~40% of all websites, it would be REALLY nice to find a way to get it to work though.

Given the importance of webpagetest.org in the web performance optimization world, I fully agree and I will re-open this hoping this can be looked into despite the limitations described earlier.

#3 @peterwilsoncc
3 years ago

@OptimizingMatters

I've reached out to a member of the devrel team at Snyk. As other open-source CMS projects patched jQuery 1.12.4 in the same way WordPress did, if the issue can be resolved at a reporting level then it will result in fewer false positives.

I'll keep this open for now but potentially close it as reported-upstream once I hear back.

#4 @whyisjake
3 years ago

/cc @azaozz too.

#5 @OptimizingMatters
3 years ago

Current status: this was discussed on Twitter yesterday and Snyk will now suppress warnings of JS vulns. for WordPress.

This ticket was mentioned in Slack in #core by audrasjb.


3 years ago

#7 @desrosj
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to reported-upstream
  • Status changed from reopened to closed

I think this can be closed out as it was addressed upstream.
