
Microsoft.VisualStudio.Web.CodeGenerators.Mvc 2.2.3 ships vulnerable version of jQuery #1000

Closed
wasker opened this issue May 28, 2019 · 13 comments

@wasker

wasker commented May 28, 2019

Steps to reproduce:

  1. Use Microsoft.VisualStudio.Web.CodeGenerators.Mvc 2.2.3 in a project covered by Azure Component Governance

Expected behavior:

Not have an alert from Component Governance

Actual behavior:

Receive alert as following:

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.

The vulnerability could be tracked down to Templates\Identity\wwwroot\lib\jquery\dist
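Two defender-side checks that follow from the alert above, added here as an example (this is not code from the issue or from the Scaffolding repository): a version gate for a scaffolded jquery.js based on its banner, and a deep merge that refuses the keys the advisory describes. It assumes jQuery dist files carry their usual `/*! jQuery v<major>.<minor>.<patch>` banner; `SAMPLE_BANNER` and `UNTRUSTED` are constructed inputs.

```javascript
// Added defender-side example (not code from this issue or the Scaffolding repo).
// Assumes jQuery dist files carry their usual "/*! jQuery v<major>.<minor>.<patch>"
// banner; SAMPLE_BANNER and UNTRUSTED below are constructed inputs.

// Part 1: flag a scaffolded jquery.js whose banner predates the 3.4.0 fix.
const FIRST_FIXED = [3, 4, 0];
function jqueryVersionFromBanner(source) {
  const m = /\/\*!\s*jQuery\s+v?(\d+)\.(\d+)\.(\d+)/.exec(source);
  return m ? m.slice(1, 4).map(Number) : null;
}
function isVulnerableJquery(source) {
  const v = jqueryVersionFromBanner(source);
  if (v === null) return null;           // no banner: cannot decide, review by hand
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIRST_FIXED[i]) return v[i] < FIRST_FIXED[i];
  }
  return false;                          // exactly 3.4.0
}

// Part 2: a deep merge that never descends through keys which reach
// Object.prototype. jQuery 3.4.0 added a skip for "__proto__" in jQuery.extend;
// this version also skips "constructor" and "prototype" for the same reason.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {   // own enumerable keys only
    if (UNSAFE_KEYS.has(key)) continue;      // drop prototype-reaching keys
    const val = source[key];
    if (isPlainObject(val)) {
      const dst = isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepExtend(dst, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed inputs: a 3.3.1 banner (the version the thread found in the
// scaffolded files) and an untrusted JSON document with an own "__proto__" key.
const SAMPLE_BANNER = '/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */';
const UNTRUSTED = JSON.parse('{"__proto__":{"polluted":true},"theme":{"dark":true}}');

console.log('3.3.1 vulnerable:', isVulnerableJquery(SAMPLE_BANNER));          // true
const merged = safeDeepExtend({ theme: { light: true } }, UNTRUSTED);
console.log(JSON.stringify(merged), 'polluted:', ({}).polluted);              // undefined
```

Running the version check over every `wwwroot/lib/jquery/dist/*.js` in a scaffolded project reproduces the Component Governance finding without the service; the merge shows the shape of the 3.4.0 fix the thread ends up applying.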

@seancpeters
Contributor

@vijayrkn @danroth27

@seancpeters
Contributor

@mkArtakMSFT

@seancpeters
Contributor

@vijayrkn @danroth27 @mkArtakMSFT @HaoK - To fix this, we'll need to update the scaffolded content under wwwroot/ for identity scaffolding. I think we'd want to stay in sync with other identity content providers - you all would know more about the content than me.

@mkArtakMSFT
Member

We actually go through a bunch of dependency updates at the moment. @ryanbrandenburg is the jQuery dependency being updated too?

@mkArtakMSFT
Member

@HaoK are you handling the Identity UI updates?

@HaoK
Member

HaoK commented Jun 18, 2019

Sure but I haven't done this before, are we just updating the scaffolded files to jquery 3.4?

@seancpeters
Contributor

That should be all that's necessary - just the bootstrap3 files under the wwwroot dir, here:
https://github.com/aspnet/Scaffolding/tree/master/src/VS.Web.CG.Mvc/Templates/Identity/Bootstrap3/wwwroot
If the list of files to serve up changes, corresponding changes will need to be made in the config file here:
https://github.com/aspnet/Scaffolding/blob/master/src/VS.Web.CG.Mvc/Identity/bootstrap3_identitygeneratorfilesconfig.json
But if the file list remains the same, no changes will need to be made there.

@HaoK
Member

HaoK commented Jun 19, 2019

I updated bootstrap 3 and 4 since both seemed to be using jquery 3.3.1

@HaoK HaoK self-assigned this Jun 19, 2019
@HaoK HaoK added the 3 - Done label Jun 19, 2019
@HaoK
Member

HaoK commented Jun 19, 2019

Merged

@HaoK HaoK closed this as completed Jun 19, 2019
@HaoK HaoK added the bug label Jun 19, 2019
@vijayrkn
Contributor

@HaoK - Which branch was this merged into? Is this a 3.0 change?

@HaoK
Member

HaoK commented Aug 14, 2019

It was merged back in Jun into master #1011

@vijayrkn
Contributor

Thanks!

@wasker
Author

wasker commented Aug 14, 2019

@HaoK When is the next release going to be? The one on /releases is still from Feb.
