ManageIQ / manageiq-ui-classic

Classic UI of ManageIQ
Apache License 2.0

Security Issue in UI Classic node package codemirror #7527

Open bhadrim opened 3 years ago

bhadrim commented 3 years ago

Affected component: UI Classic
Current Version: 5.47.0
Remediation: 5.58.2 or higher
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-7760
CVE: CVE-2020-7760

bhadrim commented 3 years ago

Any update on this one? Thank you.

bhadrim commented 3 years ago

@himdel any update on this one? Thank you.

himdel commented 3 years ago

We can probably ignore this, we're running codemirror in htmlmixed, xml, shell, or ruby modes. It's never used to edit javascript.

himdel commented 3 years ago

Follow up for whoever ends up doing this...

= render :partial => "/layouts/my_code_mirror",... - used in old forms, this depends only on the codemirror package, via miqInitCodeMirror, uses window.CodeMirror set by the global pack

"ui-codemirror" => {... - used in angular, via the angular-ui-codemirror package; that package is archived, we're using the latest version, but it also doesn't specify a codemirror dependency, so in theory it should work as long as the api stays the same

CodeEditor - our react component wrapping CodeMirror from react-codemirror2, has a 5.x codemirror peerDependency
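The three dependency paths above (the direct codemirror package, angular-ui-codemirror with no declared codemirror dependency, and react-codemirror2 with a 5.x peerDependency) are exactly the places a lock file can end up holding more than one copy of codemirror. As an added example, not code from the ManageIQ project, the following Node script walks an npm package-lock.json (lockfile v1 nested "dependencies" or v2/v3 flat "packages"), lists every resolved copy of codemirror including nested ones, and flags any below the 5.58.2 remediation version named in the report. The lock fragment is constructed for illustration; apart from 5.47.0 and 5.58.2 from the issue, the version numbers are made up.

```javascript
// Added example (not ManageIQ code): find every resolved copy of a package in an
// npm package-lock.json and flag copies older than a known-fixed version.

const PACKAGE = 'codemirror';
const REMEDIATED = '5.58.2'; // remediation version from the issue report

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison so that 5.58.10 sorts after 5.58.2 (string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for every copy of `name` in the lock file.
// lockfile v2/v3: "packages" is flat and keyed by install path.
// lockfile v1: "dependencies" nests each package's own node_modules.
function findPackageVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: info.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, info] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) found.push({ path, version: info.version });
        if (info.dependencies) walk(info.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Mark each found copy as vulnerable when it is older than the fixed version.
function auditLock(lock, name = PACKAGE, fixed = REMEDIATED) {
  return findPackageVersions(lock, name).map((entry) => ({
    ...entry,
    vulnerable: compareVersions(entry.version, fixed) < 0,
  }));
}

// Constructed sample lock (lockfile v1 shape): a direct, outdated codemirror plus a
// newer nested copy pulled in under a wrapper package. Versions are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    codemirror: { version: '5.47.0' },
    'react-codemirror2': { version: '7.2.1' },
    'angular-ui-codemirror': {
      version: '0.3.0',
      dependencies: { codemirror: { version: '5.58.3' } },
    },
  },
};

for (const hit of auditLock(SAMPLE_LOCK)) {
  const status = hit.vulnerable ? 'BELOW FIX' : 'ok';
  console.log(`${status.padEnd(9)} ${hit.version.padEnd(8)} ${hit.path}`);
}
```

To run it against a real checkout, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; the nested walk matters because a wrapper that pins its own copy can keep an old codemirror installed even after the top-level dependency is bumped.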

bhadrim commented 3 years ago

@himdel Can we ignore this issue, or do you plan on fixing this issue? If you believe this security issue will not affect ManageIQ, then I can close this issue. Thank you.

himdel commented 3 years ago

Well, there is no security issue: if a user pastes malicious javascript into an htmlmixed form (that would be Edit description in old forms), their UI might hang, but that's it. The solution to that is not pasting malicious javascript into the editor. :)

I do think we should be keeping our dependencies up to date, so I would not necessarily close this; fixing this one might be a good start for the new UI team, but there's no urgency. :)

bhadrim commented 3 years ago

Okay thank you.

miq-bot commented 1 year ago

This issue has been automatically marked as stale because it has not been updated for at least 3 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions! More information about the ManageIQ triage process can be found in the triage process documentation.