Closed serg-odessa closed 3 years ago
At least thus far, it looks like Underscores is still a dependency in the 2.x dev branch, so I am assuming it's still needed at the moment for the rest of the plugins' scripts. Not presently aware of plans regarding this detail, but I'll let others chime in with their own thoughts as well.
> I ran some research and discovered that your plugin uses the underscore.js library from WordPress.
Underscore.js is bundled with WordPress Core and used for wp.template Mustache-style JS templating, probably most notably in the Customizer section of WP-Admin.
Since that functionality is available out-of-the-box with WordPress Core, WPSWA also uses wp.template for its Mustache-style JS templating. Leveraging functionality that WordPress Core provides reduces the number of external vendor dependencies we would need to bundle with our plugin, and allows WordPress developers to work with the familiar wp.template syntax. wp.template is used in both the autocomplete.php and instantsearch.php template files.
> WordPress has the library of version 1.8.3, which has a vulnerability issue.
We do not control the versions of JS libraries that are bundled with WordPress Core.
> May I ask you if you know about this issue and if you are going to fix that?
According to the CVE-2021-23358 advisory:
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Looking into wp.template in WordPress Core, we can see that the `variable` option is not taken from `_.templateSettings`, and is set to the literal string `'data'`:

```js
options = {
    evaluate:    /<#([\s\S]+?)#>/g,
    interpolate: /\{\{\{([\s\S]+?)\}\}\}/g,
    escape:      /\{\{([^\}]+?)\}\}(?!\})/g,
    variable:    'data'
};
```
So that particular vector does not appear to directly affect our usage of wp.template.
There are no plans at the moment to implement an alternative JS templating strategy. That could change in the future, but not at this time.
You could potentially customize your own copies of autocomplete.php and instantsearch.php template files in your child theme, so they are not dependent on wp.template, deregister our registered scripts, and register your own without the wp.template dependency.
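As an added illustration of the reasoning above (example code, not WordPress Core or WPSWA code): the CVE-2021-23358 fix in Underscore 1.12.1 / 1.13.0-2 rejects any `variable` setting that is not a bare identifier, so a site that still runs an older bundled Underscore can apply the same check to any settings object before it reaches `_.template`. The `bareIdentifier` pattern is assumed to match upstream's fix; `auditTemplateSettings` and `auditMerged` are hypothetical helper names.

```javascript
// Same bare-identifier pattern as the upstream Underscore fix (assumption:
// copied from 1.12.1). Anything that is only word characters or '$' can
// serve as a function parameter name but cannot alter generated source.
const bareIdentifier = /^\s*(\w|\$)+\s*$/;

// WordPress Core's wp.template settings, as quoted in this thread.
const wpTemplateSettings = {
  evaluate: /<#([\s\S]+?)#>/g,
  interpolate: /\{\{\{([\s\S]+?)\}\}\}/g,
  escape: /\{\{([^\}]+?)\}\}(?!\})/g,
  variable: 'data',
};

// True when 'name' is a plain identifier such as 'data' or '$obj_1'.
function isBareIdentifier(name) {
  return typeof name === 'string' && bareIdentifier.test(name);
}

// Pre-flight check for a settings object destined for a pre-fix
// _.template (e.g. the 1.8.3 bundled with WordPress). Returns a list of
// findings; an empty list means the CVE-2021-23358 vector does not apply.
function auditTemplateSettings(settings) {
  const findings = [];
  if (settings.variable === undefined) {
    // No 'variable': Underscore wraps the body in with(obj||{}){...},
    // so no caller-supplied string is spliced into the source here.
    return findings;
  }
  if (!isBareIdentifier(settings.variable)) {
    findings.push(
      'variable is not a bare identifier: ' + JSON.stringify(settings.variable)
    );
  }
  return findings;
}

// Underscore merges the caller's settings over the global _.templateSettings,
// which is where an unexpected 'variable' usually leaks in. Audit the merged
// result, exactly as the template compiler would see it.
function auditMerged(globalSettings, localSettings) {
  return auditTemplateSettings(Object.assign({}, globalSettings, localSettings));
}
```

Running `auditTemplateSettings(wpTemplateSettings)` returns no findings, which is the conclusion reached above for wp.template's fixed `'data'` value.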
I discovered a bad mark from Google Lighthouse when I activated your plugin on my website https://nektony.com.
Any time I enable the Algolia search plugin and check the page quality using Google Lighthouse, I get a report saying there is a vulnerability on my website.
I ran some research and discovered that your plugin uses the underscore.js library from WordPress. WordPress has the library of version 1.8.3, which has a vulnerability issue. So, every time I enable the Algolia WordPress plugin I get a lower Google mark result and a vulnerability report.
Now, I disabled the wp-search-with-algolia plugin to avoid such a vulnerability issue.
May I ask you if you know about this issue and if you are going to fix that? Thank you, Serge
There are several screenshots: https://www.dropbox.com/s/idntwhraueqs0ge/Screen%20Shot%202021-06-03%20at%2019.35.34.png?dl=0 https://www.dropbox.com/s/v0tkv3nqsd605cx/Screen%20Shot%202021-06-03%20at%2019.31.11.png?dl=0 https://www.dropbox.com/s/mpdjz7ps02but82/Screen%20Shot%202021-06-03%20at%2019.40.57.png?dl=0 https://www.dropbox.com/s/b9eswturlieb8cj/Screen%20Shot%202021-06-03%20at%2019.40.00.png?dl=0
Snyk report https://snyk.io/vuln/npm:underscore?lh=1.8.3&utm_source=lighthouse&utm_medium=ref&utm_campaign=audit