blackbaud / skyux1

DEPRECATED This site contains the codebase for the AngularJS (1.x) implementation of the SKY UX framework. We no longer support this version of SKY UX, and we recommend that you use the latest version instead. https://developer.blackbaud.com/skyux/
MIT License

Angular Version Security Update #1087

Closed Blackbaud-SpencerMurphy closed 4 years ago

Blackbaud-SpencerMurphy commented 6 years ago

Expected behavior

SkyUX should be up to date with latest angular version

Actual behavior

SkyUX is on angular version 1.6.1 which apparently has a security vulnerability

Steps to reproduce

In our latest OWASP security scan, it brought to our attention that there is a security vulnerability in angular versions less than 1.6.5. Here is the text from the scan: "In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via document.implementation.createHTMLDocument() is used. Angular version 1.6.5 checks for these vulnerabilities and then use a DOMParser or XHR strategy if needed. Please refer to vendor documentation (https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates."

I went ahead and pulled down a local copy of the repo, updated the package.json to the latest version of angular 1 (1.6.8) and ran all the tests. It appears that everything is passing, although I have not actually had anything up and running on it outside of the tests. Should I go ahead and submit a pull request with the updates?

Update

After looking closer at the scan, it also flagged jquery-ui (currently 1.11.4, needs to be 1.12.1) and jquery (currently 2.1.3, needs to be 3.0.0). Locally updating jquery-ui only resulted in one failure in one of the datepicker unit tests, but the jquery update was super problematic, causing basically all of the visual tests to fail. With that being a much more drastic change, I'm not sure the best way to move forward with this, but wanted to at least make it known, as this could potentially affect anyone using SKYUX.
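The scan output quoted in this issue names three minimum versions (angular 1.6.5, jquery-ui 1.12.1, jquery 3.0.0). The script below turns those thresholds into a repeatable check against a package.json so the same finding can be caught in CI rather than waiting for the next scan. This is an added example, not code from the skyux1 repository; the package.json object is constructed to mirror the versions reported above, and the version-spec handling is deliberately simple: a `^` or `~` prefix is stripped and the lowest version the spec admits is compared, which is what matters for an "anything below X" check.

```javascript
// Added example (not part of skyux1): flag package.json dependencies that
// fall below the minimum versions named by the OWASP scan in this issue.

const MIN_SAFE = {
  angular: "1.6.5",      // $sanitize XSS fix (inert document handling)
  "jquery-ui": "1.12.1", // jquery.ui.dialog closeText XSS
  jquery: "3.0.0",
};

// Constructed sample mirroring the versions this issue reports.
const samplePackageJson = {
  name: "sample-app",
  dependencies: {
    angular: "1.6.1",
    "jquery-ui": "^1.11.4",
    jquery: "~2.1.3",
    lodash: "4.17.4", // not in MIN_SAFE, so never reported
  },
};

// Parse "1.6.5", "^1.6.5", "~1.6.5", "v1.6.5" or "1.6.5-beta.1" into
// [major, minor, patch]. Compound ranges such as ">=1.0.0 <2.0.0" are not
// handled and come back as null so the caller can report them explicitly.
function parseVersion(spec) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Standard three-part numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns one finding per dependency that is below its minimum or whose
// spec could not be parsed: { name, installed, minimum, reason }.
function findOutdated(pkg, minimums = MIN_SAFE) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, minimum] of Object.entries(minimums)) {
    if (!(name in deps)) continue;
    const installed = parseVersion(deps[name]);
    if (installed === null) {
      findings.push({ name, installed: deps[name], minimum, reason: "unparseable" });
      continue;
    }
    if (compareVersions(installed, parseVersion(minimum)) < 0) {
      findings.push({ name, installed: deps[name], minimum, reason: "below-minimum" });
    }
  }
  return findings;
}

// Stand-alone run: print findings and exit non-zero so a CI step fails.
if (typeof require !== "undefined" && require.main === module) {
  const findings = findOutdated(samplePackageJson);
  for (const f of findings) {
    console.log(`${f.name}: installed ${f.installed}, minimum ${f.minimum} (${f.reason})`);
  }
  process.exitCode = findings.length > 0 ? 1 : 0;
}
```

In a real pipeline the constructed object would be replaced by `JSON.parse(fs.readFileSync("package.json"))`, and the minimum table would be kept alongside the scan report so that each entry is traceable to the advisory that set it.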

Blackbaud-BobbyEarl commented 6 years ago

I'm surprised we didn't get automated security vulnerability warnings through GitHub for the angularjs and jquery-ui related vulnerabilities. We have that service enabled and have received a couple to date.

Specifically, we recently received two such reports regarding upgrading jQuery. CVE-2015-9251 and CVE-2016-10707. We were able to evaluate those and deem them as not applicable.

Not having such a link makes it harder to evaluate the vulnerabilities you've mentioned. Are you able to provide such links @Blackbaud-SpencerMurphy?

Blackbaud-SpencerMurphy commented 6 years ago

I don't have those exact same type of links, but I can provide the OWASP scan output, which has links to the GitHub issues from the libraries. The jQuery vulnerability our scan found appears to be the same as CVE-2015-9251.

Vulnerable javascript library: Angular version: 1.6.1 Details: In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via document.implementation.createHTMLDocument() is used. Angular version 1.6.5 checks for these vulnerabilities and then use a DOMParser or XHR strategy if needed. Please refer to vendor documentation (https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates.

Vulnerable javascript library: jQuery.ui.dialog version: 1.11.4 Details: jquery.ui.dialog version below 1.12.0 is vulnerable to XSS if the user input is allowed to pass through to the closeText property. Please refer to vendor documentation (https://github.com/jquery/api.jqueryui.com/issues/281) for latest security updates.

Some of this will probably require more investigation on our end, but we wanted to bring it up here.

Blackbaud-IsaacAggrey commented 5 years ago

[Screenshot: Mail - Isaac Aggrey - Outlook, 2019-05-28]

@Blackbaud-BobbyEarl - you think these are along the same lines as what you validated as not applicable?

Blackbaud-BobbyEarl commented 5 years ago

I agree they are related, and I would feel comfortable marking both of these as resolved.

Blackbaud-PaulCrowder commented 4 years ago

AngularJS was updated to 1.6.5 in #1117.