Vulnerable JavaScript libraries

h5p / h5p-php-library

GNU General Public License v3.0

121 stars 117 forks source link

Vulnerable JavaScript libraries #83

Open weblendweb opened 4 years ago

weblendweb commented 4 years ago

Security alert

Your app contains one or more libraries with known security issues. Please see this Google Help Center article for details.

Vulnerable JavaScript libraries:

Name Version Known issues Identified files jquery 1.9.1 SNYK-npm:jquery:20110606 SNYK-npm:jquery:20150627 SNYK-JS-JQUERY-174006 assets/www/h5p/js/jquery.js Affects APK version 30801.

Error in Moodle Mobile App 3.8.1

donbowman commented 4 years ago

v1.9.1 (~2013 release) was the last to support IE6/7/8. It is not supported on Cordova (https://blog.jquery.com/2013/04/18/jquery-2-0-released/). v2.0 was released in 2013. v3.0 was released in 2016

there are some breaking changes between each of these major. Definitely for the moodleapp 1.9 is no good.

Does anyone know of a reason not to upgrade to latest jquery? It would seem the steps are to first frun the v1 migration tool (to get from v1.9 to v1.12) then the v2 migration tool https://github.com/jquery/jquery-migrate/#README

icc commented 4 years ago

H5P was originally created with support for IE8 which has since been dropped. However, some of the content types are still dependant on jQuery 1.9. I believe an upgrade would require a fair amount of time with refactoring and testing. So, until now the 1.9 in H5P has been manually patched for any known issues.

donbowman commented 4 years ago

any comment on what manually patched means?

Doing a diff against the upstream from https://code.jquery.com/jquery/, it appears the one in the h5p git repo only has 1 difference, the following is appended:

// Snap this specific version of jQuery into H5P. jQuery.noConflict will
// revert the globals to what they were before this file was loaded.
var H5P = window.H5P = window.H5P || {};

/**
 * jQuery v1.9.1
 *
 * @member
 */
H5P.jQuery = jQuery.noConflict(true);
H5P.jQuery.ajaxPrefilter(function (s) {
  if (s.crossDomain) {
    s.contents.script = false;
  }
});

the concern is since there are known sec vulnerabilities against that version (and probably many unknown since people stopped reporting them about 5 years ago).

cescobedo commented 4 years ago

Hi,

from MoodleHQ we are working on fix this issue (https://tracker.moodle.org/browse/MDL-68704) and once this issue will be fixed we would like to do a pull-request in order to H5P could integrate the solution. It is important to notice that there are two vulnerabilities:

SNYK-JS-JQUERY-174006 - Manual patch fix this. Easy to fix.
SNYK-npm:jquery:20150627 - I would require to upgrade to 1.12.2 with the previous patch applied.

Cheers.

fehwalker commented 1 year ago

I see this old jquery library is updated in the master branch but not in the most current release from Dec 2022. Do you know when this will be added to a release?

cmurtagh commented 1 year ago

This is also becoming an issue, as we have 3rd party scans that are revealing this vulnerability. Any guess as to the effort of bringing jQuery up to date here?

fehwalker commented 8 months ago

The code is already updated, but hasn't yet been released.