wp-media / imagify-plugin

Speed up your website with lighter images without losing quality.
https://imagify.io

Chart.js version 2.7.1 vulnerability #742

Closed stathopoulosgeorge closed 7 months ago

stathopoulosgeorge commented 10 months ago

Describe the bug

We received a WordPress.org ticket for Imagify regarding the current version of Chart.js used (2.7.1, which was released 6 years ago).

The user has done a web application penetration test which revealed a Prototype Pollution vulnerability, rated as critical on the NVD database.

[File location]: Imagify > assets > js > chart.js

CrochetFeve0251 commented 8 months ago

Scope a solution

To update chart.js we will have to download the new version from chart.js here: https://cdn.jsdelivr.net/npm/chart.js

Then replace the content of the file `imagify/assets/js/chart.js` with the new content.

While doing so we need to be careful to keep the 3 lines: https://github.com/wp-media/imagify-plugin/blob/cfe6f77940b520500d8ef00be18b4ee24167b49f/assets/js/chart.js#L10 https://github.com/wp-media/imagify-plugin/blob/cfe6f77940b520500d8ef00be18b4ee24167b49f/assets/js/chart.js#L718C1-L718C31 https://github.com/wp-media/imagify-plugin/blob/cfe6f77940b520500d8ef00be18b4ee24167b49f/assets/js/chart.js#L1736

Then compile the js again and check for potential issues.

If time allows, we should refactor this by adding chart.js to the node dependencies and importing it inside the chart.js file. Then set up `window.imagify` using the values exported by chartjs.

Estimate effort

Effort S

PS: S for the high potential for issues, since we are moving from 2.xx to 4.xx
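The replace-and-verify steps above are easy to get subtly wrong (the new file silently dropping the three Imagify-specific lines, or a later "update" re-vendoring an old build), so here is a small check script for them. This is an added example, not code from this thread or from the Imagify plugin. It assumes the Chart.js banner layouts (2.x files carry `Version: 2.7.1`, 3.x/4.x dist builds carry `Chart.js v4.4.1`) and assumes that the three lines to keep are `window.imagify` glue of the form shown in the constructed sample; the real lines are only linked, not quoted, in the thread. The file contents are embedded as constructed strings so the script runs offline; in CI you would read `assets/js/chart.js` into `source` instead.

```javascript
// Added example (not Imagify's own code): sanity checks for a vendored Chart.js
// file such as imagify/assets/js/chart.js. Two things the thread cares about:
//  1. the vendored copy is not an ancient release (2.7.1 here), and
//  2. after replacing the file, the project-specific lines that set up
//     window.imagify were kept.
// Banner layouts and the marker strings are assumptions (see lead-in).

// Chart.js 2.x banners read "Version: 2.7.1"; 3.x/4.x dist builds read
// "Chart.js v4.4.1". Both are matched; anything else yields null.
function parseChartJsVersion(source) {
  const head = source.slice(0, 2000); // the banner sits at the top of the file
  const m =
    head.match(/\*\s*Version:\s*(\d+\.\d+\.\d+)/) ||
    head.match(/Chart\.js\s+v(\d+\.\d+\.\d+)/);
  return m ? m[1] : null;
}

// Numeric comparison of MAJOR.MINOR.PATCH (no pre-release handling).
// Returns -1, 0 or 1 like a sort comparator.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns a report instead of throwing so a CI step can print every
// problem at once: version found, whether it meets the floor, and which
// required glue lines went missing in the replacement.
function checkVendoredChartJs(source, { minVersion, requiredMarkers }) {
  const version = parseChartJsVersion(source);
  const missingMarkers = requiredMarkers.filter((m) => !source.includes(m));
  const versionOk = version !== null && compareSemver(version, minVersion) >= 0;
  return {
    version,
    versionOk,
    missingMarkers,
    ok: versionOk && missingMarkers.length === 0,
  };
}

// Constructed samples: not the real file contents, only the banner shapes
// plus (in the first) the assumed window.imagify glue lines.
const OLD_VENDORED = `/*!
 * Chart.js
 * http://chartjs.org/
 * Version: 2.7.1
 *
 * Copyright 2017 Nick Downie
 * Released under the MIT license
 */
(function(){ /* ... library body ... */ })();
window.imagify = window.imagify || {};
window.imagify.Chart = Chart;
`;

// A fresh download that was pasted over the file without re-adding the glue.
const NEW_VENDORED = `/*!
 * Chart.js v4.4.1
 * https://www.chartjs.org
 * (c) 2023 Chart.js Contributors
 * Released under the MIT License
 */
!function(){ /* ... library body ... */ }();
`;

// Policy for this repo: must be a 4.x build and must keep the glue lines.
// The marker strings are assumed, not quoted from the actual file.
const POLICY = {
  minVersion: "4.0.0",
  requiredMarkers: [
    "window.imagify = window.imagify || {};",
    "window.imagify.Chart =",
  ],
};

const oldReport = checkVendoredChartJs(OLD_VENDORED, POLICY); // fails: too old
const newReport = checkVendoredChartJs(NEW_VENDORED, POLICY); // fails: glue dropped
console.log(oldReport);
console.log(newReport);
```

Both constructed inputs fail on purpose: the first is the current 2.7.1 copy, the second is a correct 4.x build that lost the Imagify lines. Only a file that passes both checks should be committed, and the same script run in CI keeps a future copy-paste from quietly reintroducing either mistake.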

Miraeld commented 8 months ago

Seems good to me. Like you said, we need to pay attention to potential issues that will be caused by the major version upgrade.