
XSS (High Level Vulnerability Security Warning) #350

Closed
TinkerJack-zz opened this issue Jun 8, 2018 · 6 comments

Comments


TinkerJack-zz commented Jun 8, 2018

Hi everyone.

Facing an XSS security vuln issue here when installing the library using:

node: 8.11.2
npm: 6.1.0
Jquery: 3.2.1

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting (XSS)                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ pptxgenjs                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ pptxgenjs > jquery-node > jquery                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/328                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Steps Taken:
1- Ran npm audit fix, but no, it didn't work.
2- Checked my version of Jquery (since according to the info, this problem was patched in >=3.0.0),
but I'm at jquery@^3.2.1 so I was wondering if I should post the issue here or at the jquery repo.

I'm new to posting issues regarding errors (used to posting ones about features), so please let me know if I'm missing any information you need.

Edit:

Jquery version being used in /libs/jquery.min.js is 2.1.4, so that might be the issue.

@gitbrent
Owner

I've updated jQuery to 3.3.1

@TinkerJack-zz
Author

TinkerJack-zz commented Jun 11, 2018

@gitbrent Thank you for the upgrade Sir.

The error hasn't disappeared yet even though the fix has been successfully applied.

I've tried installing using npm install, and it installed the old version of PptxGenJS, so I used

npm install gitbrent/PptxGenJS#master

and it gave me the correct version with the following error

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting (XSS)                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ effd0e18c333fbd86e3bffa73c31bec73ba47442cbd75d7988ae98e402a… │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ effd0e18c333fbd86e3bffa73c31bec73ba47442cbd75d7988ae98e402a… │
│               │ > jquery-node > jquery                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/328                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I'm not very proficient in NPM, so I can't say for sure, but it seems like the current error is a reference to a place in memory, and perhaps if the latest version of PptxGenJS on node can be updated, then the vuln log showing up when using npm audit or npm install can be avoided.

@gitbrent
Owner

I believe this is coming from jquery-node

It's a dependency I'd like to not have, so I'll see if I can segment the few places I use the jQuery DOM and pull in jQuery from NPM instead to avoid issues like this.
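The audit path in the reports above, `pptxgenjs > jquery-node > jquery`, is why upgrading the project's own jQuery to 3.x leaves the warning in place: jquery-node carries its own nested copy of jquery 2.1.4, and that copy is what the chain resolves to. The following is an added example (not code from PptxGenJS, jquery-node or npm) that walks a constructed npm v6 package-lock.json fragment using Node's nearest-node_modules resolution rule and lists every dependency chain ending in a jquery below the patched range `>=3.0.0`; the direct-dependency list and all versions other than the two jquery versions are constructed placeholders.

```javascript
// Constructed npm v6 package-lock.json fragment (not the real PptxGenJS lock file).
// The app's own jquery is 3.2.1, but jquery-node keeps a nested jquery 2.1.4.
// Versions other than the two jquery versions are constructed placeholders.
const LOCK = {
  dependencies: {
    jquery: { version: "3.2.1" },
    pptxgenjs: { version: "1.0.0", requires: { "jquery-node": "*" } },
    "jquery-node": {
      version: "1.0.0",
      requires: { jquery: "2.1.4" },
      dependencies: { jquery: { version: "2.1.4" } }, // nested node_modules copy
    },
  },
};
const DIRECT_DEPS = ["jquery", "pptxgenjs"]; // constructed package.json dependencies

// True when dotted version v sorts below min (numeric major.minor.patch compare).
function isBelow(v, min) {
  const a = v.split(".").map(Number), b = min.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Resolve `name` as Node does: innermost node_modules first, then each parent.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i][name]) return { node: scopes[i][name], level: i };
  }
  return null;
}

// Every logical chain "a > b > target" whose installed target is below minPatched.
function vulnerablePaths(lock, directDeps, target, minPatched) {
  const hits = [];
  const walk = (name, node, scopes, path) => {
    if (name === target && isBelow(node.version, minPatched)) hits.push(path.join(" > "));
    for (const dep of Object.keys(node.requires || {})) {
      const r = resolve(dep, scopes);
      if (!r || path.includes(dep)) continue; // unresolved or cyclic: skip
      const next = scopes.slice(0, r.level + 1); // scopes visible where dep was found
      if (r.node.dependencies) next.push(r.node.dependencies);
      walk(dep, r.node, next, [...path, dep]);
    }
  };
  for (const name of directDeps) {
    const node = lock.dependencies[name];
    const scopes = node.dependencies ? [lock.dependencies, node.dependencies] : [lock.dependencies];
    walk(name, node, scopes, [name]);
  }
  return hits;
}
```

Running `vulnerablePaths(LOCK, DIRECT_DEPS, "jquery", "3.0.0")` yields only `pptxgenjs > jquery-node > jquery`, matching the audit report; the direct jquery 3.2.1 is never flagged.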

@gitbrent gitbrent self-assigned this Jun 13, 2018
@gitbrent
Owner

Branch created for work on removal of jquery-node

jquery-update-issue-350

@gitbrent
Owner

Current Report:

[brentely@Brents-Air 22:14:04] ~/Documents/GitHub/PptxGenJS 
=> npm audit
(...)
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting (XSS)                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jquery-node                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jquery-node > jquery                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/328                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 21 vulnerabilities (8 low, 4 moderate, 9 high) in 639 scanned packages
  run `npm audit fix` to fix 14 of them.
  6 vulnerabilities require semver-major dependency updates.
  1 vulnerability requires manual review. See the full report for details.

gitbrent added a commit that referenced this issue Jun 20, 2018
@gitbrent gitbrent added this to the 2.3.0 milestone Jun 20, 2018
@gitbrent
Owner

New Report:

[brentely@Brents-Air 22:21:11] ~/Documents/GitHub/PptxGenJS/examples 
=> npm audit
(...)
│ Dependency of │ gulp [dev]   
(...)
found 11 vulnerabilities (7 low, 4 high) in 1635 scanned packages
  11 vulnerabilities require semver-major dependency updates.

The 11 vulnerabilities above are all from a DevDependency (gulp), so there are zero core library vulnerabilities at this time.

XSS vulnerability is now gone:

=> npm audit | grep -i XSS

gitbrent pushed a commit that referenced this issue Jun 20, 2018
ericrockey pushed a commit to WeTransfer/PptxGenJS that referenced this issue Mar 24, 2020