jQuery UI 1.12.1 vulnerabilities

[Charles-Mancuso]

When doing PEN testing for our app, we noticed that jQuery UI 1.12.1 contained a vulnerability that we needed to address. We couldn't find any reference to it in our code, but after some further investigation we noticed that activeadmin was using a vendored version of it. From that I have a couple of questions:

• Are you able to upgrade jQuery UI to at least 1.13.0 for activeadmin?
• I noticed that anything below the 4.~ beta versions use jQuery UI, but any of the beta versions don't include it at all.
  • When will 4.~ get out of beta version?
  • Will using the beta version affect my app if it doesn't include jQuery UI?

Thanks for taking the time!

[tagliala]

Hi,

thanks for this report

I think that v3 should update its vendored version of jQuery UI, however this should affect only application that uses the vendored version of jQuery UI.

In example, applications using the node package @activeadmin/activeadmin@^3.2.1 via webpacker/shakapacker/webpack/jsbundling-rails, should bundle the latest released jQuery UI version which is not affected by the issue

This is an excerpt from my bundle:

This is how I'm using activeadmin at the moment: #7376 (comment)

When will 4.~ get out of beta version?

Roadmap to v4 is or will be discussed here #8319

Will using the beta version affect my app if it doesn't include jQuery UI?

It will not because v4 dropped jQuery entirely. It will vendor flowbite instead

[Charles-Mancuso]

Hi @tagliala,

Thanks for your response!

I include ActiveAdmin as a gem in my Gemfile with the version specified as gem 'activeadmin', "~> 3.2.1". After running bundle install and yarn install, my application pulls in the necessary assets.

Given this setup, could you please let me know the best approach for ensuring that the latest jQuery UI version is included when using ActiveAdmin v3.2.1?

Additionally, if updating jQuery UI in the ActiveAdmin repository itself is feasible, I'd appreciate guidance on how to proceed with that process.

Thank you for your assistance!

[tagliala]

Can you check if everything works fine with this branch? https://github.com/tagliala/activeadmin/tree/security/update-vendored-jquery-ui

[Charles-Mancuso]

Thank you @tagliala! I was able to use that branch and I saw the updated jQuery UI version using Google Lighthouse. Login worked perfectly, but when clicking on certain elements in the app I was getting errors related to Ransack. Could it be possible to create a new branch using ActiveAdmin 2.12 and the upgraded vendored jQuery UI version? That's the original AA version I'm using that has a Ransack version <4.

I appreciate all of your help thus far! Cheers 😄

[tagliala]

I was getting errors related to Ransack.

I guess that it happens because of the upgrade to Ransack v4, which requires explicit allowlisting of ransackable attributes

Since this is also a security (information disclosure) concern, please check out https://github.com/activeadmin/activeadmin/releases/tag/v3.0.0 and #8009

Could it be possible to create a new branch using ActiveAdmin 2.12 and the upgraded vendored jQuery UI version?

Please fork the repo and make the changes on 2-12-stable just like in the branch above if you need support on 2.x

[Charles-Mancuso]

Thank you @tagliala. Here are the changes: #8335

Happy to make any necessary adjustments if needed, just let me know!

[javierjulio]

@Charles-Mancuso there was a misunderstanding here. The fork is for you to include in your project. We don't support v2 anymore. Your PR will be closed. Once this update is available in a new v3 release, please update as noted there are other security concerns as part of v3. Thank you.

[Charles-Mancuso]

Ah understood. Thank you both @javierjulio and @tagliala for your help here. I appreciate it!