
Datatables version security issue #5628

Open
willyedoo opened this issue Apr 9, 2024 · 6 comments
Labels
bug Occurrence of an unintended or unanticipated behaviour that causes a vulnerability or fatal error

Comments

@willyedoo

willyedoo commented Apr 9, 2024

Setup

  • SMW version: 4.1.3
  • MW version: 1.39.4
  • PHP version: 8
  • DB system (MySQL, Blazegraph, etc.) and version: Postgresql
  • Datatables: 1.10.13 to 1.10.21

Issue

Hello @JeroenDeDauw ,
Am getting a security issue with the Datatables version on upgrade from SMW 4.1.2. According to the security team, Semantic should be bundled with datatable 1.10.23, or 2.0.3, published on 22 Mar, 2024; see discussion on version safe
image007

Detailed description of the issue and a stack trace if applicable:
When installation is launched, the SMW is sent to quarantine by the security system
https://github.com/SemanticMediaWiki/SemanticMediaWiki/tree/master/res/onoi/jquery.dataTables

Steps to reproduce the observation (recommendation is to use the sandbox):
Upgrade with composer
Regards!

@willyedoo willyedoo added the bug Occurrence of an unintended or unanticipated behaviour that causes a vulnerability or fatal error label Apr 9, 2024
@krabina
Contributor

krabina commented Apr 22, 2024

@thomas-topway-it , can you upgrade to 1.10.23?

@krabina krabina transferred this issue from SemanticMediaWiki/SemanticMediaWiki Apr 22, 2024
@krabina
Contributor

krabina commented Apr 22, 2024

If I understand correctly, we have 1.13.2 in there, which is several versions above 1.10.23:
https://github.com/SemanticMediaWiki/SemanticResultFormats/blob/d0ec0d5b810567ca9df1fdd4cbd57f999c8124ea/resources/jquery/datatables/datatables.min.js#L7-L13

Oh. I see this is related to something in SMW core, not the new result format. Thus moving back to SMW.

@krabina krabina transferred this issue from SemanticMediaWiki/SemanticResultFormats Apr 22, 2024
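The thread hinges on which DataTables build is actually vendored where (SMW core under `res/onoi/jquery.dataTables`, SRF under `resources/jquery/datatables`), and on the two minimum versions the reporter's security team named (1.10.23 for the 1.x line, 2.0.3 for the 2.x line). The following audit script is an added example, not code from SMW, SRF or anyone in this thread. It assumes that distributed DataTables builds start with a header comment of the form `/*! DataTables 1.10.21` and that the unminified source carries a `DataTable.version = "..."` assignment; the sample file contents are constructed, only the paths echo the ones linked above.

```python
import re
import sys
from pathlib import Path

# Minimum versions named in the issue, keyed by major version line.
# Assumption: anything below these is what the security scanner flags.
MINIMUM_BY_MAJOR = {1: (1, 10, 23), 2: (2, 0, 3)}

# Assumption about the distributed file layout: minified builds open with a
# "/*! DataTables x.y.z" banner; unminified source sets DataTable.version.
VERSION_PATTERNS = [
    re.compile(r"/\*!\s*DataTables\s+(\d+\.\d+\.\d+)"),
    re.compile(r"DataTable\.version\s*=\s*['\"](\d+\.\d+\.\d+)['\"]"),
]

FILE_NAME_HINT = re.compile(r"datatables", re.IGNORECASE)


def extract_version(text):
    """Return the first DataTables version string found in a file body, or None."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(text)
        if match:
            return match.group(1)
    return None


def parse_version(version):
    """'1.10.21' -> (1, 10, 21) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(version):
    """True if below the minimum for its major line, False if not, None if the
    major line is unknown (no minimum to judge against)."""
    parsed = parse_version(version)
    minimum = MINIMUM_BY_MAJOR.get(parsed[0])
    if minimum is None:
        return None
    return parsed < minimum


def audit_sources(sources):
    """sources: mapping of path -> file text.
    Returns a list of (path, version or None, outdated flag or None) for every
    .js file whose name mentions DataTables."""
    findings = []
    for path, text in sources.items():
        name = Path(path).name
        if Path(path).suffix != ".js" or not FILE_NAME_HINT.search(name):
            continue
        version = extract_version(text)
        outdated = is_outdated(version) if version else None
        findings.append((path, version, outdated))
    return findings


def audit_directory(root):
    """Walk a checkout (e.g. an SMW or SRF install) and audit vendored builds."""
    sources = {}
    for path in Path(root).rglob("*.js"):
        if FILE_NAME_HINT.search(path.name):
            sources[str(path)] = path.read_text(encoding="utf-8", errors="replace")
    return audit_sources(sources)


# Constructed sample inputs; the bodies are not the real vendored files.
SAMPLE_SOURCES = {
    "res/onoi/jquery.dataTables/jquery.dataTables.min.js":
        "/*! DataTables 1.10.21\n * (c)2008-2020 SpryMedia Ltd - datatables.net/license\n */\n!function(n){}",
    "resources/jquery/datatables/datatables.min.js":
        "/*! DataTables 1.13.2\n * (c)2008-2023 SpryMedia Ltd - datatables.net/license\n */\n",
    "vendor/dt2/datatables.js":
        "// unminified build\nDataTable.version = \"2.0.3\";\n",
    "resources/jquery/datatables/datatables.min.css": "/* styles only */",
}


if __name__ == "__main__":
    results = audit_directory(sys.argv[1]) if len(sys.argv) > 1 else audit_sources(SAMPLE_SOURCES)
    for path, version, outdated in results:
        status = {True: "OUTDATED", False: "ok", None: "unknown"}[outdated]
        print(f"{status:9} {version or '?':8} {path}")
```

Run it against a wiki checkout (`python audit_datatables.py /var/www/mediawiki`) to list every vendored DataTables build with its version and whether it falls below the thresholds quoted in the issue; a `None` version means a file that looks like DataTables but carries no recognisable banner and deserves a manual look.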
@krabina
Contributor

krabina commented Apr 22, 2024

@kghbln
Member

kghbln commented Apr 23, 2024

Since it is SMW core it is about the "datatable" class to the table format.

"onoi/shared-resources" was already merged into SMW last year. The dataTables stuff is now sitting in this spot.

@krabina
Contributor

krabina commented Apr 23, 2024

I guess we have three options

  1. kick out the "datatable" class for the table format, since now we have a feature-rich and maintained datatables format in SRF (not my preferred option either, since it will break things, but better to throw out unmaintained code if nobody fixes it)
  2. make the "datatable" class of the table format in SMW dependent on SRF. This way we could avoid having two places where to maintain external resources that are being used. But AFAIK it is not only the datatables sources, but there is some custom code as well to make the datatables class work with table format, so I don't know if it can so easily point to the source we use in SRF
  3. update the existing solution in SMW

@gesinn-it-gea
Member

@krabina if SRF datatables could be a drop-in replacement for the datatables class, I suggest maintaining only one and dropping the other.
