Prototype Pollution vulnerability on jQuery < 3.4.0: Does it affect Django? #916

Closed
agu3rra opened this issue May 23, 2019 · 1 comment

@agu3rra
commented May 23, 2019

One of the reported vulnerabilities on jQuery prior to version 3.4.0 (CVE-2019-11358) has popped up in one of my open-source security scanners while I upgraded to Django 2.2.1. I downloaded Django's source code and it appears to be using jQuery v1.11.2.

The only JS file I noticed that uses the mentioned __proto__ property within the whole django package was djangoproject\static\js\lib\clipboard\dist\clipboard.js:
if (superClass) Object.setPrototypeOf ? Object.setPrototypeOf(subClass, superClass) : subClass.__proto__ = superClass;

Can anyone from the core development team validate whether this jQuery vulnerability affects Django in any way?

Thank you!


Vulnerability description:

The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype. An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code.

jQuery fix description:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/
https://hackerone.com/reports/454365
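To make the mechanism behind CVE-2019-11358 concrete, here is an added example that is not part of the issue thread and is not jQuery's, Django's or the reporter's code. It re-implements the deep-merge behaviour of jQuery.extend(true, target, source) in miniature: once as it behaved before jQuery 3.4.0, and once with the guard that 3.4.0 added (skipping a source key literally named "__proto__"). The function names and the JSON payload are constructed for this illustration. Note the distinction from the clipboard.js line quoted above, which deliberately sets the prototype of a class the library owns: the vulnerability is about "__proto__" arriving as a key inside attacker-controlled data that is then deep-merged.

```javascript
// Added example (not jQuery's, Django's or the reporter's code): a minimal
// deep merge in the style of jQuery.extend(true, target, source), first as
// it behaved before jQuery 3.4.0 (CVE-2019-11358), then with the check that
// jQuery 3.4.0 added.  Function names and the sample payload are constructed.

// jQuery-style plain-object test: true for object literals and also for
// Object.prototype itself (whose own prototype is null).  That second case
// is what lets the recursion below land on Object.prototype.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Vulnerable (pre-3.4.0 behaviour): every own enumerable key of `source` is
// merged, including one literally named "__proto__".  Reading
// target["__proto__"] goes through the inherited accessor and yields
// Object.prototype, which passes isPlainObject, so the recursive call writes
// the attacker's keys straight onto Object.prototype.
function deepExtendVulnerable(target, source) {
  for (const name of Object.keys(source)) {
    const src = target[name];
    const copy = source[name];
    if (copy && isPlainObject(copy)) {
      const clone = src && isPlainObject(src) ? src : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Fixed: mirrors the guard jQuery 3.4.0 added to jQuery.extend, which skips
// the "__proto__" key (and a source value that is the target itself).
function deepExtendFixed(target, source) {
  for (const name of Object.keys(source)) {
    const src = target[name];
    const copy = source[name];
    if (name === '__proto__' || target === copy) continue;
    if (copy && isPlainObject(copy)) {
      const clone = src && isPlainObject(src) ? src : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Runs one merge against a constructed attacker payload (JSON.parse creates
// an *own* property named "__proto__", unlike an object literal would) and
// reports whether an unrelated object created afterwards inherits the
// injected key.  Returns the leaked value, or undefined when nothing was
// polluted.  Object.prototype is restored before returning so repeated runs
// in one process stay isolated.
function pollutionLeak(merge) {
  const untrustedJson = '{"__proto__": {"polluted": "yes"}}'; // constructed sample input
  merge({}, JSON.parse(untrustedJson));
  const victim = {};
  const leaked = victim.polluted;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('pre-3.4.0 merge leaks:', pollutionLeak(deepExtendVulnerable)); // "yes"
console.log('3.4.0-style merge leaks:', pollutionLeak(deepExtendFixed));    // undefined
```

Running the block under Node prints the leaked value for the vulnerable merge and undefined for the fixed one. The practical checks this suggests for an application embedding an old jQuery are the ones the thread itself raises: whether any code path calls jQuery.extend(true, ...) with data that came from a request, and whether the shipped jQuery carries the "__proto__" guard.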

@carltongibson (Member)
commented May 24, 2019

Hi. Security questions are best handled via the security@djangoproject.com address.

You appear to have searched the code for the djangoproject.com website, rather than Django itself.

Django usage is quite basic. It does not directly use the extend(true,...) call mentioned in the ticket.

Django 2.2 ships jQuery 3.3.1, which was the latest release when the branch was tagged. We will update the jQuery version for Django 3.0.

We will investigate if any other action is needed.

As with all static files, if you wish to override the provided version of jQuery, you may provide an alternate version, to be discovered first according to your STATICFILES_FINDERS configuration.
