XSS (High Level Vulnerability Security Warning) #350

Closed
TinkerJack opened this Issue Jun 8, 2018 · 6 comments

TinkerJack commented Jun 8, 2018

Hi everyone.

Facing an XSS security vulnerability issue here when installing the library using:

node: 8.11.2
npm: 6.1.0
Jquery: 3.2.1

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting (XSS)                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ pptxgenjs                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ pptxgenjs > jquery-node > jquery                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/328                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Steps Taken:
1. Ran npm audit fix, but no, it didn't work.
2. Checked my version of jQuery (since according to the info this problem was patched in >=3.0.0), but I'm at jquery@^3.2.1, so I was wondering if I should post the issue here or at the jQuery repo.

I'm new to posting issues regarding errors (used to posting ones about features), so please let me know if I'm missing any information you need.

Edit:

jQuery version being used in /libs/jquery.min.js is 2.1.4, so that might be the issue.

gitbrent (Owner) commented Jun 10, 2018

I've updated jQuery to 3.3.1

TinkerJack commented Jun 11, 2018
@gitbrent Thank you for the upgrade Sir.

The error hasn't disappeared yet even though the fix has been successfully applied.

I've tried installing using npm install, and it installed the old version of PptxGenJS, so I used

npm install gitbrent/PptxGenJS#master

and it gave me the correct version with the following error

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting (XSS)                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ effd0e18c333fbd86e3bffa73c31bec73ba47442cbd75d7988ae98e402a… │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ effd0e18c333fbd86e3bffa73c31bec73ba47442cbd75d7988ae98e402a… │
│               │ > jquery-node > jquery                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/328                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I'm not very proficient in NPM, so I can't say for sure, but it seems like the current error is a reference to a place in memory, and perhaps if the latest version of PptxGenJS on node can be updated, then the vuln log showing up when using npm audit or npm install can be avoided.


gitbrent (Owner) commented Jun 13, 2018

I believe this is coming from jquery-node.

It's a dependency I'd like to not have, so I'll see if I can segment the few places I use the jQuery DOM and pull in jQuery from NPM instead to avoid issues like this.

@gitbrent gitbrent self-assigned this Jun 13, 2018

gitbrent (Owner) commented Jun 20, 2018

Branch created for work on removal of jquery-node

jquery-update-issue-350

gitbrent (Owner) commented Jun 20, 2018

Current Report:

[brentely@Brents-Air 22:14:04] ~/Documents/GitHub/PptxGenJS 
=> npm audit
(...)
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting (XSS)                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jquery-node                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jquery-node > jquery                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/328                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 21 vulnerabilities (8 low, 4 moderate, 9 high) in 639 scanned packages
  run `npm audit fix` to fix 14 of them.
  6 vulnerabilities require semver-major dependency updates.
  1 vulnerability requires manual review. See the full report for details.

gitbrent added a commit that referenced this issue Jun 20, 2018

Merge pull request #358 from gitbrent/jquery-update-issue-350
Remove jquery-node dependency (Issue #350)

@gitbrent gitbrent added this to the 2.3.0 milestone Jun 20, 2018

gitbrent (Owner) commented Jun 20, 2018

New Report:

[brentely@Brents-Air 22:21:11] ~/Documents/GitHub/PptxGenJS/examples 
=> npm audit
(...)
│ Dependency of │ gulp [dev]   
(...)
found 11 vulnerabilities (7 low, 4 high) in 1635 scanned packages
  11 vulnerabilities require semver-major dependency updates.

The 11 vulnerabilities above are all from a DevDependency (gulp), so there are zero core library vulnerabilities at this time.

XSS vulnerability is now gone:

=> npm audit | grep -i XSS

@gitbrent gitbrent closed this Jun 20, 2018

gitbrent pushed a commit that referenced this issue Jun 20, 2018
