| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,6 +4,13 @@ define( [ | |
| "../ajax" | ||
| ], function( jQuery, document ) { | ||
|
|
||
| // Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432) | ||
| jQuery.ajaxPrefilter( function( s ) { | ||
| if ( s.crossDomain ) { | ||
| s.contents.script = false; | ||
| } | ||
markelog (Author, Member)
|
||
| } ); | ||
|
|
||
| // Install script dataType | ||
| jQuery.ajaxSetup( { | ||
| accepts: { | ||
|
|
||
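Review bot: the assignment `s.contents.script = false` mutates `s.contents` in place, so this only behaves as the comment describes if `s.contents` is a per-request copy rather than the shared `jQuery.ajaxSettings.contents`; if it were shared, the first cross-domain request would switch off script sniffing for every later same-origin request as well. A test that issues one cross-domain request and then asserts a same-origin `text/javascript` response is still auto-detected would pin that down. Also, the comment promises to act "when no explicit dataType was provided" but the guard checks only `s.crossDomain`; a one-line note that `contents` is consulted only while sniffing the response type (so an explicit `dataType: "script"` is unaffected) would make the intent checkable from the hunk alone.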
11 comments on commit f60729f
I have a question regarding this mitigation. I am a vulnerability analyst and am trying to fully understand how this can be properly mitigated. Is this code provided here a recommended fix that someone would have to manually add to their instance of jQuery? Or is this implemented already if the "ajaxPrefilter" is present? For example, a code snippet from example.com/jquery-1.12.3.min.js, doing a Ctrl+f for "ajaxPrefilter" shows this:
...ajaxPrefilter:Tb(Ob),ajaxTransport:Tb(Pb),ajax:function(b,c)...
....n.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)}),n.ajaxTransport("script",function(a){if(a.crossDomain){var b,c=d.head||n("head")[0]||d.documentElement;return{send:function(e,f)......
.....n.ajaxPrefilter("json jsonp",function(b,c,d){var e,f,g,h=b.jsonp!......
Is this how one would determine if this mitigation has been implemented? Or is this an addition to the ajaxPrefilter function that someone would need to manually add to their running instance of jQuery? Thanks all!
Why examine the minified version of the code when the unminified is available? If you look at the CDN copies of the unminified source you can see whether this code is present. Search for "Prevent auto-execution".
http://code.jquery.com/jquery-3.3.1.js
If you have the commit hash (it's above) you can use the command git describe --contains f60729f3903d17917dc351f3ac87794de379b0cc to find the first release where the commit appeared.
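A way to apply the advice above to a jQuery file you have already fetched (an added example, not jQuery's code and not from anyone in this thread): it searches for the "Prevent auto-execution" comment that unminified builds keep, falls back to the `contents.script = false` assignment for minified builds, and pulls the version out of the file banner. The helper names are hypothetical, the sample sources are constructed, and the minified spelling `contents.script=!1` is an assumption about how minifiers rewrite `false`.

```javascript
// Added checker (not jQuery code): does a jQuery source file carry the
// gh-2432 prefilter? Works on unminified and minified text.

// Unminified builds keep the comment from the commit; minified builds keep
// only the assignment. `!1` is the usual minifier spelling of `false`
// (assumption).
const FIX_PATTERNS = [
  /Prevent auto-execution of scripts/,
  /\.contents\.script\s*=\s*(?:false|!1)\b/
];

// Banner forms: " * jQuery JavaScript Library v1.12.3" (unminified) and
// "/*! jQuery v1.12.3 | ..." (minified); falls back to the `version = "..."`
// assignment inside the file. Returns null when nothing matches.
function jqueryVersion(source) {
  const m = /jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+[\w.-]*)/.exec(source)
    || /\bversion\s*=\s*"(\d+\.\d+\.\d+[^"]*)"/.exec(source);
  return m ? m[1] : null;
}

function hasAutoExecFix(source) {
  return FIX_PATTERNS.some((re) => re.test(source));
}

// Summary for one fetched file, e.g. the path a scanner reported.
function auditJquerySource(source) {
  const version = jqueryVersion(source);
  const hasFix = hasAutoExecFix(source);
  return {
    version,
    hasFix,
    verdict: hasFix
      ? "cross-domain script auto-execution prefilter present"
      : "prefilter not found; responses without an explicit dataType may be sniffed as script"
  };
}

// Constructed samples (not real files).
const SAMPLE_FIXED_UNMINIFIED = `/*!
 * jQuery JavaScript Library v3.3.1
 */
// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
	if ( s.crossDomain ) {
		s.contents.script = false;
	}
} );`;

const SAMPLE_FIXED_MINIFIED = `/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */
w.ajaxPrefilter(function(e){e.crossDomain&&(e.contents.script=!1)});`;

// Modelled on the 1.12.3 fragment quoted in the question above: it has a
// "script" prefilter but never assigns contents.script.
const SAMPLE_OLD_MINIFIED = `/*! jQuery v1.12.3 | (c) jQuery Foundation | jquery.org/license */
n.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)});`;

for (const src of [SAMPLE_FIXED_UNMINIFIED, SAMPLE_FIXED_MINIFIED, SAMPLE_OLD_MINIFIED]) {
  console.log(auditJquerySource(src));
}
```

A positive result only says the code is present in the file; as noted further down in the thread, it says nothing about whether the site's own requests ever take that path.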
The path including "jquery-1.12.3.min.js" was detected in a vulnerability scan. So I was just taking the path that the scanner provided. The scanned website has source code that links to this version. I am still trying to figure this vulnerability out and how it is implemented on people's websites. When you say to look at the unminified version, is that specific to a particular website that implements jQuery, or is it used globally, as in all 1.12.3 versions are the same and not modified/customized when used on someone's website?
Since I'm not being paid to do this research, I'll try to restrict my comments to the volunteer work that I do on the project. The output of git describe --contains f60729f3903d17917dc351f3ac87794de379b0cc gives 1.12.0~111 which says that version 1.12.0 was the first containing this particular commit. That does not indicate whether the web site uses the API in a way that would even invoke this particular code. If you need more assistance in your work, I'm available for consulting and you can find my contact info via Google.
@jorgsmash the fix is not applied to 1.12.3 and 1.12.4; see #3011.
To implement this, do I need to have the offending codebase of jQuery local and customize it from there, or can these files be something that's separate and called in via the HTML?
@lucasatace just use jQuery 1.12.2, unless you need features from 12.3 or 12.4.
@lucasatace You can also invoke the code from the patch (b078a62#diff-bee4304906ea68bebadfc11be4368419) manually just after loading jQuery:

```javascript
// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
	if ( s.crossDomain ) {
		s.contents.script = false;
	}
} );
```
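To see why that prefilter stops the auto-execution asked about at the top of the thread, here is an added model of the slice of `jQuery.ajax` it touches (this is not jQuery's code and not from anyone in the thread): when the caller gives no dataType, jQuery sniffs the response `Content-Type` against the regexes in `settings.contents`, skipping any entry that is `false`, and a sniffed `script` type is what gets evaluated. The helper names (`makeClient`, `runScenarios`), the page origin, the responses and the exact regexes are assumptions of the model.

```javascript
// Added model (not jQuery's code) of how jQuery.ajax picks a response
// dataType from Content-Type via `settings.contents` when the caller gave
// no dataType, and what the gh-2432 prefilter changes about it.

const PAGE_ORIGIN = "https://app.example"; // assumed origin of the page

function defaultSettings() {
  return {
    // mirrors jQuery.ajaxSettings.contents plus the `script` entry installed
    // by ajax/script.js (patterns assumed for this model)
    contents: {
      xml: /\bxml\b/,
      html: /\bhtml/,
      json: /\bjson\b/,
      script: /\b(?:java|ecma)script\b/
    }
  };
}

// A small stand-in for the jQuery.ajaxPrefilter / jQuery.ajax pair, with its
// own prefilter list so patched and unpatched clients can be compared.
function makeClient() {
  const prefilters = [];
  return {
    ajaxPrefilter(fn) { prefilters.push(fn); },

    // `response` is a constructed XHR stand-in: { contentType, body }.
    ajax(url, options, response) {
      const s = Object.assign(defaultSettings(), options, { url });
      // per-request copy, so a prefilter never edits the shared defaults
      s.contents = Object.assign({}, s.contents);
      s.crossDomain = new URL(url, PAGE_ORIGIN).origin !== PAGE_ORIGIN;
      // jQuery stores "*" when no dataType was given
      s.dataTypes = [s.dataType || "*"];

      for (const fn of prefilters) fn(s);

      // ajaxHandleResponses: sniff only when no explicit dataType; an entry
      // set to false is skipped, which is what contents.script = false relies on
      if (s.dataTypes[0] === "*") {
        for (const type of Object.keys(s.contents)) {
          if (s.contents[type] && s.contents[type].test(response.contentType)) {
            s.dataTypes.unshift(type);
            break;
          }
        }
      }
      const dataType = s.dataTypes[0] === "*" ? "text" : s.dataTypes[0];
      // the real "text script" converter would globalEval(response.body) here;
      // the model only reports whether that would have happened
      return { dataType, executed: dataType === "script" };
    }
  };
}

// Constructed responses from a third-party endpoint (not real traffic).
const JS_RESPONSE = { contentType: "text/javascript", body: "alert(document.cookie)" };
const JSON_RESPONSE = { contentType: "application/json", body: "{\"ok\":true}" };
const THIRD_PARTY = "https://api.third-party.example/feed";

function runScenarios() {
  const unpatched = makeClient();
  const patched = makeClient();
  // the prefilter from the commit, registered exactly as posted above
  patched.ajaxPrefilter(function (s) {
    if (s.crossDomain) {
      s.contents.script = false;
    }
  });

  return {
    sameOriginNoDataType: unpatched.ajax("/feed", {}, JS_RESPONSE).executed,
    crossDomainNoDataTypeUnpatched: unpatched.ajax(THIRD_PARTY, {}, JS_RESPONSE).executed,
    crossDomainNoDataTypePatched: patched.ajax(THIRD_PARTY, {}, JS_RESPONSE),
    crossDomainJsonPatched: patched.ajax(THIRD_PARTY, {}, JSON_RESPONSE).dataType,
    crossDomainExplicitScript: patched.ajax(THIRD_PARTY, { dataType: "script" }, JS_RESPONSE).executed
  };
}

console.log(runScenarios());
```

Run as-is, the unpatched client evaluates a `text/javascript` reply from the third-party origin even though nothing asked for a script, the patched client downgrades that same reply to plain text while still sniffing JSON normally, and an explicit `dataType: "script"` remains an opt-in that runs in both clients.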
@lucasatace, were you able to achieve compliance? I'm having the same issue at the moment.
@luisten, yes, we were. Follow the above recommendations. You may also need to let your PCI scanning company know that you have included that so that they can add an exception to your account. Should be good after that.
Good luck!
The indentation here seems wrong (it's 4 spaces)