
Invalid links exist in jquery #4981

Closed
cjchnwscqwsbsy opened this issue Dec 2, 2021 · 15 comments · Fixed by #4991

Comments

@cjchnwscqwsbsy

jquery/dist/jquery.js:
// https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
'http://blindsignals.com/index.php/2009/07/jquery-delay/' is a malicious web site.

@wenz
Contributor

wenz commented Dec 2, 2021

The blindsignals site indeed seems to be malicious now, but the link goes to the Web Archive copy (which is not malicious). Still probably worth removing (or replacing) the link.

@wenz
Contributor

wenz commented Dec 2, 2021

Related issue: #4980

@mgol
Member

mgol commented Dec 2, 2021

This happens pretty often with old sites - they expire & are bought by folks trying to leverage the domain being saved for many users.

That said, we are referring to a Web Archive snapshot which is fine. There's no other way to still refer to the old content. Should we just delete the link? I'm not sure if it's always a good strategy.

For example, this old jQuery blog post refers to an expired jquery14.com domain: https://blog.jquery.com/2010/01/08/14-days-of-jquery-and-the-new-api-browser/. I think we should replace the links with Web Archive ones for posterity but why remove them completely, losing history? Would Wikipedia remove a Web Archive link because the current version of the site is malicious? I'm not sure.

@timmywil @gibson042 @dmethvin what do you think?

@mgol mgol added the Discuss in Meeting Reserved for Issues and PRs that anyone would like to discuss in the weekly meeting. label Dec 2, 2021
@timmywil timmywil removed the Discuss in Meeting Reserved for Issues and PRs that anyone would like to discuss in the weekly meeting. label Dec 6, 2021
@timmywil
Member

timmywil commented Dec 6, 2021

We'll remove these links from source, but leave the blog posts for now.

@mgol mgol added the Docs label Dec 6, 2021
@mgol mgol added this to the 3.6.1 milestone Dec 6, 2021
ncklengyel added a commit to ncklengyel/jquery that referenced this issue Dec 16, 2021
@adiGershon

We are using AngularJS, which uses jqLite. Does this vulnerability also exist in jqLite?

@jquery jquery deleted a comment from Mansalol Jan 3, 2022
@mgol
Member

mgol commented Jan 3, 2022

@adiGershon There's no vulnerability here, neither in jQuery, nor in jqLite. The issue is just a link in a code comment and comments are ignored when code is run.
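
What the scanner mentioned later in this thread is reacting to is a URL that lives only inside a comment. The following triage script is an added example (mine, not jQuery's code): it extracts URLs from JavaScript comments, unwraps Web Archive snapshot links to their original target, and labels any link whose target host is on a locally maintained flagged-host list, so a reviewer can tell an archived snapshot from a direct link. The sample source and the flagged-host set are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample source modelled on the jQuery comment discussed in this issue.
SAMPLE_JS = """\
// https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
var x = 1; // see https://example.org/docs
/* https://blindsignals.com/direct/ */
var url = "https://blindsignals.com/not-a-comment";
"""

# String literals are matched first so a "//" inside a string is not taken as a comment;
# only group 1 (a real line or block comment) is reported.
COMMENT_RE = re.compile(
    r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|(//[^\n]*|/\*.*?\*/)', re.S
)
URL_RE = re.compile(r"https?://[^\s*\"')]+")
# Web Archive snapshot form: https://web.archive.org/web/<timestamp>[flags]/<original url>
ARCHIVE_RE = re.compile(r"^https?://web\.archive\.org/web/\d+[a-z_]*/(https?://.+)$")


def unwrap_archive(url):
    """Return (is_archived, effective_url); archive snapshots are unwrapped to the original target."""
    m = ARCHIVE_RE.match(url)
    return (True, m.group(1)) if m else (False, url)


def comment_links(src):
    """Yield URLs that appear only inside JS comments, i.e. text that is never executed."""
    for m in COMMENT_RE.finditer(src):
        if m.group(1):
            yield from URL_RE.findall(m.group(1))


def triage(src, flagged_hosts):
    """Classify each comment URL so a scanner finding can be reviewed with context."""
    results = []
    for url in comment_links(src):
        archived, target = unwrap_archive(url)
        host = urlparse(target).hostname or ""
        if host in flagged_hosts:
            verdict = "archived-snapshot-of-flagged-host" if archived else "direct-link-to-flagged-host"
        else:
            verdict = "ok"
        results.append((url, host, verdict))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_JS, {"blindsignals.com"}):
        print(row)
```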

mgol added a commit to mgol/jquery that referenced this issue Jan 3, 2022
Both of the removed links are not crucial; one of them refers to a site that
has since started being malicious; while the Web Archive links remain safe,
some scanners warn about such links. Removing them is the safest thing to do.

Fixes jquerygh-4981
@mgol
Member

mgol commented Jan 3, 2022

PR: #4991

mgol added a commit to mgol/jquery that referenced this issue Jan 3, 2022
Neither of the removed links is crucial; one of them refers to a site that has
since started being malicious; while the Web Archive links remain safe, some
scanners warn about such links. Removing them is the safest thing to do.

Fixes jquerygh-4981
mgol added a commit to mgol/jquery that referenced this issue Jan 4, 2022
Neither of the removed links is crucial; one of them refers to a site that has
since started being malicious; while the Web Archive links remain safe, some
scanners warn about such links. Removing them is the safest thing to do.

Fixes jquerygh-4981
@mgol mgol closed this as completed in #4991 Jan 4, 2022
mgol added a commit that referenced this issue Jan 4, 2022
Neither of the removed links is crucial; one of them refers to a site that has
since started being malicious; while the Web Archive links remain safe, some
scanners warn about such links. Removing them is the safest thing to do.

Fixes gh-4981
Closes gh-4991
mgol added a commit that referenced this issue Jan 4, 2022
Neither of the removed links is crucial; one of them refers to a site that has
since started being malicious; while the Web Archive links remain safe, some
scanners warn about such links. Removing them is the safest thing to do.

Fixes gh-4981
Closes gh-4991

(cherry picked from commit e24f2dc)
timmywil added a commit to timmywil/jquery that referenced this issue Jan 6, 2022
timmywil added a commit to timmywil/jquery that referenced this issue Jan 7, 2022
@adiGershon

Do you know when a new version of jQuery without this issue is supposed to be released?

@wenz
Contributor

wenz commented Jan 11, 2022

Those links do not show up in the production version of jQuery anyway?!

@mgol
Member

mgol commented Jan 11, 2022

We can't provide any dates. We still have a few things to fix for the next release.

@scottkuhl

FYI: My company is requiring this to be closed by April 6th. Fortify found this issue back on December 6th. I suspect this is going to affect a lot of large companies. If the release is not ready soon, we would appreciate at least some sort of patch release to address it.

@rfg76

rfg76 commented Mar 10, 2022

> FYI: My company is requiring this to be closed by April 6th. Fortify found this issue back on December 6th.

This is getting really ridiculous; non-technical people are asking to replace jQuery just because some old URL in commented-out code raised some alert. This is not even a real security problem.

@scottkuhl

scottkuhl commented Mar 11, 2022

> > FYI: My company is requiring this to be closed by April 6th. Fortify found this issue back on December 6th.
>
> This is getting really ridiculous; non-technical people are asking to replace jQuery just because some old URL in commented-out code raised some alert. This is not even a real security problem.

Yup. The joys of running Fortify in a big company. And while I can use this actual issue to open a discussion with our security team to apply common sense, I can't say every company will. The 120-day moderate security issue is, I believe, a default Fortify policy.
