Old version of jQuery is present in the JRuby builds #5872

Closed
joshbressers opened this issue Sep 11, 2019 · 3 comments

joshbressers commented Sep 11, 2019

I was asked by the security team to open a public issue for this; it's not an urgent security issue.

This CVE ID, https://nvd.nist.gov/vuln/detail/CVE-2015-9251, describes the following jQuery vulnerability:

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

If you unpack the JRuby jar, jquery.js can be found here:
META-INF/jruby.home/lib/ruby/stdlib/rdoc/generator/template/darkfish/js/jquery.js

In that file we see "jQuery v1.6.4".

CRuby recently fixed this by not shipping the jquery.js file anymore.
ruby/ruby@e82719c
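The check described in the report (unpack the jar, find jquery.js at the rdoc darkfish path, read the version banner) can be scripted. The following is an added example written for this page; it is not JRuby's code nor anything posted in the issue. It assumes `unzip` is on PATH for the optional jar scan, takes the entry path from the report above, treats 3.0.0 as the first version not covered by the CVE text, and uses two constructed jquery.js banners (not copied from any real jar) for the offline self-check.

```ruby
# Added example (not JRuby's or the issue author's code): locate a vendored
# jquery.js inside a jar/zip and decide whether it predates the 3.0.0 fix
# for CVE-2015-9251. Standard library only, plus the `unzip` CLI (assumed
# present on PATH) for the optional jar scan.
require "rubygems" # Gem::Version

# Entry path reported in the issue for the JRuby jar.
JQUERY_ENTRY = "META-INF/jruby.home/lib/ruby/stdlib/rdoc/generator/template/darkfish/js/jquery.js"

# Per the CVE description, jQuery before 3.0.0 is affected.
FIXED_VERSION = Gem::Version.new("3.0.0")

# Pull "1.6.4" out of the banner jQuery places at the top of jquery.js, which
# reads "/*! jQuery v1.6.4 ..." (minified) or " * jQuery JavaScript Library
# v1.6.4" (unminified). Returns nil when no banner is present.
def jquery_version(source)
  m = source.match(/jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)/)
  m && m[1]
end

# True when the parsed version is older than 3.0.0; nil (no banner) is
# reported as not affected so the caller can distinguish "unknown".
def affected_by_cve_2015_9251?(version)
  return false if version.nil?
  Gem::Version.new(version) < FIXED_VERSION
end

# Inspect a jar/zip without unpacking it to disk. Returns
# { entry:, version:, affected: } or nil if the entry is missing.
# Shells out to `unzip -p <jar> <entry>` (assumption: unzip is installed).
def scan_jar(jar_path, entry = JQUERY_ENTRY)
  source = IO.popen(["unzip", "-p", jar_path, entry], err: File::NULL, &:read)
  return nil unless $?.success? && !source.empty?
  version = jquery_version(source)
  { entry: entry, version: version, affected: affected_by_cve_2015_9251?(version) }
end

# Constructed sample banners for the offline self-check (not real jar contents).
SAMPLE_OLD = "/*! jQuery v1.6.4 http://jquery.com/ | jquery.org/license */\n(function(a,b){})"
SAMPLE_NEW = "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */"

if __FILE__ == $0
  if ARGV.empty?
    [SAMPLE_OLD, SAMPLE_NEW].each do |src|
      v = jquery_version(src)
      puts "jQuery #{v}: #{affected_by_cve_2015_9251?(v) ? 'AFFECTED' : 'ok'}"
    end
  else
    result = scan_jar(ARGV[0])
    puts(result ? result.inspect : "#{JQUERY_ENTRY} not found in #{ARGV[0]}")
  end
end
```

Run it with no arguments to exercise the two constructed banners, or pass a path to a jruby-complete jar to check the real vendored file. The version comparison goes through Gem::Version rather than string comparison so that, for example, "1.10.2" sorts after "1.6.4" correctly.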

headius (Member) commented Sep 11, 2019

As pointed out, CRuby fixed this by removing the offending files.

This only affects generated rdoc. Because we do not generate rdoc by default for gem installs, I think it would be fine for us to just mimic the CRuby change for JRuby 9.2.9.

headius added this to the JRuby 9.2.9.0 milestone Sep 11, 2019
headius closed this in ab0d110 Sep 11, 2019
headius (Member) commented Sep 11, 2019

CRuby removed the files directly, but we vendor the gem. I have updated it to the first safe version, rdoc 6.1.2.
