XSS vulnerable bootstrap version needs to be upgraded to 4.0.0 #4754

Closed
harche opened this Issue Oct 18, 2018 · 13 comments

harche commented Oct 18, 2018

Proposal

Use case. Why is this important?

Bootstrap version included is vulnerable for XSS attack, https://snyk.io/test/npm/bootstrap/3.3.1

It needs to be upgraded to 4.0.0

Bug Report

What did you do?
Everything works fine, but the Bootstrap JS lib included has an XSS vulnerability, so it needs to be upgraded.

What did you expect to see?
N/A

What did you see instead? Under which circumstances?
N/A

Environment
N/A

N/A
  • Alertmanager configuration file:
N/A
  • Logs:
N/A
x86party commented Oct 22, 2018

Possibly a duplicate of #3494.
Could argue that it should still be updated in case some future merge doesn't use Go templating correctly and introduces an XSS issue by virtue of the outdated dependency.

ksherryBAE commented Oct 23, 2018

Does this issue still require fixing?

harche (Author) commented Oct 23, 2018

@ksherryBAE yes, very much. It's the known vulnerability that's getting shipped with Prometheus.

ksherryBAE commented Oct 23, 2018

Ok, I will have a look at it.

harche (Author) commented Oct 23, 2018

@ksherryBAE thanks.

ksherryBAE commented Oct 23, 2018

Current plan is to bring in Bootstrap v4.0.0 and then go through all the templates and ensure that all the tags and functionality are up to date.

harche (Author) commented Oct 24, 2018

@ksherryBAE thanks, that sounds awesome. Also, would it be possible to backport the fix to release 2.3.1?

simonpasquier (Member) commented Oct 25, 2018

@harche FYI we may only backport patches to the current stable release.

harche (Author) commented Oct 25, 2018

@simonpasquier No problem. Thanks.

ksherryBAE commented Oct 26, 2018

Just to quickly check: glyphicons are no longer supported in Bootstrap 4.0.0; however, there is a workaround utilising https://github.com/Darkseal/bootstrap4-glyphicons
Would it be suitable to use this? Or would something else be more appropriate?

achiuBAE (Contributor) commented Nov 1, 2018

Hi, I've also been contributing to this with ksherryBAE; I'll be making the pull request soon.

dbambro commented Nov 27, 2018

The following are Bootstrap 3.3.1 XSS vulnerabilities:
CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
CVE-2018-14041: In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
The Bootstrap version needs to be upgraded to 4.1.2 or newer.
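Two points in this thread are worth seeing side by side: x86party's remark that Go templating is what currently keeps the outdated Bootstrap from being exploitable, and dbambro's list of the data-container / data-target / data-parent sinks. The example below is added here and is not code from the Prometheus project or from anyone in the thread. It renders one constructed console snippet with text/template (no escaping) and with html/template (contextual escaping), using a constructed attacker-controlled label value; the template string, the `view` type and the helper names are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Constructed attacker-controlled value (not taken from the issue): think of a
// label value scraped from a target the operator does not fully trust.
const hostile = `<img src=x onerror=alert(1)>`

// One constructed console snippet compiled two ways. data-target is the kind
// of attribute the Bootstrap scrollspy CVE reads back, so it is the spot to watch.
const snippet = `<a data-target="{{.Target}}" href="#">{{.Label}}</a>`

// view is the (assumed) data handed to the template.
type view struct {
	Target string
	Label  string
}

// renderText renders with text/template: no escaping at all, which is the
// "doesn't use Go templating correctly" case from the discussion above.
func renderText(v view) (string, error) {
	t, err := texttemplate.New("console").Parse(snippet)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTML renders with html/template, which chooses an escaper per context
// (quoted attribute value vs. element text) when the template is parsed.
func renderHTML(v view) (string, error) {
	t, err := htmltemplate.New("console").Parse(snippet)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// leaksRawTag is the check a reviewer would run on rendered output: a literal
// "<img" anywhere means the payload reached the browser as markup.
func leaksRawTag(rendered string) bool {
	return strings.Contains(rendered, "<img")
}

func main() {
	v := view{Target: hostile, Label: hostile}
	for _, r := range []struct {
		name   string
		render func(view) (string, error)
	}{
		{"text/template", renderText},
		{"html/template", renderHTML},
	} {
		out, err := r.render(v)
		if err != nil {
			fmt.Println(r.name, "error:", err)
			continue
		}
		fmt.Printf("%-13s leaks=%-5v %s\n", r.name, leaksRawTag(out), out)
	}
}
```

With html/template both occurrences come out as `&lt;img src=x onerror=alert(1)&gt;`, so the payload cannot break out of the attribute or inject an element; with text/template it lands verbatim. The caveat relevant to this issue is that correct escaping only protects the HTML parse: once the page is loaded, the browser hands the decoded attribute value (the original `<img ...>` string) to whatever script reads `data-target`, which is exactly the path the three CVEs describe in Bootstrap before 4.1.2. Template escaping therefore keeps the markup intact but does not neutralise those sinks on its own; the values placed in those attributes must come from trusted data, and the library still needs the upgrade.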

simonpasquier (Member) commented Feb 20, 2019

Closed by #5226
