Multiple Security Vulnerabilities reported by Lighthouse in 2.4.1 JQuery and JQuery-Ui

[gwharton]

Preconditions (*)

1. Deploy 2.4.1

Steps to reproduce (*)

1. Using Google Chrome as Browser
2. Launch Dev tools and go to Lighthouse Tab
3. Analyse the 2.4.1 homepage
4. View the "Trust and Safety" section in "Best Practices"

Expected result (*)

1. There should be no security Vulnerabilities found

Actual result (*)

1. Lighthouse reports several, including one high security vulnerability.

Search of source code and google didn't bring up much for the following in relation to Magento

CVE-2020-11022
CVE-2020-11023
CVE-2019-11358
CVE-2019-5428
CVE-2015-9251
CVE-2017-16012
CVE-2016-7103

I see @DanielRuf has produced some patches for a subset of these. Have these made it into core?????

Attached another screenshot that shows the issue is reproducible.

---

Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.

• Severity: S0 - Affects critical data or functionality and leaves users without workaround.
• Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
• Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
• Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
• Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

[m2-assistant]

Hi @gwharton. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

• Summary of the issue
• Information on your environment
• Steps to reproduce
• Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

Please, add a comment to assign the issue: @magento I am working on this

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

🕙 You can find the schedule on the Magento Community Calendar page.

📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.

🎥 You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

[DanielRuf]

I see @DanielRuf has produced some patches for a subset of these. Have these made it into core?????

Yes, afaik.
Lighthouse does only a simple version check and does not check the code of the jQuery files. So basically this is a false positive.

[DanielRuf]

These are covered by https://github.com/DanielRuf/snyk-js-jquery-565129:

CVE-2020-11022
CVE-2020-11023
CVE-2019-11358
(CVE-2019-5428 - rejected as duplicate)

These are covered by https://github.com/DanielRuf/snyk-js-jquery-174006:

CVE-2019-11358
(CVE-2019-5428 - rejected as duplicate)

https://github.com/DanielRuf/snyk-js-jquery-565129/blob/master/jquery-1.12.4.patch

As you can see at https://github.com/magento/magento2/pull/22418/files my PR only covered the Prototype Pollution vulnerability. Not sure if the others landed there too, this is probably not the case. Changing the already modified minified file is not that easy.

Afaik I did not add it there because it's mostly a breaking change as you can read here regarding the html filter: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251 is basically a breaking change as you can not set/change the dataType without further side-effects.

See also jquery/jquery#2588 (comment) and especially jquery/jquery#2432 (comment)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16012 was rejected as this is a duplicate of https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103 affects only jQuery before 1.12.0. My own patches address only the latest releases of each major jQuery version.

Magento uses jQuery 1.12.4 as you can see in your screenshot and in the code at https://github.com/magento/magento2/blob/2.4.1/lib/web/jquery/jquery.min.js#L1 and https://github.com/magento/magento2/blob/2.4.1/lib/web/jquery.js#L2

[jinnko]

I'm trying to determine whether the patches introduced in https://github.com/DanielRuf/snyk-js-jquery-565129 and https://github.com/DanielRuf/snyk-js-jquery-174006 have made it into Magento 2.3.6. How can this be confirmed?

[gwharton]

In the absence of anyone else piping up, you could do a code analysis comparing the patches to the Magento code, and post the results here. 😁

[DanielRuf]

As you can see at #22418 (files) my PR only covered the Prototype Pollution vulnerability. Not sure if the others landed there too, this is probably not the case.

Afaik I did not add it there because it's mostly a breaking change as you can read here regarding the html filter: blog.jquery.com/2020/04/10/jquery-3-5-0-released

@jinnko

[gwharton]

Someone should target a breaking requirejs/knockout/jQuery update for 2.5-develop and get it over and done with.

[DanielRuf]

Someone should target a breaking requirejs/knockout/jQuery update for 2.5-develop and get it over and done with.

Afaik there are PRs and plans to migrate to jQuery 3 and remove jQuery migrate. So they are already working on this and this is planned for the near future. Makes not much sense to introduce breaking changes now with the patches. As mentioned most of these patches will produce more problems than they solve and the risk is relatively low for the unpatched issues (at least so far).

[ankurAuriga]

@DanielRuf - After applying patch 1.12.4 from https://github.com/DanielRuf/snyk-js-jquery-565129 in Magento 2.2.11, mini cart is stopped working. It does not show any content.

[DanielRuf]

@Anahitmartirosyan please do not simply apply the patch. The supplied jQuery version is already patched.

Also please see the previous comments about the exact parts, which are applied. Not all parts of the patches are applied in Magento.

Check your browser console for any errors.

Please carefully read #31146 (comment).

As you can see at #22418 (files) my PR only covered the Prototype Pollution vulnerability. Not sure if the others landed there too, this is probably not the case. Changing the already modified minified file is not that easy.

Afaik I did not add it there because it's mostly a breaking change as you can read here regarding the html filter: blog.jquery.com/2020/04/10/jquery-3-5-0-released

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 14 days if no further activity occurs. Is this issue still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? Thank you for your contributions!