
Critical finding in source code scan #2695


nhontran created

If you're creating a bug/problem report, please include the following:

  • ABP Framework version: v3.3.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:

Our source code scan has got the following critical finding:

Description: The application is found to be using outdated JavaScript libraries with known vulnerabilities over the web. Below is a list of libraries with known vulnerabilities over the web:

  • jquery-form 4.3.0 - Cross-Site Scripting - https://security.snyk.io/vuln/SNYK-JS-JQUERYFORM-574783 - CVSS Score: 9.8
  • jquery-validate 1.19.2 - Regular Expression Denial of Service vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2021-21252 - CVSS Score: 7.5
  • datatables 1.10.22 - Prototype Pollution - https://nvd.nist.gov/vuln/detail/CVE-2020-28458 - CVSS Score: 7.3
  • lodash 4.17.20 - Regular Expression Denial of Service (ReDoS) - https://nvd.nist.gov/vuln/detail/CVE-2020-28500 - CVSS Score: 5.3

Impact: Successful exploitation of the vulnerabilities could result in the web application crashing or modification of the data stored by the application.

Recommendation:

  • jQuery-form: The latest version of the library still contains the security bug.
    Qn - Is this affected library still required? If so, can you confirm that the vulnerable functionality is not being used by the application? How can we fix this?

  • jQuery-validate: Update to the latest version v1.19.3.
    Qn - Any impact if we proceed to update?

  • Datatables: Update to the latest version v1.11.5.
    Qn - Any impact if we proceed to update?

  • Lodash: Update to the latest version v4.17.21.
    Qn - Any impact if we proceed to update?


24 Answer(s)
  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    We have upgraded all NPM packages to the latest. See: https://github.com/abpframework/abp/issues/11329

    You can upgrade to 5.2.0, we will release a preview version today.

    If you don't want to upgrade the ABP version, you can replace js files to the latest via the bundle system. see: https://docs.abp.io/en/abp/latest/UI/AspNetCore/Bundling-Minification

  • nhontran created

    Hi,

    1. Are there any impacts to our current version, v3.3.2 if we replace the js files to the latest via the bundle system? If so, what are they?
    2. With regards to jQuery-form, can you confirm that the vulnerable functionality is not being used by the application?
  • liangshiwei created
    Support Team Fullstack Developer

    Are there any impacts to our current version, v3.3.2 if we replace the js files to the latest via the bundle system? If so, what are they?

    I think there is no problem, you can try it.

    With regards to jQuery-form, can you confirm that the vulnerable functionality is not being used by the application?

    We prevent cross-site scripting in all places possible. You can refer to this: https://github.com/abpframework/abp/pull/7753 It's a new feature in version 4.3; you can manually add it to your project.

  • nhontran created

    Hi,

    This critical finding was flagged after we had done what was advised in "https://github.com/abpframework/abp/pull/7753". As such, with regards to jQuery-form, can you confirm that the vulnerable functionality is not being used by the application?

  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    We use the standard usage. By the way, I see that you are using the Angular UI; the jquery.form library will not be used, so I can confirm that.

    However, if you care about it, you can replace the jquery-form library.

    The fixed version is available here: https://github.com/jquery-form/form/pull/586/files

  • nhontran created

    Hi, what is this version? Has this version been officially opened for general consumption?

    Thanks.

  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Has this version been officially opened for general consumption

    No, it's just a PR, not merged yet.

  • nhontran created

    Can ABP provide us a copy of jquery-form library with the fix?

  • liangshiwei created
    Support Team Fullstack Developer

    See https://github.com/jquery-form/form/blob/af5459eb9447931148f57edc1e01389647225f30/src/jquery.form.js

  • nhontran created

    Can you send us the above js file in jquery.form.min.js ?

  • liangshiwei created
    Support Team Fullstack Developer

    https://raw.githubusercontent.com/jquery-form/form/af5459eb9447931148f57edc1e01389647225f30/src/jquery.form.js

  • nhontran created

    Hi, our source code scanning vendor has given feedback that it is not possible to just replace the js file, as it could be breaking out of the package management. And more importantly, this fix has not been officially accepted.

    Could we have a Zoom call on this so that we may explain our situation clearly and see how ABP can help to address it?

  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    See https://github.com/abpframework/abp/issues/11936, we will fix it in our npm package.

  • nhontran created

    Hi,

    1. This npm package has to be installed in our current version of ABP Framework, version 3.3.2. Can it be done?
    2. This fix has to be updated in https://security.snyk.io/vuln/SNYK-JS-JQUERYFORM-574783. Will it be done?
    3. When will this npm package be ready?
  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    For your case, there are two options:

    1. Upgrade to version 5.1.5 (will release soon)
    2. Use script bundle to replace the jquery-form.min.js file with https://raw.githubusercontent.com/jquery-form/form/af5459eb9447931148f57edc1e01389647225f30/src/jquery.form.js.
  • nhontran created

    Hi,

    1. As shared earlier, we have no immediate plan to upgrade yet.
    2. If we use the script bundle to replace the jquery-form.min.js file, the fix has to be updated and reflected in https://security.snyk.io/vuln/SNYK-JS-JQUERYFORM-574783 to officiate it. Will it?
  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    the fix has to be updated and reflected in https://security.snyk.io/vuln/SNYK-JS-JQUERYFORM-574783 to officiate it. Will it?

    Sorry, I don't know how it works.

    If it's scanning the jquery-form npm package to compare versions, then I think it will not pass. I will check it and get back to you.

  • nhontran created

    Hi, in addition, the version number with the fix has to be reflected in the lib yarn file as well. How can this be done?

  • liangshiwei created
    Support Team Fullstack Developer

    the version number with the fix has to be reflected in the lib yarn file as well

    I don't think it will be fixed in the yarn file, because it just replaces the file at runtime; how would that affect yarn files?

    If you care about it, we have another option:

    Open package.json files and remove "@volo/abp.aspnetcore.mvc.ui.theme.lepton": "^3.3.2"

    Then add these lines:

    "@abp/flag-icon-css": "~3.3.2",
    "@abp/aspnetcore.mvc.ui": "~3.3.2",
    "@abp/bootstrap": "~3.3.2",
    "@abp/bootstrap-datepicker": "~3.3.2",
    "@abp/datatables.net-bs4": "~3.3.2",
    "@abp/font-awesome": "~3.3.2",
    "@abp/jquery-validation-unobtrusive": "~3.3.2",
    "@abp/lodash": "~3.3.2",
    "@abp/luxon": "~3.3.2",
    "@abp/jquery": "~3.3.2",
    "@abp/malihu-custom-scrollbar-plugin": "~3.3.2",
    "@abp/select2": "~3.3.2",
    "@abp/sweetalert": "~3.3.2",
    "@abp/timeago": "~3.3.2",
    "@abp/toastr": "~3.3.2"
    

    Now, there is no jquery-form library dependency anymore.

    Then remove the yarn.lock file and run the yarn and gulp commands.

    Put the https://raw.githubusercontent.com/jquery-form/form/af5459eb9447931148f57edc1e01389647225f30/src/jquery.form.js file under wwwroot/myLibs

    using Volo.Abp.AspNetCore.Mvc.UI.Bundling;
    using Volo.Abp.AspNetCore.Mvc.UI.Packages.JQuery;
    using Volo.Abp.AspNetCore.Mvc.UI.Packages.JQueryForm;
    using Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared.Bundling;
    using Volo.Abp.Modularity;

    // Serves the locally hosted, patched jquery.form.js instead of the npm package's file.
    // DependsOn keeps it ordered after jquery.js in the bundle.
    [DependsOn(typeof(JQueryScriptContributor))]
    public class MyJQueryFormScriptContributor : BundleContributor
    {
        public override void ConfigureBundle(BundleConfigurationContext context)
        {
            context.Files.AddIfNotContains("/myLibs/jquery.form.js");
        }
    }

    // In the web module's ConfigureServices: swap ABP's default jquery-form contributor
    // for the one above in the global script bundle.
    Configure<AbpBundlingOptions>(options =>
    {
        options.ScriptBundles.Configure(StandardBundles.Scripts.Global, bundle =>
        {
            bundle.Contributors.Replace<JQueryFormScriptContributor, MyJQueryFormScriptContributor>();
        });
    });
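The check a practitioner would want around the two procedures in this thread (replacing the file through the bundle system, and dropping the lepton meta-package in favour of individual @abp/* packages), as an added example that is not part of the thread and not ABP's own code: a small Node script that reads a yarn v1 lock file the way a version-based scanner does, walks from package.json to find which root dependency pulls in each flagged library, and compares the resolved version against the fixed versions the scan lists. Both the package.json contents and the lock file below are constructed for illustration; the chain @volo/abp.aspnetcore.mvc.ui.theme.lepton > @abp/jquery-form > jquery-form, the version ranges, and the npm package names jquery-validation and datatables.net are assumptions. Running it before and after the package.json change shows why swapping the file at runtime does not change what a lock-file scanner sees, why removing the lepton package takes jquery-form out of the lock, and that lodash still needs its resolved version bumped.

```javascript
// Added example, not from the thread and not ABP's code: audit a yarn v1 lock file
// for the libraries named in the scan and show the chain that pulls each one in.
// Every input is constructed; the lepton -> @abp/jquery-form -> jquery-form chain,
// the version ranges and the npm names jquery-validation / datatables.net are assumed.

// Advisories from the scan; fixedIn === null means no fixed release exists, so any version is reported.
const advisories = [
  { name: "jquery-form", id: "SNYK-JS-JQUERYFORM-574783", fixedIn: null },
  { name: "jquery-validation", id: "CVE-2021-21252", fixedIn: "1.19.3" },
  { name: "datatables.net", id: "CVE-2020-28458", fixedIn: "1.11.5" },
  { name: "lodash", id: "CVE-2020-28500", fixedIn: "4.17.21" },
];

// Constructed package.json before (lepton only) and after (one @abp/* package shown, no @abp/jquery-form).
const packageJsonBefore = { dependencies: { "@volo/abp.aspnetcore.mvc.ui.theme.lepton": "^3.3.2" } };
const packageJsonAfter = { dependencies: { "@abp/lodash": "~3.3.2" } };

// Constructed yarn v1 lock file; the same file serves both package.json variants.
const yarnLock = `
"@volo/abp.aspnetcore.mvc.ui.theme.lepton@^3.3.2":
  version "3.3.2"
  dependencies:
    "@abp/jquery-form" "~3.3.2"
    "@abp/lodash" "~3.3.2"
"@abp/jquery-form@~3.3.2":
  version "3.3.2"
  dependencies:
    jquery-form "^4.3.0"
"@abp/lodash@~3.3.2":
  version "3.3.2"
  dependencies:
    lodash "^4.17.15"
jquery-form@^4.3.0:
  version "4.3.0"
  dependencies:
    jquery ">=1.7.2"
"jquery@>=1.7.2":
  version "3.5.1"
lodash@^4.17.15:
  version "4.17.20"
`;

const unquote = (s) => s.replace(/^"|"$/g, "");
const nameOf = (spec) => spec.slice(0, spec.lastIndexOf("@")); // correct for @scoped/names too

// Parse yarn v1 lock text into a Map from "name@range" to its resolved entry.
function parseYarnLock(text) {
  const entries = new Map();
  let current = null, inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(":")) {
      // Header: one or more comma-separated "name@range" specs sharing one resolution.
      const specs = line.slice(0, -1).split(",").map((s) => unquote(s.trim()));
      current = { name: nameOf(specs[0]), version: null, dependencies: {} };
      for (const spec of specs) entries.set(spec, current);
      inDeps = false;
    } else if (indent === 2 && line.startsWith("version ")) {
      current.version = unquote(line.slice("version ".length));
    } else if (indent === 2) {
      inDeps = line === "dependencies:"; // resolved, integrity, ... end the deps block
    } else if (indent === 4 && inDeps) {
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Numeric dotted-version comparison; enough for the versions in the scan.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Walk from the package.json roots through the lock file; report each resolved package an advisory covers.
function findVulnerable(pkgJson, lockText, advs) {
  const lock = parseYarnLock(lockText), findings = [], seen = new Set();
  function walk(name, range, path) {
    const entry = lock.get(`${name}@${range}`);
    if (!entry) throw new Error(`lock file has no entry for ${name}@${range}`);
    const chain = [...path, `${name}@${entry.version}`];
    for (const adv of advs) {
      if (adv.name === name && (adv.fixedIn === null || compareVersions(entry.version, adv.fixedIn) < 0)) {
        findings.push({ name, version: entry.version, advisory: adv.id, chain: chain.join(" > ") });
      }
    }
    if (seen.has(entry)) return; // subtree already scanned through another chain
    seen.add(entry);
    for (const [dep, depRange] of Object.entries(entry.dependencies)) walk(dep, depRange, chain);
  }
  for (const [name, range] of Object.entries(pkgJson.dependencies || {})) walk(name, range, []);
  return findings;
}

for (const [label, pkg] of [["before", packageJsonBefore], ["after", packageJsonAfter]]) {
  for (const f of findVulnerable(pkg, yarnLock, advisories)) console.log(`${label}: ${f.advisory} via ${f.chain}`);
}
```

To run it against a real project, replace the two constants with the output of `fs.readFileSync("yarn.lock", "utf8")` and `JSON.parse(fs.readFileSync("package.json", "utf8"))`. Findings are keyed on the resolved version in the lock, never on files under wwwroot, which is exactly why a runtime replacement through the bundle system leaves the scanner result unchanged; the "after" run still lists lodash 4.17.20 because the constructed range ^4.17.15 was resolved before 4.17.21 existed, so the lock has to be regenerated (or `yarn upgrade lodash` run) for that finding to clear.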
    
  • nhontran created

    Hi, The yarn file is what the source code scanning tool will scan, hence the version in the yarn file has to be updated as well.

    We have another instance of ABP Framework running that is not using Angular, thus we care about it.

  • nhontran created

    Hi, are the following libraries used by the Identity Server only?

    • jQuery-form
    • jQuery-validate
    • Datatables
    • Lodash

  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Yes

  • nhontran created

    Hi, What are all the functions in the Identity Server that make use of jQuery-form?

  • liangshiwei created
    Support Team Fullstack Developer

    JQuery Form for AJAX forms.

    See: https://docs.abp.io/en/abp/latest/UI/AspNetCore/Theming#the-base-libraries

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery-form/jquery-form-extensions.js#L6

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11