#47020 closed defect (bug) (fixed)
jQuery Update 3.4.0 vulnerability
| Reported by: |  | Owned by: |  | 
|---|---|---|---|
| Milestone: | 5.2.1 | Priority: | normal | 
| Severity: | normal | Version: | 5.1.1 | 
| Component: | External Libraries | Keywords: | fixed-major | 
| Focuses: | javascript | Cc: | |
| PR Number: | 
Description
jQuery's latest release contains a fix for jQuery.extend which allows for unintended behavior which could lead to cross site scripting attacks. 
From jQuery's 3.4.0 release notes:
jQuery 3.4.0 includes a fix for some unintended behavior when using
jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable__proto__property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.
This vulnerability affects all previous version of jQuery. As they mention in the release notes, "patch diffs exist to match previous jQuery versions."
For reference, Drupal released a core patch for 7 and 8 which replaced jQuery.extend() completely with minor changes compatible with all old versions of jQuery. See Drupal's core patch.
Attachments (1)
Change History (31)
    
      
         
        
This ticket was mentioned in Slack in #core-js by mikengarrett. View the logs.
      
      
6 months ago
    
    
  
              
    
      
    #3
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
  - Component changed from General to External Libraries
- Focuses javascript added
- Keywords needs-patch added
    
      
    #4
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
  - Milestone changed from Awaiting Review to 5.2.1
Core still uses 1.12.4 for backward compatibility, looks like we'll need to apply the patch manually.
    
      
    #5
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
    
I think we have two options here:
- Bring jQuery back into our SVN repo and patch.
- Publish a forked version (1.12.4.1 maybe) to NPM.
    
      
         
        
This ticket was mentioned in Slack in #core by elrae. View the logs.
      
      
6 months ago
    
    
  
              
    
      
    #7
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
    
Seems the best would be to patch jQuery 1.12.4 and bring it back to our SVN.
Patch coming up.
    
      
    #8
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
    
In 47020.diff:
- Patch jquery.js and add it to src/js/_enqueues/vendor/jquery/.
- Change Gruntfile.js to use the local copy.
- Remove jQuery from dependenciesin package.json.
Note: the patch doesn't include changes to package-lock.json as it gets changed a lot when I update it locally.
    
      
    #9
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
  - Owner set to azaozz
- Resolution set to fixed
- Status changed from new to closed
In 45342:
    
      
    #10
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
  - Keywords fixed-major added; needs-patch removed
- Resolution fixed deleted
- Status changed from closed to reopened
Reopen for 5.2.
    
      
    #11
  
          follow-up:
    ↓ 12
    
        
          
             @
 @
            
6 months ago
        
    
  
  
    
@netweb A quick look at the build changes would be great before merging to 5.2 :)
    
      
    #12
  
        in reply to:
    ↑ 11
        ;
          follow-up:
    ↓ 16
    
        
          
             @
 @
            
6 months ago
        
    
  
  
    
Replying to azaozz:
@netweb A quick look at the build changes would be great before merging to 5.2 :)
~[45342] looks good to me except for the change to the ~package-lock.json file.
~https://core.trac.wordpress.org/changeset/45342/trunk/package-lock.json~
~jQuery should no longer be in the lock file~
The build changes also look good:
Edit: Per replies below, the lock file is correct as is
    
      
    #13
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
    
Looked at this a bit. I believe that jquery is still in the lock file because it is a dependency for other packages. However, the latest version is now being included. It's unclear to me if this is actually a problem.
The version downloaded by NPM will not be used in the build process anymore, but I'm not sure if that version is used by any other packages directly.
    
      
         
        
This ticket was mentioned in Slack in #core-js by desrosj. View the logs.
      
      
6 months ago
    
    
  
              
    
      
    #15
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
    
After some discussion, it seems that the issue in the lock file is trivial.
The correct version of jQuery is being included when building (confirmed in the build change set), and jQuery only appears to be in the lock file because it is a specified dependency.
Since everything is checking out except the lock file, this does not seem like a blocker for 5.2.1-RC!, and can be sorted out after.
    
      
    #16
  
        in reply to:
    ↑ 12
    
        
          
             @
 @
            
6 months ago
        
    
  
  
    
Replying to desrosj:
Looked at this a bit. I believe that
jqueryis still in the lock file because it is a dependency for other packages.
This is correct
However, the latest version is now being included. It's unclear to me if this is actually a problem.
I don't believe it will be an issue
    
      
    #18
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
    
https://build.trac.wordpress.org/changeset/45165 looks good for 5.2 branch.
    
      
    #19
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
    
Thanks @netweb and @desrosj.
Looked at this a bit. I believe that jquery is still in the lock file because it is a dependency for other packages.
Right. Was just wondering if it should be the latest version (as per the package-lock.json update after running npm install) or it should be the same version we have in core. Looking at WP 5.0 (that still had jquery.js in wp-includes/js/jquery/), the version in package-lock there is the latest at the time too: 3.3.1, and that didn't cause problems.
    
      
    #20
  
    
        
          
             @
 @
            
6 months ago
        
    
  
  
    
Yes, the jQuery dependencies are child dependencies and I don't believe they'll cause any issues being the latest:
WordPress@5.3.0 /Users/netweb/Code/WordPress/develop-git-github-ntwb ... ... ├── jquery-color@2.1.1 (github:jquery/jquery-color#95402e5b2f1184ab2de7014aeef0a90f2bee0a40) ├─┬ jquery-form@4.2.1 │ └── jquery@3.4.1 ├─┬ jquery-hoverintent@1.8.3 │ └── jquery@3.4.1 deduped ├── jquery-migrate@1.4.1 ├── jquery-ui@1.11.4 (github:jquery/jquery-ui#d6713024e16de90ea71dc0544ba34e1df01b4d8a) ...
    
      
    #22
  
    
        
          
             @
 @
            
5 months ago
        
    
  
  
    
There seems to be another vulnerability as reported here:
https://snyk.io/vuln/npm:jquery
The third in the list. 
The patch was for some reason removed from jQuery 1.12.3 although present in 1.12.2 (and hence not present in 1.12.4). 
The modification is to add 
// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
	if ( s.crossDomain ) {
		s.contents.script = false;
	}
} );
Line 10368 here: https://code.jquery.com/jquery-1.12.2.js
as per the last comment here: 
https://github.com/jquery/jquery/issues/2432#issuecomment-403761229
Apologies in advance if irrelevant. 

 
                       
               
 
			 
                
related #37110