-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Phpunit 10 and dev tools script #119
Conversation
Overview
Labels (3 changes)
-org.opencontainers.image.created=2024-03-13T03:00:48.546Z
+org.opencontainers.image.created=2024-03-14T01:50:19.710Z
org.opencontainers.image.description=Cmfive in a docker image
org.opencontainers.image.licenses=GPL-3.0
-org.opencontainers.image.revision=4f0244d3b1021dae8718b43da0f620da160672a4
+org.opencontainers.image.revision=91f8b7a16c84e070566546122f21908fa9c29788
org.opencontainers.image.source=https://github.com/2pisoftware/cmfive-boilerplate
org.opencontainers.image.title=Cmfive
org.opencontainers.image.url=https://github.com/2pisoftware/cmfive-boilerplate
org.opencontainers.image.vendor=2pisoftware
-org.opencontainers.image.version=develop
+org.opencontainers.image.version=pr-119 |
🔍 Vulnerabilities of
|
digest | sha256:33d06f8b02e1954069d819cc38d532fa3d789481cca8871d540c58ea197273a6 |
vulnerabilities | |
platform | linux/amd64 |
size | 357 MB |
packages | 205 |
📦 Base Image alpine:3
also known as |
|
digest | sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0 |
vulnerabilities |
twig/twig
|
Affected range | >=3.0.0 |
Fixed version | 3.4.3 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Description
Description
When using the filesystem loader to load templates for which the name is a user input, it is possible to use the
source
orinclude
statement to read arbitrary files from outside the templates directory when using a namespace like@somewhere/../some.file
(in such a case, validation is bypassed).Resolution
We fixed validation for such template names.
Even if the 1.x branch is not maintained anymore, a new version has been released.
Credits
We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.
chart.js 2.5.0
(npm)
pkg:npm/[email protected]
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Affected range | <2.9.4 |
Fixed version | 2.9.4 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Description
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
libxml2 2.11.7-r0
(apk)
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19
Affected range | <2.12.5-r0 |
Fixed version | 2.12.5-r0 |
Description
jquery-ui 1.10.4
(npm)
pkg:npm/[email protected]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <1.13.0 |
Fixed version | 1.13.0 |
CVSS Score | 6.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Description
Impact
Accepting the value of the
of
option of the.position()
util from untrusted sources may execute untrusted code. For example, invoking the following code:$( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } );will call the
doEvilThing()
function.Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the
of
option is now treated as a CSS selector.Workarounds
A workaround is to not accept the value of the
of
option from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <1.13.0 |
Fixed version | 1.13.0 |
CVSS Score | 6.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Description
Impact
Accepting the value of various
*Text
options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:$( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } );will call
doEvilThing
with 6 different parameters coming from all*Text
options.Patches
The issue is fixed in jQuery UI 1.13.0. The values passed to various
*Text
options are now always treated as pure text, not HTML.Workarounds
A workaround is to not accept the value of the
*Text
options from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <1.13.0 |
Fixed version | 1.13.0 |
CVSS Score | 6.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Description
Impact
Accepting the value of the
altField
option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:$( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } );will call the
doEvilThing
function.Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the
altField
option is now treated as a CSS selector.Workarounds
A workaround is to not accept the value of the
altField
option from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <1.13.2 |
Fixed version | 1.13.2 |
CVSS Score | 6.1 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Description
Impact
Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call
.checkboxradio( "refresh" )
on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.For example, starting with the following initial secure HTML:
<label> <input id="test-input"> <img src=x onerror="alert(1)"> </label>and calling:
$( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" );will turn the initial HTML into:
<label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label>and the alert will get executed.
Patches
The bug has been patched in jQuery UI 1.13.2.
Workarounds
To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the
label
in aspan
:<label> <input id="test-input"> <span><img src=x onerror="alert(1)"></span> </label>References
https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <1.12.0 |
Fixed version | 1.12.0 |
CVSS Score | 6.1 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Description
Affected versions of
jquery-ui
are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of thecloseText
parameter in thedialog
function.jQuery-UI is a library for manipulating UI elements via jQuery.
Version 1.11.4 has a cross site scripting (XSS) vulnerability in the
closeText
parameter of thedialog
function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.Recommendation
Upgrade to jQuery-UI 1.12.0 or later.
curl 8.5.0-r0
(apk)
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19
Affected range | <8.6.0-r0 |
Fixed version | 8.6.0-r0 |
Description
codemirror 4.4.0
(npm)
pkg:npm/[email protected]
Uncontrolled Resource Consumption
Affected range | <5.58.2 |
Fixed version | 5.58.2 |
CVSS Score | 5.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Description
This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2.
The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/.?/)
aws/aws-sdk-php 3.224.0
(composer)
pkg:composer/aws/[email protected]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range | <3.288.1 |
Fixed version | 3.288.1 |
CVSS Score | 6 |
CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
Description
Impact
Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the
buildEndpoint
method in theRestSerializer
component of the AWS SDK for PHP v3 prior to 3.288.1. ThebuildEndpoint
method relies on the Guzzle Psr7UriResolver
utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditions, this could lead to an arbitrary object being accessed.Versions of the AWS SDK for PHP v3 before 3.288.1 are affected by this issue.
Patches
Upgrade to the AWS SDK for PHP >= 3.288.1, if you are on version < 3.288.1.
References
RFC 3986 - https://datatracker.ietf.org/doc/html/rfc3986
For more information
If you have any questions or comments about this advisory, please contact AWS's Security team.
@DerekCrannaford Selenium and Codeception are removed as we discussed. Let me know if you're happy with that. |
@adam-buckley = Inviting you to have a quick think about this. I like where it is heading, and now boilerplate/core do not lean on Codecept tests for actions (or feature reviews) removing Composer build for Codecept & the Selenium container stands to majorly speedup build times for various environments. !!! BUT !!! Is it safe to skip ahead, if this hits from DEV into MASTER, while other (custom) modules demand test support? In use, eg: CRM & STAFF modules are not yet entirely mature to run on Playwright alone. |
Codespace patch: https://github.com/2pisoftware/codespace_dev_box/pull/42 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great, as per discussion with Derek I think we just need to rip the band-aid off and turf Codeception. I wanna give it a go locally first
Patch for core CI here 2pisoftware/cmfive-core#278 Boilerplate still has some Codeception embedded that we need to remove. Seems to be coming from cmfiveTests.php? |
cmfiveTests.php needs to be "de-codeceptionised" before we merge. Needs a meeting. |
Happy for this to merge now @adam-buckley @DerekCrannaford. Needs to merge at the same time as 2pisoftware/cmfive-core#278 |
Changelog
Phpunit 10
This seems to run OK if you keep the filename the same as the class name. So I've separated tests in to subdirectories instead and I've tested to see if they execute the same. It seems to work great, no warnings/errors.
Please review, happy to refactor if needed.
Dev tools script
When I went to install phpunit 10 I noticed another problem. We have phpunit 8 defined in many other places.
Currently there are several test platforms. This is to provide a single source of truth for the test platform. I would like this to eventually be used locally, in CI and in codespaces. The idea is if any of these dev tool packages require an update, just change one of these files and it would propagate to all systems.
It's based on the CI in cmfive-core.
Removal of codeception and selenium
As discussed with @DerekCrannaford we've decided to drop these from the develop branch as they are no longer used. @Dane-2pi heads up this will likely affect codespaces. I will get a PR ready.
Test PHPUnit 10
To test PHPUnit 10, run
.codepipeline/docker/install_dev_tools.sh
thendocker compose exec webapp php cmfive.php tests unit all
.Documentation
The scripts are well commented. Cmfive documentation could be created for
.codepipeline/docker/install_dev_tools.sh
for devs without a codespace, perhaps when it's more widely used.