
Security Issue in UI Classic node package codemirror #7527

Open
bhadrim opened this issue Dec 2, 2020 · 8 comments

Comments

@bhadrim

bhadrim commented Dec 2, 2020

Affected component: UI Classic
Current Version: 5.47.0
Remediation: 5.58.2 or higher
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-7760
CVE: CVE-2020-7760

@bhadrim
Author

bhadrim commented Jan 18, 2021

Any update on this one? Thank you.

@bhadrim
Author

bhadrim commented Jan 19, 2021

@himdel any update on this one? Thank you.

@himdel
Contributor

himdel commented Jan 20, 2021

We can probably ignore this, we're running codemirror in htmlmixed, xml, shell, or ruby modes.
It's never used to edit javascript.

@himdel
Contributor

himdel commented Feb 1, 2021

Follow up for whoever ends up doing this...

`= render :partial => "/layouts/my_code_mirror",...` - used in old forms; this depends only on the codemirror package, via `miqInitCodeMirror`, and uses `window.CodeMirror` set by the global pack

`"ui-codemirror" => {...` - used in angular, via the angular-ui-codemirror package; that package is archived, we're using the latest version, but it also doesn't specify a codemirror dependency, so in theory it should work as long as the API stays the same

`CodeEditor` - our react component wrapping `CodeMirror` from react-codemirror2, has a 5.x codemirror peerDependency
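The comment above lists three consumers of codemirror, one of them through a wrapper with its own peer dependency, so the question "which codemirror version is actually installed, and where?" has to be answered against the resolved dependency tree, not against a `package.json` range. The following is an added example, not code from ManageIQ or from this issue: it walks a package-lock v1 style tree (`{ dependencies: { name: { version, dependencies } } }`), collects every resolved copy of a package including nested ones, and flags each copy below the remediation version the issue states (5.58.2 for CVE-2020-7760). The sample lock tree, and every version number in it other than the 5.47.0 and 5.58.2 taken from the issue, is constructed for illustration.

```javascript
// Added example: audit resolved codemirror copies against an advisory's fixed version.
// Not ManageIQ code; the lock tree below is constructed, not the project's real lockfile.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts; null on junk.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A prerelease sorts below its release (5.58.2-beta.1 < 5.58.2), so it is NOT remediated.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`invalid semver: ${!pa ? a : b}`);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.prerelease === pb.prerelease) return 0;
  if (pa.prerelease === null) return 1;
  if (pb.prerelease === null) return -1;
  return pa.prerelease < pb.prerelease ? -1 : 1;
}

// True when the installed version is at or above the advisory's fixed version.
function isRemediated(installed, fixedIn) {
  return compareSemver(installed, fixedIn) >= 0;
}

// Collect every resolved copy of pkgName anywhere in the tree, with its path,
// so a second copy pulled in by a wrapper (e.g. under react-codemirror2) is not missed.
function resolvedVersions(lockTree, pkgName, path = [], out = []) {
  const deps = (lockTree && lockTree.dependencies) || {};
  for (const [name, entry] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === pkgName) out.push({ path: here.join(' > '), version: entry.version });
    resolvedVersions(entry, pkgName, here, out);
  }
  return out;
}

// Report each resolved copy that is still below the advisory's fixed version.
function auditAdvisory(lockTree, advisory) {
  return resolvedVersions(lockTree, advisory.package)
    .filter((r) => !isRemediated(r.version, advisory.fixedIn))
    .map((r) => ({ ...r, cve: advisory.cve, fixedIn: advisory.fixedIn }));
}

// Constructed sample tree: the top-level codemirror is the 5.47.0 from the issue;
// a hypothetical nested copy under the react wrapper is already at the fixed version.
const SAMPLE_LOCK = {
  dependencies: {
    codemirror: { version: '5.47.0' },
    'react-codemirror2': {
      version: '7.2.1', // constructed
      dependencies: { codemirror: { version: '5.58.2' } },
    },
    'angular-ui-codemirror': { version: '0.3.0' }, // constructed; no nested codemirror
  },
};

// Advisory data as stated in the issue.
const ADVISORY = { cve: 'CVE-2020-7760', package: 'codemirror', fixedIn: '5.58.2' };

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditAdvisory(SAMPLE_LOCK, ADVISORY)) {
    console.log(`${f.cve}: ${f.path} resolves to ${f.version}, fixed in ${f.fixedIn}`);
  }
}
```

Run it with `node` against a tree built from a real `package-lock.json` (`JSON.parse(fs.readFileSync('package-lock.json'))` has the same `dependencies` shape for lockfile v1) to get one line per unremediated copy and its path; an empty report means every resolved copy is at or above the fixed version, which is the check to repeat after the bump.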

@bhadrim
Author

bhadrim commented Feb 19, 2021

@himdel Can we ignore this issue, or do you plan on fixing it? If you believe this security issue will not affect ManageIQ, then I can close this issue. Thank you.

@himdel
Contributor

himdel commented Feb 19, 2021

Well, there is no security issue: if a user pastes malicious javascript on an htmlmixed form (that would be Edit description in old forms), their UI might hang, but that's it. The solution to that is not pasting malicious javascript into the editor. :)

I do think we should be keeping our dependencies up to date, so I would not necessarily close this; fixing this one might be a good start for the new UI team, but there's no urgency :).

@bhadrim
Author

bhadrim commented Feb 19, 2021

Okay thank you.

@miq-bot
Member

miq-bot commented Feb 27, 2023

This issue has been automatically marked as stale because it has not been updated for at least 3 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions! More information about the ManageIQ triage process can be found in the triage process documentation.

@Fryguy Fryguy removed the stale label Mar 2, 2023