✨ jQuery v1.3.3-sec

ctcpip · Feb 15, 2024 · 507478b · 507478b
1 parent ac014c5
commit 507478b
Show file tree

Hide file tree

Showing 4 changed files with 140 additions and 116 deletions.
diff --git a/README.md b/README.md
@@ -35,7 +35,7 @@ In a perfect world, at least every MAJOR EOL jQuery release line would have a se
 | jQuery version | jQuery-sec version | Branch      | PR             | Release | CVEs Patched                                                                                                                         |
 | -------------- | ------------------ | ----------- | -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------ |
 | `1.2.6`        | `1.2.7-sec`        | [1.2.7-sec] | [PR][1.2.7-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
-| `1.3.2`        | `1.3.3-sec`        |             |                |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
+| `1.3.2`        | `1.3.3-sec`        | [1.3.3-sec] | [PR][1.3.3-pr] |         | [CVE-2011-4969] \| [CVE-2012-6708] \| <del>CVE-2015-9251</del>* \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
 | `1.4.4`        | `1.4.5-sec`        |             |                |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
 | `1.5.2`        | `1.5.3-sec`        |             |                |         | [CVE-2011-4969] \| [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023] |
 | `1.6.4`        | `1.6.5-sec`        | [1.6.5-sec] | [PR][1.6.5-pr] |         | [CVE-2012-6708] \| [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-7656] \| [CVE-2020-11022] \| [CVE-2020-11023]                    |
@@ -45,7 +45,7 @@ In a perfect world, at least every MAJOR EOL jQuery release line would have a se
 | `2.2.4`        | `2.2.5-sec`        |             |                |         | [CVE-2015-9251] \| [CVE-2019-11358] \| [CVE-2020-11022] \| [CVE-2020-11023] \| [CVE-2020-23064]                                      |
 
 > [!IMPORTANT]
-> *CVE-2015-9251 is not reproducible in `1.2.6`
+> *CVE-2015-9251 is not reproducible in `1.2.6` and `1.3.2`
 
 > [!NOTE]
 > The 3.x release line is currently supported by jQuery, so we have no need to provide patched versions of 3.x at this time. jQuery 3.5 introduced a breaking change, but it was necessary to fix CVE-2020-11022 and CVE-2020-11023. However, since these vulnerabilities are present in virtually all versions of jQuery, there would be no value in providing a patched version of 3.4 as it would need to include that breaking change anyway.
@@ -60,8 +60,13 @@ Ultimately, our hope is that these patched versions can be approved and accepted
 
 [1.2.7-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.2.7-sec
 [1.2.7-pr]: https://github.com/ctcpip/jquery-security-patches/pull/2
+
+[1.3.3-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.3.3-sec
+[1.3.3-pr]: https://github.com/ctcpip/jquery-security-patches/pull/3
+
 [1.6.5-sec]: https://github.com/ctcpip/jquery-security-patches/tree/1.6.5-sec
 [1.6.5-pr]: https://github.com/ctcpip/jquery-security-patches/pull/1
+
 [CVE-2011-4969]: https://github.com/advisories/GHSA-579v-mp3v-rrw5
 [CVE-2012-6708]: https://github.com/advisories/GHSA-2pqj-h3vj-pqgw
 [CVE-2015-9251]: https://github.com/advisories/GHSA-rmxg-73gg-4p98

diff --git a/security/README.md b/security/README.md
@@ -1,45 +1,52 @@
-# Testing
+# Testing (and building) jQuery
 
 > [!IMPORTANT]
-> In order to keep the version PRs clean, you will need to use different branches depending on whether you want to run the jQuery tests or the A/B CVE tests. For the A/B CVE tests, you need to checkout the `main` branch. For the jQuery tests, you need to checkout the branch of the version you are interested in, e.g. `1.6.5-sec`.
+> In order to keep the version PRs clean, you will need to use different branches depending on whether you want to run the jQuery tests, build jQuery, or run the A/B CVE tests. For the A/B CVE tests, you need to checkout the `main` branch. For the jQuery tests or to build jQuery, you need to checkout the branch of the version you are interested in, e.g. `1.6.5-sec`.
 
-## jQuery tests
+## Testing
 
-### How to run jQuery tests
+### jQuery tests
 
-Includes instructions only for how to run the tests on MacOS. (PRs welcome for instructions for other platforms!)
+#### How to run jQuery tests
 
-#### 1.2.6 / 1.2.7-sec
+##### 1.2.6 / 1.2.7-sec
 
+- Checkout the `1.2.6` or `1.2.7-sec` branch
 - Run `make test` from the root folder of the repo
 - Open `/tests/index.html` in your browser
 
-#### 1.6.4 / 1.6.5-sec
+##### 1.3.2 / 1.3.3-sec
 
-##### Prerequisites
+<!-- - Checkout the `1.3.2` or `1.3.3-sec` branch
+- Run `make test` from the root folder of the repo
+- Open `/tests/index.html` in your browser -->
+
+##### 1.6.4 / 1.6.5-sec
+
+###### Prerequisites
 
 - Install php 5.6
-  - We recommend using [homebrew-php](https://github.com/shivammathur/homebrew-php)
+  - For Macs, We recommend using [homebrew-php](https://github.com/shivammathur/homebrew-php)
 
-##### Running the tests
+###### Running the tests
 
-- Checkout the branch of the version you are interested in, e.g. `1.6.5-sec`
+- Checkout the `1.6.4` or `1.6.5-sec` branch
 - Run php server from the root folder of the repo: `php -S 127.0.0.1:8000`
 - Open `127.0.0.1:8000/tests/index.html` in your browser
 
-## A/B end-to-end acceptance tests
+### A/B end-to-end acceptance tests
 
 Tests run on every push in CI via [GitHub workflow](https://github.com/ctcpip/jquery-security-patches/actions/workflows/security-test.yml)
 
 You can run the A/B tests locally in CI mode or manually in the browser
 
-### How to run A/B end-to-end acceptance tests in CI mode
+#### How to run A/B end-to-end acceptance tests in CI mode
 
 - Checkout the `main` branch
 - Run `nom test` in `/security/test`
 - Rejoice!
 
-### How to run A/B end-to-end acceptance tests manually
+#### How to run A/B end-to-end acceptance tests manually
 
 - Checkout the `main` branch
 - Run `nom run serve` in `/security/test`
@@ -49,3 +56,22 @@ You can run the A/B tests locally in CI mode or manually in the browser
 - Check the `Patched` checkbox to load the patched version of the jQuery version you selected
 - An attempt is made to trigger all CVEs automatically, but you can attempt to trigger them again by clicking their respective buttons
 - Rejoice!
+
+## Building
+
+<!-- markdownlint-disable-next-line MD024 -->
+### 1.2.6 / 1.2.7-sec
+
+- Checkout the `1.2.6` or `1.2.7-sec` branch
+- Run `make jquery` from the root folder of the repo
+  - this will output `./dist/jquery.js`
+
+<!-- markdownlint-disable-next-line MD024 -->
+### 1.3.2 / 1.3.3-sec
+
+- Checkout the `1.3.2` or `1.3.3-sec` branch
+- Run `make jquery` from the root folder of the repo
+  - this will output `./dist/jquery.js`
+
+<!-- markdownlint-disable-next-line MD024 -->
+### 1.6.4 / 1.6.5-sec