Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade the bundled jQuery UI package #1786

Open
hedsnz opened this issue Nov 26, 2024 · 0 comments
Open

Upgrade the bundled jQuery UI package #1786

hedsnz opened this issue Nov 26, 2024 · 0 comments

Comments

@hedsnz
Copy link

hedsnz commented Nov 26, 2024

The version of jQuery UI bundled in https://github.com/posit-dev/py-shiny/blob/main/shiny/www/shared/jqueryui/jquery-ui.min.js is 1.13.2.

According to Sonatype, this version is vulnerable to prototype pollution (SONATYPE-2024-011918):

The $.widget() function in widget.js does not properly check if the name parameter contains a risky JavaScript accessor such as __proto__ or constructor when creating a new widget. An attacker can exploit this vulnerability by providing a crafted name to override the original JavaScript prototype and therefore values of objects used by the application. This may result in arbitrary code execution, data corruption, or application crashes.

This was fixed in jQuery UI 1.14.1: https://jqueryui.com/changelog/1.14.1/#widget-factory.

To be clear, a) I have on idea what shiny uses jQuery UI for, and b) I suspect the probablility that this is exploitable via shiny to be very low. However, it's probably good to keep these dependencies up-to-date anyway.

I'd offer a PR to upgrade jQuery UI, but I think you probably do it via htmlDependencies.R (https://github.com/posit-dev/py-shiny/blob/main/scripts/htmlDependencies.R), and therefore it's just a matter of running that script to get the latest versions? I haven't looked too closely at it. Happy to help in any way.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant