This repository has been archived by the owner on Apr 23, 2023. It is now read-only.

Splunkbase blocking issues for cloud vetting v4.1.0 #45

Closed
jorritfolmer opened this issue Oct 21, 2022 · 12 comments

Comments

@jorritfolmer
Owner

jorritfolmer commented Oct 21, 2022

  1. check_for_vulnerable_javascript_library_usage

    3rd party CORS request may execute
    parseHTML() executes scripts in event handlers
    jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
    Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
    Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
    reDOS - regular expression denial of service
    Regular Expression Denial of Service (ReDoS)
    Regular Expression Denial of Service (ReDoS)
    This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.
    
  2. check_python_sdk_version

    Detected an outdated version of the Splunk SDK for Python (1.6.0). Please upgrade to version 1.6.16 or later. File: bin/ta_dmarc/solnlib/packages/splunklib/binding.py
    Detected an outdated version of the Splunk SDK for Python (1.6.6). Please upgrade to version 1.6.16 or later. File: bin/ta_dmarc/aob_py2/splunklib/binding.py
    Detected an outdated version of the Splunk SDK for Python (1.6.6). Please upgrade to version 1.6.16 or later. File: bin/ta_dmarc/aob_py3/solnlib/packages/splunklib/binding.py
    Detected an outdated version of the Splunk SDK for Python (1.6.6). Please upgrade to version 1.6.16 or later. File: bin/ta_dmarc/aob_py2/solnlib/packages/splunklib/binding.py
    Detected an outdated version of the Splunk SDK for Python (1.6.0). Please upgrade to version 1.6.16 or later. File: bin/ta_dmarc/splunklib/binding.py
    
@jorritfolmer
Owner Author

The JS vuln seems to refer to appserver/static/js/build/common.js. This doesn't seem like something to patch manually so I'll wait for a new version of the Splunk add-on builder before looking at this again.

@hkelley
Collaborator

hkelley commented Oct 21, 2022

Do you already have the solution for the check_python_sdk_version? If so, I'll do a little research into the jQuery issue.

I'm assuming that if I took the current release and moved it to a local search head (from web), I'd lose all the KVstore context about prior messages, so I'm eager to get this cloud-vetted.

@jorritfolmer
Owner Author

jorritfolmer commented Oct 21, 2022

Yes check_python_sdk_version seems to involve downloading the newest 1.6.x from https://pypi.org/project/splunk-sdk/1.6.20/#files and replacing it in 5 separate directories.

@hkelley
Collaborator

hkelley commented Oct 21, 2022

Does this seem like a jQuery solution? I see a few posts in https://community.splunk.com/t5/Building-for-the-Splunk-Platform/ that mention this technique (both to clean up old junk and to pick up newer jQuery).

To update your add-on, you will need to export your current project, then import it into this new Add-on Builder release. You can find more information in the “Import and export an add-on project ” section of the user guide.

@jorritfolmer
Owner Author

No that would have been the solution if there were a new add-on builder version that included the updated moment.js or jQuery or whatever. But there isn't yet. In July I rebuilt the add-on from scratch to pass then longstanding cloud vetting issues involving older jQuery versions. It worked then, see below, but AoB hasn't been updated yet.

[Screenshot 2022-10-21 at 15:16:41: vetting results]

Good news: check_python_sdk_version failure is gone.
One failure left:

[Screenshot 2022-10-21 at 15:27:12: vetting results]

@jorritfolmer
Owner Author

Ah I think I found the origin of the vulnerability. Currently at the top of https://github.com/moment/moment/blob/develop/CHANGELOG.md:

2.29.4

Release Jul 6, 2022
moment/moment#6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

@jorritfolmer
Owner Author

Interesting... appserver/static/js/build/common.js appears to contain a lot of stuff from around the year 2014:

  • jQuery UI Widget 1.10.4
  • jQuery UI Datepicker 1.10.4
  • jQuery UI Core 1.10.4
  • jQuery UI Mouse 1.10.4
  • jQuery resize event - v1.1 - 3/14/2010
  • jQuery JavaScript Library v2.1.0
  • Sizzle CSS Selector Engine v1.10.16
  • moment.js v2.8.3

That can't be right.
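The inventory above is exactly what a vetting check has to recover from a concatenated bundle: one file, many library banners, each with its own version. The script below is an added example, not code from the TA-dmarc project or from Splunk AppInspect. It walks an app directory, pulls library versions out of banner comments (jQuery, moment.js) and out of `splunklib/__init__.py` (`__version_info__`, which is where the Python SDK records its version as far as I know; treat that pattern as an assumption), and reports every copy below a floor. The floors for moment (2.29.4) and splunk-sdk (1.6.16) come from this thread; the jQuery floor of 3.5.0 is my assumption based on the htmlPrefilter advisories quoted in the first comment. The sample app tree it scans is constructed inline and is not the real add-on.

```python
"""Scan a Splunk app directory for bundled JS libraries and splunklib copies
below a version floor (added example; not AppInspect and not the TA's code)."""
import os
import re
import tempfile

# Minimum acceptable versions. moment and splunk-sdk floors are taken from the
# vetting output in this issue; the jQuery floor is an assumption.
FLOORS = {
    "jquery": (3, 5, 0),
    "moment": (2, 29, 4),
    "splunk-sdk": (1, 6, 16),
}

# Banner shapes to look for. A bundle such as common.js carries several of
# these back to back, so every match is reported, not just the first.
PATTERNS = [
    ("jquery", re.compile(r"jQuery JavaScript Library v(\d+)\.(\d+)\.(\d+)")),
    ("moment", re.compile(r"moment\.js\s+v(\d+)\.(\d+)\.(\d+)")),
    ("moment", re.compile(r"moment\.js\s*//!\s*version\s*:\s*(\d+)\.(\d+)\.(\d+)")),
    # Assumed location of the SDK version: splunklib/__init__.py, __version_info__.
    ("splunk-sdk", re.compile(r"__version_info__\s*=\s*\((\d+),\s*(\d+),\s*(\d+)\)")),
]

SCAN_SUFFIXES = (".js", ".py")


def find_versions(text):
    """Yield (library, version_tuple) for every banner found in one file."""
    for lib, rx in PATTERNS:
        for m in rx.finditer(text):
            yield lib, tuple(int(g) for g in m.groups())


def scan(root):
    """Return sorted (relpath, lib, version, floor) for each bundled copy
    whose version tuple compares below its floor."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for lib, ver in find_versions(text):
                floor = FLOORS[lib]
                if ver < floor:
                    findings.append((rel, lib, ver, floor))
    return sorted(findings)


def fmt(ver):
    """(1, 6, 16) -> '1.6.16'"""
    return ".".join(map(str, ver))


# Constructed sample tree mimicking the layout discussed in this issue:
# an old bundle under appserver/static and two splunklib copies, one stale.
SAMPLE_FILES = {
    "appserver/static/js/build/common.js":
        "/*! jQuery JavaScript Library v2.1.0 */\n"
        "//! moment.js\n//! version : 2.8.3\n"
        "/*! jQuery UI - v1.10.4 */\n",
    "bin/ta_dmarc/splunklib/__init__.py":
        "__version_info__ = (1, 6, 0)\n",
    "bin/ta_dmarc/aob_py3/splunklib/__init__.py":
        "__version_info__ = (1, 6, 20)\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="ta_sample_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, lib, ver, floor in scan(root):
        print(f"{rel}: {lib} {fmt(ver)} is below floor {fmt(floor)}")
```

Run against a real app root (`scan("/opt/splunk/etc/apps/TA-dmarc")`), it would have flagged the jQuery 2.1.0 and moment 2.8.3 banners inside common.js as well as each stale splunklib copy, which is a quicker way to find the offending file than reading the vetting report line by line. The version tuples compare numerically, so 1.6.20 is correctly treated as newer than 1.6.16.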

@jorritfolmer
Owner Author

Fixed! I deleted common.js, the TA keeps working and passes validation. I compared the appserver directory from a fresh TA generated by AoB. And. It didn't contain the common.js file! Apparently I copied the entire appserver directory over when recreating "from scratch" instead of just the appserver/img directory for the icon and screenshot.

I'll keep this issue open until the TA is passing the 2nd cloud vetting stage.

@hkelley
Collaborator

hkelley commented Nov 17, 2022

Any update from Splunk vetting?

@jorritfolmer
Owner Author

Nothing, still pending…

@hkelley
Collaborator

hkelley commented Nov 28, 2022

I'll open a support case to see if that nudges the approval/review process. It's now been more than 30d, which I believe is unusual.

@jorritfolmer
Owner Author

Ha! It worked! Well done!
