Fix vulnerability in jQuery used in ScalaDoc #8179
Conversation
I'm not an expert, but this looks awesome!
TBH, I'd like to question the value of all that machinery to pull jQuery from a webjar, check its integrity, then insert it into our own jar, versus the old way of simply having a copy of the file in this repo. It seems to me that the old system was simpler. What is the real reason for this change? What value does it bring?
@sjrd I believe that the value is that in some not so far future @scala-steward will be able to create a PR with the "Update jQuery to x.x.x" comment.
or perhaps as an alternative, next time we want to update jQuery the diff will only be a couple lines.
@plokhotnyuk In this specific case we wouldn't be able to trust a scala-steward PR, because we still need to check out the branch, run Scaladoc locally and then test the generated doc manually by navigating a bit through it. That's because we're talking about dynamically typed code, for which I'm pretty sure we don't have nearly enough automated tests.
True, the PR will need manual validation, but at least it'll be a 1-line PR (instead of the diff of jQuery code) and we won't be using a version of jQuery that's 7 years old. |
There are 3 external JavaScripts for scala/src/scaladoc/scala/tools/nsc/doc/html/page/Entity.scala (lines 65 to 69 in 26f34d0).
I think machinery extraction from webjars can be applied to those 3, and achieve fully offline view, instead of bundling those 3 large files into repository. Updating dependencies can be 1-line and be performed by bots (Scala Steward or something).
I don't see why a bot couldn't get the SRI hash from your local JS CDN |
It could be automated if bots support rewriting SRI hash |
input.attr("value") reads only the initial value; it does not read the updated value.
From jQuery 3 on, it will throw instead of returning {top:0,left:0}.
Now CI is all green
Thank you @exoego!!
This is a backport of scala#8179
- Use browser-native tooltip instead of outdated plugin.
- Replace input.attr("value") with input.val().
- Replace event handler shorthands with on/off.
- Do not use offset on invalid jQuery object. It will throw instead of {top:0,left:0} from jQuery 3.
- Add SRI check to verify the resource is correct
Closes scala/bug#11567
This PR updates jQuery bundled in scaladoc mainly to fix potential vulnerabilities of XSS.
Changes
- Update jQuery from 1.8.2 (released in 2012-9-20) to 3.4.1 (latest release as of 2019-6-27) using webjars, so that there is no need to include the jQuery file in this repository.
- Replace the tools.tooltip jQuery plugin with the browser's native tooltip (title attribute), because this plugin uses the deprecated-and-removed jQuery.browser.msie and there is no direct alternative for that. Native tooltip is fine I think.
- Internet Explorer 8 and below will no longer be supported, since jQuery 3.x dropped them.
I think dropping IE8 is reasonable, since
Where to find SRI
https://www.jsdelivr.com/package/npm/jquery
http://code.jquery.com/
Note
I will open PRs of the same fixes to the 2.12.x branch, once this PR is merged. Scala 2.11.x seems not actively maintained, so I guess that no fix on the 2.11.x branch is fine. But I will open a PR if it is desired.