Grav & security vulnerability in jquery?

Hello there!

I am evaluating if Grav suits my usecase, some things I like, one thing leaves me headscratching.

When I run the audit¹ on getgrav.org or on a starterkit it returns 2 security vulnerabilities related to jquery 2.2.4:

Cross-site Scripting (XSS) <1.12.2,>=1.12.3 <2.2.2,>=2.2.3 <3.0.0 Not available 27 Nov, 2016

[ Prototype Pollution ](can only put one link as new user, replace last part with vuln/SNYK-JS-JQUERY-174006) <3.4.0 Not available 27 Mar, 2019

Is chromium right? Is this something I can resolve or something being already addressed, is it a will not fix, needs no fix, ..?

I m feeling concerned, please elaborate : )

1: Chromium -> Webinpector (strg+alt+i) -> audit

I can't speak about the vulerability specifically, but it's part of the theme you are using rather than Grav itself. It will be very simple to switch versions of Jquery or use another theme.

However, please consider reporting this to the maintainer of the theme you are using.

i just ran snyk.io/test/website-scanner on my website, built with Grav, updated to the latest version. I modified the latest version of the Photographer skeleton.

I have the same report of vulnerabilities to jquery 2.2.4 Tested 22 May 2020.

Can I change the jquery version from within Admin? Or do I have to go looking at the guts of the theme?

Grav uses jquery. It loads 2.1.4, 2.x, & 3.x (at least these are in system/assets)

Suppose I delete 2.1.4 and 2.x?

@finanalyst, It depends on how the theme adds jQuery...

If it uses something similar to assets.addJs('jquery', 101) it will include the jQuery library set in /user/config/system.yaml:

assets:             # Configuration for Assets Manager (JS, CSS)
  collections:
    jquery: system://assets/jquery/jquery-2.x.min.js

You could download jQuery and add it to folder /system/assets/jquery and change the settings accordingly. You could also point the config to a CDN instead of downloading:

assets:             # Configuration for Assets Manager (JS, CSS)
  collections:
    jquery: https://code.jquery.com/jquery-3.5.1.min.js

If the template adds a path inside the theme, you will probably have to update the template.

I tried to locate where the 2.4.2 dependency is by deleting the jquery library in system/assets.
admin still works, my website still loaded, but photographer uses isotope to filter images in a gallery.
The filter stopped working.
The security problem caught by the website test is with jquery 2.4.2, not with where or how jquery is loaded.

@finanalyst

The security problem caught by the website test is with jquery 2.4.2, not with where or how jquery is loaded.

That's correct, the vulnerability is in the jQuery library v2.4.2 and needs to be replaced with an updated version. Hence you will have to download a newer version which does not have vulnerabilities. Either download or point to a newer CDN version.

And another library depending on jQuery might break when updating jQuery...

I am trying to figure out where the jquery 2.4.2 dependency is.
I deleted from system/assets the reference to jquery 2.4.* and a plugin (isotope) broke.
But I am looking at isotope - which is being updated all the time, and I do not see any explicit 2.4.2 dependency.
Is there a quick way of finding which part of Grav loaded the asset?

@finanalyst, I don't think Grav adds jQuery, that's the responsibility of the theme or the plugin.

You could try a search in your favorite editor on addJs('jquery' or a regex search addJs.*jquery

I'm a noob, but you can fix the jquery here:

@finanalyst, According the package.json of the github repo of isotope, it uses jquery 3.3.1 which is also marked as having vulnerabilities.

@unleashed Thanks. I looked through the Admin interface. Found that reference. But jquery v 2.4.2 is still being added somewhere.

I looked in the assets and js folders of the theme, but I haven't found it yet. (Still looking).

However, as pointed out, it is probably added by a grav twig function (addJs), so I was wondering if there was a way of logging that.

Vulnerabilities are a going to be a pest in internet land for ever!

So, in a sense finding a good way of tracking down where Jquery is loaded would be useful.

Using a search in an editor assumes all the sources are in the editor. I'm using a photographer skeleton from the Grav download page. The meta information indicated that the theme was updated for the latest Grav update.

lol, I'm a hunt and grunt troublshooter. If it's being added by a plugin, disable plugins one at a time until the problem goes away.

Been trying to do that. Broke Grav admin, broke my site. Now trying to get back to where I was this morning. Not happy at this moment!
Can't discover whether Grav Admin plugin needs Jquery 2.1.4 or not

I have restored the site's operation by allowing Jquery 1. to be loaded.

The Jquery version is embedded in the Photographer skeleton. I do not know to upgrade all the plugins to get to the latest versions of Jquery.

I chose the Theme because it provided a nice interface and seemed to be an easy way to get to a look and feel that I wanted.

But if I need to work through every plugin used by the Theme, that is a lot of effort.

Which Grav theme is the most modern/most secure?

Just for grins I installed the photographer skeleton, added admin, and looked at the testing results. Yup out of the box it is using jquery 2.x.

I then made the one change in admin>Configuration>System>Assets: system://assets/jquery/jquery-3.x.min.js (like the screenshot above) and re-tested the site. Now it passes with jquery 3.x. No need to delete any of the stuff in system/assets.

This was done on a totally new install of the Photographer skeleton, so if you've made any custom changes or installed additional plugins your results may vary.

@unleashed Thanks for the effort.
Yes I was also able to change the jquery version in Admin with photographer. And with no other change, everything worked. (Eventually :) )..
BUT photographer itself loads JQ 2.1 and 2.2 within base.html.twig.
This means that changing the JQ version for Grav does not Prevent another version of JQ from being loaded. A website security audit only picks up the fact that JQ 2.2.4 is loaded. So even implementing the change you suggested will allo cause the website to fail a security check.
Photographer also uses an old version of isotope and a couple of other plugins that rely on a JQ 2.1 version (via a migration library, I think) to be available.
I tried changing various things, and managed to screw things up. So I will have to work though each of the plugins used by Photographer and update or replace those that require JQ 2.1 or JQ 2.2

What is a bit irritating though, is that don't know whether the security issues that are flagged by the automated sites are generic warnings, and that they may not even be applicable to GRAV. In which case, there would be no need to eradicate JQ 2.1 / 2.4.2 dependencies.

I would appreciate a link to a discussion of the JQuery security issues in the context of GRAV. I chose GRAV originally because I did not want a SQL db driven website, for the very reason that SQL related attacks seemed to be the most common security risk for websites.

So after working at the security problem for a while, I discovered that the biggest issues flagged by automatic site testing is due to HTTP headers.

I have documented my solutions in another post.

Once these issues were dealt with, the JQuery vulnerabilities remain, but are scored much lower. So the overall score for the site was B, rather than F (the worst).

I haven't resolved this issue completely, as I would like to remove dependencies on old software, but it does not seem to urgent at present.