
Bump dompurify to a version >= 3.1.3 & => 2.5.4 #4721

Closed
4 tasks done
tasso94 opened this issue Oct 14, 2024 · 9 comments
Assignees
Labels
type:task Issues that are a change to the project that is neither a feature nor a bug fix. version:7.20.10 version:7.21.7 version:7.22.2 version:7.23.0-alpha3 version:7.23.0

Comments

@tasso94
Member

tasso94 commented Oct 14, 2024

Acceptance Criteria (Required on creation)

Bump dompurify to a version >= 3.1.3

Hints

Links

Breakdown

Pull Requests

  1. venetrius

Dev2QA handover

  • Does this ticket need a QA test and the testing goals are not clear from the description? Add a Dev2QA handover comment
@tasso94 tasso94 added type:task Issues that are a change to the project that is neither a feature nor a bug fix. version:7.23.0 potential:7.20.10 potential:7.22.2 potential:7.21.7 labels Oct 14, 2024
@venetrius venetrius changed the title Bump dompurify to a version >= 3.1.3 Bump dompurify to a version >= 3.1.3 & => 2.5.4 Jan 14, 2025
@venetrius
Member

Engine rest docs use 2.4.7; updated the issue title to specify the min. bump version for 2.x as well.

@venetrius
Member

/set-version-labels

@venetrius
Member

venetrius commented Jan 14, 2025

I realised that webapps already use a safe version of dompurify (CE uses 3.1.3 in all Camunda versions, EE uses mixed versions >=3.1.6) 🙃 🙃
The package-lock.json does contain both the 3.1.2 (vulnerable) and 3.1.3 (safe) versions in CE, but the version is resolved to 3.1.3. I think this is what confused me when qualifying the security tickets.
engine-rest/docs/ uses a vulnerable 2.4.7 version; I am bumping that up to a safe 2.5.6.

| app version | env | dompurify v. in webapps | dompurify v. in rest-docs | action |
|---|---|---|---|---|
| 7.23-SNAPSHOT | CE | 3.1.3 | 2.4.x | updated rest-docs |
| 7.23-SNAPSHOT | EE | 3.1.7 | N/A | N/A |
| 7.22 | CE | 3.1.6 | 2.4.x | updated rest-docs |
| 7.22 | EE | 3.1.7 | N/A | N/A |
| 7.21 | CE | 3.1.3 | 2.4.x | updated rest-docs |
| 7.21 | EE | 3.1.3 | N/A | N/A |
| 7.20 | CE | 3.1.3 | 2.4.7 | updated rest-docs |
| 7.20 | EE | 3.2.0 | N/A | N/A |

@venetrius venetrius assigned tasso94 and unassigned venetrius Jan 20, 2025
@venetrius
Member

@tasso94 please see the previous comment related to code changes

@tasso94 tasso94 assigned venetrius and unassigned tasso94 Jan 20, 2025
venetrius added a commit that referenced this issue Jan 20, 2025
@KBGenerali

@venetrius & @tasso94 our OWASP Dependency-Check still finds the vulnerable version 3.0.9 of DOMPurify in deps.js

camunda-webapp-webjar-ee-7.22.2-ee.jar: deps.js (pkg:javascript/[email protected], pkg:javascript/[email protected]) : CVE-2024-45801, CVE-2024-47875, CVE-2024-6484, Bootstrap before 4.0.0 is end-of-life and no longer maintained.

Is this fix not included in Camunda 7.22.2-ee? Could you please check again whether anything is missing, or is this a false positive?

@venetrius
Member

@KBGenerali ,
Thanks for letting us know. We will investigate to see if the vulnerable version is still present or if this is a false positive.

@venetrius venetrius reopened this Jan 24, 2025
@venetrius
Member

@KBGenerali,

Thanks for the heads up. The investigation has the following results:

  • pkg:javascript/[email protected] is a false positive hit; we are shipping a long-term support version of bootstrap that is not affected.
  • an old version of DOMPurify is included in one of our dependencies, but it does not affect Camunda.

In the future (or if you have more questions) please create an issue via the Camunda trust-center.
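Both findings in this thread come down to the same question: which copies of a package does a build actually contain, and which one does the application resolve to? The earlier comment notes a package-lock.json that lists both dompurify 3.1.2 and 3.1.3 while resolving to 3.1.3, and the Dependency-Check report above found an older copy pulled in through a dependency. The following Node script is an added example, not code from the Camunda project or from this thread: it walks an npm lockfile (lockfileVersion 2/3 `packages` map or lockfileVersion 1 nested `dependencies` tree), lists every copy of a package with its install path, marks which copy is hoisted (the one a top-level `require('dompurify')` resolves to), and flags versions below the thresholds stated in the issue title (>= 3.1.3 for the 3.x line, >= 2.5.4 for the 2.x line). The lockfile and the dependency name `some-widget` are constructed for the example.

```javascript
// Added example: audit every copy of a package recorded in an npm lockfile.
// Not Camunda project code; the lockfile below is constructed for illustration.

// Minimum safe versions per major line, taken from the issue title.
const MIN_SAFE = { 2: "2.5.4", 3: "3.1.3" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A version is vulnerable if it is older than the fixed release of its major
// line, or older than every major line the advisory covers.
function isVulnerable(version) {
  const major = parseVersion(version)[0];
  if (major < 2) return true;
  const min = MIN_SAFE[major];
  if (min === undefined) return false; // newer major than the thresholds cover
  return compareVersions(version, min) < 0;
}

// Yield {path, version} for every installed copy of `name`.
// lockfileVersion 2/3: flat "packages" map keyed by install path.
// lockfileVersion 1: nested "dependencies" tree.
function findCopies(lock, name) {
  const copies = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        copies.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) copies.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return copies;
}

// Hoisted copy = what top-level code resolves to; nested copies are only
// reachable from the package that declared them (but still ship in the bundle).
function audit(lock, name) {
  return findCopies(lock, name).map((c) => ({
    ...c,
    hoisted: c.path === `node_modules/${name}`,
    vulnerable: isVulnerable(c.version),
  }));
}

// Constructed lockfile: a safe hoisted 3.1.3 plus an old 3.0.9 nested under a
// hypothetical dependency whose range does not accept 3.1.x.
const SAMPLE_LOCK = {
  name: "sample-webapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-webapp", version: "0.0.0",
          dependencies: { dompurify: "^3.1.3", "some-widget": "^1.0.0" } },
    "node_modules/dompurify": { version: "3.1.3" },
    "node_modules/some-widget": { version: "1.0.0",
          dependencies: { dompurify: "~3.0.9" } },
    "node_modules/some-widget/node_modules/dompurify": { version: "3.0.9" },
  },
};

for (const r of audit(SAMPLE_LOCK, "dompurify")) {
  const flag = r.vulnerable ? "VULNERABLE" : "ok";
  console.log(`${flag.padEnd(10)} ${r.version.padEnd(8)} ${r.hoisted ? "hoisted" : "nested "} ${r.path}`);
}
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK`. A scanner such as Dependency-Check reports every copy it finds in the shipped artifact, so a nested vulnerable copy shows up even when the hoisted version is fixed; whether that copy is reachable from the application's own code is the question the audit result leaves for a human.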

@monsieur-gurr

@venetrius
Thanks for investigating.
Will the old version of DOMPurify (which is not affecting Camunda) still be updated in the next patch/minor release?

@tasso94
Member Author

tasso94 commented Jan 29, 2025

Hi @monsieur-gurr,

Yes. We have a ticket for that: #4913

Best,
Tassilo
