Upgrade jQueryUI

[florianm]

First of all, servus and thanks for this wonderful admin integration. We've been using it in various projects for a decade now at @dbca-wa and recently at @wagov.

Our security audit flagged a mildly outdated dependency of django-grappelli to jQueryUI 1.13.0 whereas the latest version at the time of writing is jQueryUI 1.13.2 requiring jQuery 1.8+ (django-grappelli uses jQuery 3.6.0).

Would it be possible to bump jQueryUI to 1.13.2, and possibly enabling Dependabot dependency scanning?
Happy to submit a PR if this helps.

[sehmaschine]

dependabot scanning is already active. but we don't see an alert for jqueryui. any details on this?

[florianm]

We commissioned a security audit from a consultancy for a Django project that uses django-grappelli. The project is about to go live to a wider audience, so we're keen to address as many findings as possible, as menial as they seem. Happy to assist where I can.

The consultants flagged as a "low priority" finding:

APP-2 Software Flaws: Outdated and Vulnerable JavaScript Libraries

Description

When vulnerabilities are identified in software the vendor of that product generally releases a ‘patch’ to fix the problem. Where these patches are not deployed in a timely manner, the vulnerabilities in the unpatched components could be exploited by an attacker.

We identified that the Application Portal application makes use of outdated JavaScript libraries with known security flaws, which could potentially be leveraged to perform attacks against application users under specific circumstances.

The vulnerabilities within the libraries include Cross-Site Scripting (XSS) and Prototype Pollution.

Proof of Concept

Vulnerable libraries:

• jQuery-UI version 1.13.0 https:/DOMAIN/static/grappelli/jquery/ui/jqueryui.min.js

Consequence Moderate: If exploited, the issues affecting these JavaScript libraries could be leveraged to execute attacker-controlled scripts within the victim browser, thereby potentially allowing an attacker to compromise the confidentiality, integrity or availability of Application Portal web application.

Likelihood Rare: Exploitation of these flaws is only possible under very specific circumstances, and no specifically exploitable condition was identified in the time available.

Risk

Low

Remediation

Update to the latest version of the affected libraries.
References https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html#keeping-javascript-libraries-updated
https://security.snyk.io/package/npm/jquery-ui/1.13.0
Vulnerability: https://security.snyk.io/vuln/SNYK-JS-JQUERYUI-2946728

jquery-ui is a library for manipulating UI elements via jQuery.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the initialization of check-box-radio widget on an input tag enclosed within a label, which leads to the parent label contents being considered as the input label.

Exploiting this vulnerability is possible if a .checkboxradio( "refresh" ) call is executed on such a widget, and the initial HTML contains encoded HTML entities, leading them to be erroneously decoded.

Upgrade jquery-ui to version 1.13.2 or higher.

I hope the above helps. Let me know if a PR would make your life easier.

[sehmaschine]

I've updated jQuery UI with the stable branch. I'm waiting a bit before a new release, so users can check if there are any issues (although everything looks fine with my local tests).

[florianm]

Thanks for the quick turnaround!