
x/tools/cmd/godoc: jquery can be updated to a newer version #39535

Open
joegrasse opened this issue Jun 11, 2020 · 12 comments
Labels: NeedsFix (The path to resolution is known, but the work has not been done.), Security, Tools (This label describes issues relating to any tools in the x/tools repository.)

Comments

@joegrasse

The version of jquery in godoc is susceptible to a security vulnerability.

@gopherbot gopherbot added the Tools label Jun 11, 2020
@gopherbot gopherbot added this to the Unreleased milestone Jun 11, 2020
@toothrot toothrot added the NeedsInvestigation label Jun 12, 2020
@toothrot (Contributor)

/cc @dmitshur

@dmitshur (Contributor)

Thanks for the report.

The godoc command does not have code paths that involve passing HTML from untrusted sources, so I don't believe this is a security issue. If you think I'm missing something, please use the "Flagging Existing Issues as Security-related" process described at https://golang.org/security.

It can still be updated to a newer version.

@dmitshur dmitshur changed the title from "x/tools/cmd/godoc: jquery version needs to be upgraded" to "x/tools/cmd/godoc: jquery can be updated to a newer version" Jun 12, 2020
@dmitshur dmitshur added the NeedsFix label and removed the NeedsInvestigation label Jun 12, 2020
@l-lindsay

Any intention on upgrading jquery to a later version? Seeing this issue pop up in a scan.

@Brookke

Brookke commented Mar 18, 2022

Looks like there's a fix for this awaiting review: golang/tools#250

@bcmills (Contributor)

bcmills commented Dec 9, 2022

(CC @golang/security)

@gmonni

gmonni commented Dec 12, 2022

Hello, would it be possible to upgrade jquery to 3.51? Security scanners identify the following vulnerabilities in the jquery version currently in use:
[image: scanner output]

@ghost

ghost commented Jan 9, 2023

I'm seeing the same issues on our projects... Can the aforementioned PR be re-opened and merged to fix our vulnerability scanners?
[image: scanner output]

@adonovan adonovan self-assigned this Jan 18, 2023
@jakinniranye

For people facing similar issues: I fixed it by updating the static jQuery file, then replaced the tools version in the go.mod file:

replace golang.org/x/tools v0.5.0 => github.com/jakinniranye/go-tools-jquery-3_5 v0.5.1

I'm new to Go, it's literally my second week, so there could be a better solution out there.

@gmonni

gmonni commented Feb 23, 2023

@jakinniranye thanks for sharing. Unfortunately your fix requires pulling the dependency from a forked repo, not from the original repo, and this is not acceptable in some environments.

@jakinniranye

Yes, you are correct. It's just a temporary fix. The original repo should be forked into the organisation and made read-only, they might help with approval.

@FiloSottile (Contributor)

We have established that golang.org/x/tools is not affected by the reported vulnerabilities, see #39535 (comment).

If your scanner erroneously reports these false positives and provides no way to override the incorrect flag, that's a shortcoming in your scanner that should be addressed by the scanner vendor.

@gmonni

gmonni commented Feb 23, 2023

@FiloSottile thanks for your help! The issue, though, is that if golang.org/x/tools is not affected by this vulnerability, it would help if this issue was "officially" closed with a comment: this way we could request to mark this issue as a false positive on our scanners. As of now, the issue is still open, hence an override request would hardly be accepted.
