Comment 4 for bug 1955556

Corey Bryant (corey.bryant) wrote (last edit):

I checked the Ubuntu code, assuming the scanned code is all in /usr/lib/python3/dist-packages/horizon/xstatic/. Here are my findings. I haven't assessed whether the code is actually vulnerable from the horizon dashboard.

## jQuery 1.12.4

This appears to be patched in focal:

ubuntu@juju-e9cc66-zaza-906d385905ca-7:/usr/lib/python3/dist-packages/horizon/xstatic$ grep -r -A 5 2432
pkg/angular/data/angular-scenario.js:// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
pkg/angular/data/angular-scenario.js-jQuery.ajaxPrefilter( function( s ) {
pkg/angular/data/angular-scenario.js- if ( s.crossDomain ) {
pkg/angular/data/angular-scenario.js- s.contents.script = false;
pkg/angular/data/angular-scenario.js- }
pkg/angular/data/angular-scenario.js-} );

## jQuery Migrate 1.2.1

This appears to be patched in focal:

ubuntu@juju-e9cc66-zaza-906d385905ca-7:/usr/lib/python3/dist-packages/horizon/xstatic$ grep -r -A 2 'Strict HTML'
pkg/jquery/data/jquery.js: // Strict HTML recognition (#11290: must start with <)
pkg/jquery/data/jquery.js- rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,
pkg/jquery/data/jquery.js-
--
pkg/angular/data/angular-scenario.js: // Strict HTML recognition (#11290: must start with <)
pkg/angular/data/angular-scenario.js- // Shortcut simple #id case for speed
pkg/angular/data/angular-scenario.js- rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/,

## AngularJS 1.5.8

This appears to be unpatched in all Ubuntu and upstream releases, see the following files:

/usr/lib/python3/dist-packages/horizon/xstatic/pkg/angular/data/angular.js
/usr/lib/python3/dist-packages/horizon/xstatic/pkg/angular/data/angular-scenario.js

This is fixed upstream in 1.8.2.0 of https://opendev.org/openstack/xstatic-angular; however, upper-constraints for stable/ussuri->master are still limited to 1.5.8.0 [1], which doesn't have the fix.

[1]
https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L95
https://github.com/openstack/requirements/blob/stable/ussuri/upper-constraints.txt#L169
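The checks in the comment above are manual greps for two upstream fix markers (gh-2432 and #11290) plus a look at the xstatic-angular pin in upper-constraints.txt. The script below is an added example, not code from the bug reporter, Horizon or the xstatic packages: it walks a directory of vendored JavaScript, pulls the library version out of each file header, records which of the same two markers are present, and compares a package pin from upper-constraints.txt against the version the fix landed in. The header formats it matches ("jQuery JavaScript Library vX.Y.Z", "jQuery Migrate - vX.Y.Z", "@license AngularJS vX.Y.Z") are assumptions, the sample files and constraints text are constructed inline, and a marker being present only shows that the upstream change is in the file, not that the dashboard is or is not exploitable.

```python
import os
import re
import tempfile

# The two fix markers the comment grepped for. Presence only shows the
# corresponding upstream change is in the file; it is not an exploitability check.
FIX_MARKERS = {
    "gh-2432 (jQuery: no script auto-execution on cross-domain requests)": re.compile(r"gh-2432"),
    "#11290 (jQuery: strict HTML recognition, must start with <)": re.compile(r"Strict HTML recognition \(#11290"),
}

# Assumed header shapes: "jQuery JavaScript Library v1.12.4",
# "jQuery Migrate - v1.2.1 - ...", "@license AngularJS v1.5.8".
VERSION_RE = re.compile(r"\b(jQuery Migrate|jQuery|AngularJS)\b[^\n]{0,40}?\bv(\d+(?:\.\d+)+)")


def scan_js(text):
    """Return library name, version and the fix markers found in one JS source."""
    m = VERSION_RE.search(text)
    return {
        "library": m.group(1) if m else None,
        "version": m.group(2) if m else None,
        "markers": sorted(name for name, rx in FIX_MARKERS.items() if rx.search(text)),
    }


def scan_dir(root):
    """Scan every .js file under root; keys are paths relative to root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".js"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as f:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    results[rel] = scan_js(f.read())
    return results


def version_tuple(v):
    """'1.8.2.0' -> (1, 8, 2, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def pinned_version(upper_constraints_text, package):
    """Find 'Package===X.Y.Z' for package (case-insensitive), ignoring ';' env markers."""
    for line in upper_constraints_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, sep, ver = line.partition("===")
        if sep and name.strip().lower() == package.lower():
            return ver.strip()
    return None


def pin_includes_fix(upper_constraints_text, package, fixed_in):
    """True if the pinned version is at or above fixed_in, None if the package is not pinned."""
    pinned = pinned_version(upper_constraints_text, package)
    if pinned is None:
        return None
    return version_tuple(pinned) >= version_tuple(fixed_in)


def demo():
    """Run the scan over constructed files mimicking the xstatic layout (sample data, not real packages)."""
    # Constructed jQuery file: 1.12.4 header plus both backported fix markers.
    jquery_js = (
        "/*!\n * jQuery JavaScript Library v1.12.4\n */\n"
        "// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)\n"
        "jQuery.ajaxPrefilter( function( s ) {\n\tif ( s.crossDomain ) {\n"
        "\t\ts.contents.script = false;\n\t}\n} );\n"
        "\t// Strict HTML recognition (#11290: must start with <)\n"
        "\trquickExpr = /^(?:\\s*(<[\\w\\W]+>)[^>]*|#([\\w-]*))$/,\n"
    )
    # Constructed AngularJS file: 1.5.8 header, no markers.
    angular_js = "/**\n * @license AngularJS v1.5.8\n */\n"
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("pkg/jquery/data/jquery.js", jquery_js),
                          ("pkg/angular/data/angular.js", angular_js)):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(body)
        scanned = scan_dir(root)
    # Constructed upper-constraints excerpt pinning xstatic-angular to 1.5.8.0.
    upper_constraints = "XStatic-Angular===1.5.8.0\n"
    return scanned, pin_includes_fix(upper_constraints, "xstatic-angular", "1.8.2.0")


if __name__ == "__main__":
    scanned, ok = demo()
    for rel, info in sorted(scanned.items()):
        print(rel, info)
    print("xstatic-angular pin includes 1.8.2.0 fix:", ok)
```

Point `scan_dir()` at /usr/lib/python3/dist-packages/horizon/xstatic/ on a real host to reproduce the greps from the comment in one pass; the pin check takes the text of an upper-constraints.txt so it can be run against any branch without network access.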