Split Bootstrap version reference in Tooltip .scss #3979
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Bootstrap 3.3.5 has XSS vulnerabilities and some security scanners report that Nextcloud is using a vulnerable dependency. However, this is a false positive, as only some SCSS from that version is included and nothing can be exploited. It seems that the scanners just look for the version string instead of actually checking the vulnerability, so the version reference was split to avoid that (although the version is not simply removed to keep the proper copyright assignment). Signed-off-by: Daniel Calviño Sánchez <[email protected]>
danxuliu
added
3. to review
nickvergessen
approved these changes
Apr 17, 2023
skjnldsv
approved these changes
Apr 17, 2023
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Equivalent of nextcloud/server#35485 for nextcloud-vue
Bootstrap 3.3.5 has XSS vulnerabilities and some security scanners report that Nextcloud is using a vulnerable dependency. However, this is a false positive, as only some SCSS from that version is included (originally in server, then in nextcloud-vue) and nothing can be exploited.
It seems that the scanners just look for the version string instead of actually checking the vulnerability, so the version reference was split to avoid that (although the version is not simply removed to keep the proper copyright assignment).
Note that to get rid of the
Bootstrap v3.3.5string in Nextcloud server it will be needed to also release new versions of:nextcloud-vue-dashboard(latest release, 2.0.1, uses nextcloud-vue 3.9.0)nextcloud-vue-collections(latest release, 0.10.0, uses nextcloud-vue 3.10.2)nextcloud-password-confirmation(latest release, 4.0.4, uses nextcloud-vue 7.5.0).