On Wed, 20 Oct 2021 at 17:21, Shengche Hsiao <shengchehs...@gmail.com>
wrote:

> Dear Martin
>
> After I applied the code, the website showed the exceptions below
>
>
> ERROR [org.apache.wicket.DefaultExceptionMapper] (default task-2521)
> Unexpected error occurred: org.apache.wicket.WicketRuntimeException: An
> error occurred while generating an Url for handler
> 'ResourceReferenceRequestHandler{resourceReference=scope:
> org.apache.wicket.resource.JQueryResourceReference; name:
> jquery/jquery-2.2.4.js; locale: null; style: null; variation: null,
> pageParameters=}'
>
>
>
> Caused by:
> org.apache.wicket.request.resource.PackageResource$PackageResourceBlockedException:
> Access denied to (static) package resource
> org/apache/wicket/resource/jquery/jquery-2.2.4.js. See IPackageResourceGuard
>
>
It seems you are still using 2.2.4.
Please ensure it is switched via
`getJavaScriptLibrarySettings().setJQueryReference`.

>
>
> From: Martin Grigorov <mgrigo...@apache.org>
> Date: Wednesday, October 20, 2021 at 14:34
> To: users@wicket.apache.org <users@wicket.apache.org>
> Subject: Re: About jQuery 2.2.4 vulnerability
> You could use SecurePackageResourceGuard to forbid access to a resource.
> In YourApplication#init():
>
> SecurePackageResourceGuard guard = (SecurePackageResourceGuard)
> getResourceSettings().getPackageResourceGuard();
> guard.addPattern("-**/jquery-2*.js");
>
> On Wed, Oct 20, 2021 at 9:25 AM Shengche Hsiao <shengchehs...@gmail.com>
> wrote:
>
> > Dear Martin
> >
> > I actually configured with jQuery version 3 on Application, and the
> > browser console showed jQuery version 3.6.0. But the scanner still finds
> > that this URL
> > [https://mysite/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-2.2.4-v-6233386130326534.js]
> > appears. I know this resource is generated automatically by Wicket 8.13.0
> > (our project), and I don't want this URL resource to be retrieved by the
> > scanner. How to do that?
> >
> >
> > From: Martin Grigorov <mgrigo...@apache.org>
> > Date: Wednesday, October 20, 2021 at 14:17
> > To: users@wicket.apache.org <users@wicket.apache.org>
> > Subject: Re: About jQuery 2.2.4 vulnerability
> > Hi,
> >
> > On Wed, Oct 20, 2021 at 5:46 AM Shengche Hsiao <shengchehs...@gmail.com>
> > wrote:
> >
> > > Dear All
> > >
> > > Recently, our website underwent a vulnerability scan. The report shows
> > > [/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-2.2.4-v-6233386130326534.js]
> > > as a vulnerable library. How do I disallow output of this jQuery
> > > version to avoid the scan?
> > >
> >
> > I don't understand your question. Please re-phrase if the following does
> > not help you!
> >
> > You can upgrade jQuery by adding such code to YourApplication#init():
> >
> > getJavaScriptLibrarySettings().setJQueryReference(new
> > JavaScriptResourceReference(MyClass.class, "jquery-x.y.z.js"));
> >
> > You could use org.apache.wicket.resource.JQueryResourceReference#INSTANCE_3,
> > for example.
> >
> >
> > >
> > > Thanks
> > >
> >
>


-- 
Best regards,
Maxim
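
The two steps discussed in this thread, combined in one init() in the order the last reply implies (switch the reference first, then block the old file). This is an added example, not code from the thread or from the Wicket project; it assumes Wicket 8.x on the classpath, the HomePage class is a hypothetical placeholder, and the instanceof check is an addition.

```java
import org.apache.wicket.Page;
import org.apache.wicket.markup.html.IPackageResourceGuard;
import org.apache.wicket.markup.html.SecurePackageResourceGuard;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.resource.JQueryResourceReference;

public class YourApplication extends WebApplication {

    /** Hypothetical placeholder page; a real page needs a matching markup file. */
    public static class HomePage extends WebPage {
        private static final long serialVersionUID = 1L;
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }

    @Override
    protected void init() {
        super.init();

        // Step 1: point the application-wide jQuery setting at jQuery 3, so
        // Wicket no longer generates URLs for jquery-2.2.4.js when rendering.
        getJavaScriptLibrarySettings()
                .setJQueryReference(JQueryResourceReference.INSTANCE_3);

        // Step 2: deny the bundled jQuery 2.x file, so the old URL reported
        // by the scanner is refused even when it is requested directly.
        IPackageResourceGuard guard = getResourceSettings().getPackageResourceGuard();
        if (guard instanceof SecurePackageResourceGuard) {
            ((SecurePackageResourceGuard) guard).addPattern("-**/jquery-2*.js");
        } else {
            // Another guard is installed: fail at startup instead of
            // silently leaving the old file reachable.
            throw new IllegalStateException(
                    "Expected SecurePackageResourceGuard, found " + String.valueOf(guard));
        }
    }
}
```

If the PackageResourceBlockedException from the first message still appears with this in place, some code path is still requesting the 2.2.4 reference and should be moved to the configured one.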
