Thanks

From: Martin Grigorov <mgrigo...@apache.org>
Date: Wednesday, October 20, 2021 at 18:35
To: users@wicket.apache.org <users@wicket.apache.org>
Subject: Re: About jQuery 2.2.4 vulnerability

On Wed, Oct 20, 2021 at 1:30 PM Martin Grigorov <mgrigo...@apache.org> wrote:

> On Wed, Oct 20, 2021 at 1:21 PM Shengche Hsiao <shengchehs...@gmail.com> wrote:
>
>> Dear Martin
>>
>> After I applied the code, the website showed the exceptions below
>>
>> ERROR [org.apache.wicket.DefaultExceptionMapper] (default task-2521)
>> Unexpected error occurred: org.apache.wicket.WicketRuntimeException: An
>> error occurred while generating an Url for handler
>> 'ResourceReferenceRequestHandler{resourceReference=scope:
>> org.apache.wicket.resource.JQueryResourceReference; name:
>> jquery/jquery-2.2.4.js; locale: null; style: null; variation: null,
>> pageParameters=}'
>>
>> Caused by:
>> org.apache.wicket.request.resource.PackageResource$PackageResourceBlockedException:
>> Access denied to (static) package resource
>> org/apache/wicket/resource/jquery/jquery-2.2.4.js. See IPackageResourceGuard
>
> I think this should be a WARNING and the stacktrace should be printed only
> if DEBUG is enabled.
> Also the response code should be 404!
> I will create a ticket!
> https://issues.apache.org/jira/browse/WICKET-6928
>
> You could use another solution - use a custom Servlet Filter that is
> declared before WicketFilter. If the request is to jquery-2*.js then return
> 404 and do not pass the request & response to the filter chain.
> Or use IRequestCycleListener and do the above in its #onException()
>
>> From: Martin Grigorov <mgrigo...@apache.org>
>> Date: Wednesday, October 20, 2021 at 14:34
>> To: users@wicket.apache.org <users@wicket.apache.org>
>> Subject: Re: About jQuery 2.2.4 vulnerability
>>
>> You could use SecurePackageResourceGuard to forbid access to a resource.
>> In YourApplication#init():
>>
>> SecurePackageResourceGuard guard = (SecurePackageResourceGuard)
>> getResourceSettings().getPackageResourceGuard();
>> guard.addPattern("-**/jquery-2*.js");
>>
>> On Wed, Oct 20, 2021 at 9:25 AM Shengche Hsiao <shengchehs...@gmail.com> wrote:
>>
>>> Dear Martin
>>>
>>> I actually configured jQuery version 3 on the Application, and the browser
>>> console showed jQuery version 3.6.0. But the scanner still finds that this url
>>> [ https://mysite/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-2.2.4-v-6233386130326534.js ]
>>> appears. I know this resource is generated automatically by Wicket 8.13.0
>>> (our project), and I don't want this url resource to be retrieved by the
>>> scanner. How to do that?
>>>
>>> From: Martin Grigorov <mgrigo...@apache.org>
>>> Date: Wednesday, October 20, 2021 at 14:17
>>> To: users@wicket.apache.org <users@wicket.apache.org>
>>> Subject: Re: About jQuery 2.2.4 vulnerability
>>>
>>> Hi,
>>>
>>> On Wed, Oct 20, 2021 at 5:46 AM Shengche Hsiao <shengchehs...@gmail.com> wrote:
>>>
>>>> Dear All
>>>>
>>>> Recently, our website went through a vulnerability scan. The report shows
>>>> [/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-2.2.4-v-6233386130326534.js]
>>>> as a vulnerable library. How do I disallow output of this jQuery version to
>>>> avoid the scan finding?
>>>
>>> I don't understand your question. Please re-phrase if the following does
>>> not help you!
>>>
>>> You can upgrade jQuery by adding such code to YourApplication#init():
>>>
>>> getJavaScriptLibrarySettings().setJQueryReference(new
>>> JavaScriptResourceReference(MyClass.class, "jquery-x.y.z.js"));
>>>
>>> You could use org.apache.wicket.resource.JQueryResourceReference#INSTANCE_3, for
>>> example.
>>>
>>>> Thanks
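The three approaches Martin describes in the thread (switch the application to jQuery 3, deny the bundled jQuery 2 file at the package resource guard, and answer such requests with a 404 from a Servlet Filter or an IRequestCycleListener) put together as one added Java example. This is not code from the thread or from the Wicket project; the class names JQuery2BlockingFilter, MyApplication and HomePage and the web.xml filter names are assumptions, and the Wicket calls are the Wicket 8.x ones named in the discussion. The two classes are shown as two source files.

```java
// ---- File 1: JQuery2BlockingFilter.java (Servlet Filter mapped BEFORE WicketFilter) ----
import java.io.IOException;
import java.net.URLDecoder;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Returns 404 for any request whose last path segment looks like a bundled jQuery 2 file
 * (e.g. ".../jquery/jquery-2.2.4-v-6233386130326534.js") and never calls the filter chain,
 * so WicketFilter does not see the request at all.
 *
 * web.xml (filter-mapping order is execution order; names are assumptions):
 *   <filter-mapping><filter-name>jquery2Block</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 *   <filter-mapping><filter-name>wicket</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 */
public class JQuery2BlockingFilter implements Filter {
    // Same shape as the guard pattern "-**/jquery-2*.js": a segment starting with "jquery-2"
    // and ending in ".js", anchored at '/' so e.g. "myjquery-2.js" elsewhere is left alone.
    private static final Pattern JQUERY2 = Pattern.compile("/jquery-2[^/]*\\.js$");

    /** True if the request URI (raw or percent-decoded) names a jQuery 2 file. */
    public static boolean isBlockedPath(String requestUri) throws IOException {
        // Wicket's mapper works on the decoded path; check both forms so "%2E" tricks do not slip by.
        String decoded = URLDecoder.decode(requestUri, "UTF-8");
        return JQUERY2.matcher(requestUri).find() || JQUERY2.matcher(decoded).find();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest
                && isBlockedPath(((HttpServletRequest) req).getRequestURI())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return; // deliberately do NOT continue the chain
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}
}

// ---- File 2: MyApplication.java (the YourApplication#init() side of the thread) ----
import javax.servlet.http.HttpServletResponse;
import org.apache.wicket.Page;
import org.apache.wicket.markup.html.SecurePackageResourceGuard;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.cycle.IRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.handler.ErrorCodeRequestHandler;
import org.apache.wicket.request.resource.PackageResource.PackageResourceBlockedException;
import org.apache.wicket.resource.JQueryResourceReference;

public class MyApplication extends WebApplication {
    @Override
    public Class<? extends Page> getHomePage() { return HomePage.class; } // HomePage is assumed

    @Override
    protected void init() {
        super.init();

        // 1. Serve jQuery 3 as the application's jQuery (what the reporter had already done).
        getJavaScriptLibrarySettings().setJQueryReference(JQueryResourceReference.INSTANCE_3);

        // 2. Deny the bundled jQuery 2 file at the package resource guard. Caveat from the
        //    thread's stack trace: after this, merely rendering a reference to that file throws
        //    PackageResourceBlockedException during URL generation, so whatever still renders
        //    jQuery 2 (a component or third-party library) has to be found and changed.
        SecurePackageResourceGuard guard =
                (SecurePackageResourceGuard) getResourceSettings().getPackageResourceGuard();
        guard.addPattern("-**/jquery-2*.js");

        // 3. Map that exception to a plain 404 instead of an ERROR log and an error page,
        //    as Martin suggests via IRequestCycleListener#onException. The logged exception
        //    was wrapped in a WicketRuntimeException, hence the walk down the cause chain.
        getRequestCycleListeners().add(new IRequestCycleListener() {
            @Override
            public IRequestHandler onException(RequestCycle cycle, Exception ex) {
                for (Throwable t = ex; t != null; t = t.getCause()) {
                    if (t instanceof PackageResourceBlockedException) {
                        return new ErrorCodeRequestHandler(HttpServletResponse.SC_NOT_FOUND);
                    }
                }
                return null; // leave everything else to Wicket's default exception mapping
            }
        });
    }
}
```

A quick check after deploying is `curl -sI https://mysite/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-2.2.4-v-6233386130326534.js`, which should now return 404 and leave no ERROR line in the application log. Note that options 2 and 3 only change how a request for the file is answered; if the scanner found the URL in rendered page markup, option 1 alone is not enough and the component still emitting the jQuery 2 reference has to be located (the guard's exception, with its stack trace, points at it). Before relying on the guard alone, also confirm in SecurePackageResourceGuard's Javadoc for your Wicket version how a path that matches both an include pattern such as "+*.js" and the added exclude pattern is resolved.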