I modified the code in Application#init

getJavaScriptLibrarySettings().setJQueryReference(JQueryResourceReference.getV3());


Now, when I surfed to the url [https://mysite/….jquery-2.2.4….js], it showed not
found.

Thanks a lot

From: Martin Grigorov <mgrigo...@apache.org>
Date: Wednesday, October 20, 2021 at 19:06
To: users@wicket.apache.org <users@wicket.apache.org>
Subject: Re: About jQuery 2.2.4 vulnerability
On Wed, Oct 20, 2021 at 1:34 PM Martin Grigorov <mgrigo...@apache.org>
wrote:

>
>
> On Wed, Oct 20, 2021 at 1:30 PM Martin Grigorov <mgrigo...@apache.org>
> wrote:
>
>>
>>
>> On Wed, Oct 20, 2021 at 1:21 PM Shengche Hsiao <shengchehs...@gmail.com>
>> wrote:
>>
>>> Dear Martin
>>>
>>> After I applied the code, the website showed exceptions below
>>>
>>>
>>> ERROR [org.apache.wicket.DefaultExceptionMapper] (default task-2521)
>>> Unexpected error occurred: org.apache.wicket.WicketRuntimeException: An
>>> error occurred while generating an Url for handler
>>> 'ResourceReferenceRequestHandler{resourceReference=scope:
>>> org.apache.wicket.resource.JQueryResourceReference; name:
>>> jquery/jquery-2.2.4.js; locale: null; style: null; variation: null,
>>> pageParameters=}'
>>>
>>>
>>>
>>> Caused by:
>>> org.apache.wicket.request.resource.PackageResource$PackageResourceBlockedException:
>>> Access denied to (static) package resource
>>> org/apache/wicket/resource/jquery/jquery-2.2.4.js. See IPackageResourceGuard
>>>
>>
>> I think this should be a WARNING and the stacktrace should be printed
>> only if DEBUG is enabled.
>> Also the response code should be 404!
>> I will create a ticket!
>>
>
> https://issues.apache.org/jira/browse/WICKET-6928
>

I've closed the ticket because this is already implemented.
The ERROR with the stacktrace is logged only in DEV mode so that the
developer is made aware that his/her application has a ResourceReference
for a forbidden resource.

Is the scanner making the request to
https://mysite/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-2.2.4-v-6233386130326534.js
?
I have the feeling your application contributes it itself in some
#renderHead() method in your components.


>
>
>>
>> You could use another solution - use a custom Servlet Filter that is
>> declared before WicketFilter. If the request is to jquery-2*.js then return
>> 404 and do not pass the request & response to the filter chain.
>>
>
> Or use IRequestCycleListener and do the above in its #onException()
>
>
>>
>>
>>>
>>>
>>>
>>> From: Martin Grigorov <mgrigo...@apache.org>
>>> Date: Wednesday, October 20, 2021 at 14:34
>>> To: users@wicket.apache.org <users@wicket.apache.org>
>>> Subject: Re: About jQuery 2.2.4 vulnerability
>>> You could use SecurePackageResourceGuard to forbid access to a resource.
>>> In YourApplication#init():
>>>
>>> SecurePackageResourceGuard guard = (SecurePackageResourceGuard)
>>> getResourceSettings().getPackageResourceGuard();
>>> guard.addPattern("-**/jquery-2*.js");
>>>
>>> On Wed, Oct 20, 2021 at 9:25 AM Shengche Hsiao <shengchehs...@gmail.com>
>>> wrote:
>>>
>>> > Dear Martin
>>> >
>>> > I actually configured with jQuery version 3 on Application, and on
>>> > browser console showed jquery version with 3.6.0. But the scanner still
>>> > finds that this url [
>>> > https://mysite/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-2.2.4-v-6233386130326534.js
>>> > ]
>>> > appears. I know this resource is generated automatically by Wicket
>>> > 8.13.0 (our project), and I don’t want this url resource to be retrieved
>>> > by the scanner. How do I do that?
>>> >
>>> >
>>> > From: Martin Grigorov <mgrigo...@apache.org>
>>> > Date: Wednesday, October 20, 2021 at 14:17
>>> > To: users@wicket.apache.org <users@wicket.apache.org>
>>> > Subject: Re: About jQuery 2.2.4 vulnerability
>>> > Hi,
>>> >
>>> > On Wed, Oct 20, 2021 at 5:46 AM Shengche Hsiao <shengchehs...@gmail.com>
>>> > wrote:
>>> >
>>> > > Dear All
>>> > >
>>> > > Recently, our website had a vulnerability scan. The report shows
>>> > > [/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-2.2.4-v-6233386130326534.js]
>>> > > as a vulnerable library. How do I disallow output of this jquery
>>> > > version to avoid the scan?
>>> > >
>>> >
>>> > I don't understand your question. Please re-phrase if the following
>>> > does not help you!
>>> >
>>> > You can upgrade jQuery by adding such code to YourApplication#init():
>>> >
>>> > getJavaScriptLibrarySettings().setJQueryReference(new
>>> > JavaScriptResourceReference(MyClass.class, "jquery-x.y.z.js"));
>>> >
>>> > You could use org.apache.wicket.resource.JQueryResourceReference#INSTANCE_3,
>>> > for example.
>>> >
>>> >
>>> > >
>>> > > Thanks
>>> > >
>>> >
>>>
>>

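The two measures discussed in this thread, put together as an added example (this is not code from the thread, from Wicket or from the poster's project): the Application#init() that switches the shared jQuery reference to the bundled version 3 and additionally denies direct requests to any bundled jquery-2*.js via SecurePackageResourceGuard, plus the servlet-filter alternative Martin mentioned, returning 404 before WicketFilter ever sees the request. Package name, MyApplication, HomePage and LegacyJQueryBlockingFilter are hypothetical; the two classes are two source files shown in one block. The v3 reference is the actual fix, because it removes the stale reference from rendered pages; the guard pattern and the filter only stop the old file from being served if some component still contributes it.

```java
package com.example.app;                      // hypothetical package name

import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.wicket.Page;
import org.apache.wicket.markup.html.SecurePackageResourceGuard;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.resource.JQueryResourceReference;

/** Hypothetical application class; HomePage is a hypothetical page of this app. */
public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }

    @Override
    protected void init() {
        super.init();

        // Root-cause fix: every Wicket component that asks for "the" jQuery
        // reference now gets the bundled jQuery 3 instead of the default 2.2.4,
        // so rendered pages stop referencing the old file at all.
        getJavaScriptLibrarySettings().setJQueryReference(JQueryResourceReference.getV3());

        // Defence in depth: even if some #renderHead() still contributes the old
        // reference, a direct request for any bundled jquery-2*.js is denied by
        // the package resource guard and answered with 404. In DEVELOPMENT mode
        // Wicket logs the denial as ERROR with a stack trace so the developer
        // notices the stale reference (see the thread above).
        SecurePackageResourceGuard guard =
            (SecurePackageResourceGuard) getResourceSettings().getPackageResourceGuard();
        guard.addPattern("-**/jquery-2*.js");
    }
}

/**
 * Alternative from the thread: a servlet filter mapped before WicketFilter that
 * answers 404 for any jquery-2*.js path without passing the request down the chain.
 * (Second file: LegacyJQueryBlockingFilter.java)
 */
public class LegacyJQueryBlockingFilter implements Filter {

    // Matches ".../jquery-2.2.4.js" and ".../jquery-2.2.4-v-<hash>.js"
    // (the versioned form is what the scanner reported in the thread).
    private static final Pattern LEGACY_JQUERY = Pattern.compile(".*/jquery-2[^/]*\\.js$");

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (LEGACY_JQUERY.matcher(request.getRequestURI()).matches()) {
            // Short-circuit: WicketFilter never sees this request.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

For the filter to take effect it must run ahead of WicketFilter; with web.xml that means listing its filter-mapping before WicketFilter's, since the container builds the chain in mapping order. Whichever approach is used, the check that matters to the scanner is the same one the poster did: request the old /wicket/resource/.../jquery-2.2.4-v-….js URL and confirm a 404, and also view the rendered HTML of the pages to confirm no jquery-2 script tag remains.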