
jQuery 1.12.4 Security Risks in ydata-profiling HTML Reports #1617

Closed
3 tasks done
AndresDiagoM opened this issue Jul 10, 2024 · 1 comment

Comments

@AndresDiagoM

Current Behaviour

The ydata-profiling project is currently using jQuery version 1.12.4 in the HTML reports generated by the HTMLReport() function located in ydata_profiling/src/ydata_profiling/profile_report.py. This version of the library is known to have multiple security vulnerabilities that are documented in the National Vulnerability Database (NVD), including CVE-2020-11023 and CVE-2020-11022. These vulnerabilities expose users to potential cross-site scripting (XSS) attacks, which can compromise user security by allowing attackers to execute malicious scripts in users' browsers.

The HTMLReport() function is specifically responsible for creating the HTML output that includes the outdated and vulnerable version of jQuery. This incorporation of a vulnerable library directly affects the security of the application, putting user data at risk of XSS exploits.

For more details on these vulnerabilities, refer to the NVD:

CVE-2020-11023 on NVD
CVE-2020-11022 on NVD

Expected Behaviour

The project ydata-profiling should be using a version of jQuery that is free from known security vulnerabilities to ensure the safety and security of its users. Ideally, the library should be updated to the latest stable version, such as jQuery 3.x, which has addressed and resolved the existing vulnerabilities found in earlier versions like 1.12.4.

Using a secure version of jQuery would prevent potential cross-site scripting (XSS) attacks that can be leveraged through vulnerabilities in older versions. This would help in maintaining the integrity and confidentiality of the user data processed by the ydata-profiling tool.

Data Description

N/A

Code that reproduces the bug

The issue with the outdated jQuery version being imported into the project occurs in the create_html_assets function located within the file templates.py at ydataai/ydata-profiling/src/ydata_profiling/report/presentation/flavours/html/templates.py. This function is responsible for setting up and copying the HTML assets used in the profiling reports, including CSS and JavaScript files.

import shutil
from pathlib import Path

from ydata_profiling.config import Settings

# `template` is the module-level Jinja2 template loader defined earlier in
# templates.py (it resolves the "wrapper/assets/..." names below); the function
# is reproduced as posted, with only the imports it depends on added.


def create_html_assets(config: Settings, output_file: Path) -> None:
    theme = config.html.style.theme
    path = output_file.with_name(str(config.html.assets_prefix))

    # Start from a clean assets directory next to the report
    if path.is_dir():
        shutil.rmtree(path)
    path.joinpath("images").mkdir(parents=True, exist_ok=True)

    css = []
    js = []

    # Local assets configuration check
    if config.html.use_local_assets:
        if theme is not None:
            css.append(f"wrapper/assets/{theme.value}.bootstrap.min.css")
        else:
            css.append("wrapper/assets/bootstrap.min.css")
            css.append("wrapper/assets/bootstrap-theme.min.css")

        # Here jQuery 1.12.4 is added to the JavaScript assets list
        js.append("wrapper/assets/jquery-1.12.4.min.js")
        js.append("wrapper/assets/bootstrap.min.js")

    css.append("wrapper/assets/style.css")
    js.append("wrapper/assets/script.js")

    # Writing CSS files
    css_dir = path / "css"
    if not css_dir.exists():
        css_dir.mkdir()
        for css_file in css:
            (css_dir / Path(css_file).name).write_text(
                template(css_file).render(
                    primary_colors=config.html.style.primary_colors,
                    nav=config.html.navbar_show,
                    style=config.html.style,
                )
            )

    # Writing JavaScript files (the vulnerable jquery-1.12.4.min.js ends up here)
    js_dir = path / "js"
    if not js_dir.exists():
        js_dir.mkdir()
        for js_file in js:
            (js_dir / Path(js_file).name).write_text(template(js_file).render())

pandas-profiling version

4.7.0

Dependencies

ydata-profiling==4.7.0

OS

No response

Checklist

  • There is not yet another bug report for this issue in the issue tracker
  • The problem is reproducible from this bug report. This guide can help to craft a minimal bug report.
  • The issue has not been resolved by the entries listed under Common Issues.
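The following is an added example and not code from the issue or from ydata-profiling: a small audit script a report consumer or a CI job can run over generated reports to detect whether they still ship a jQuery release older than 3.5.0, the version in which CVE-2020-11022 and CVE-2020-11023 were fixed. It recognises the version both from asset file names of the form the `use_local_assets` branch writes (`jquery-1.12.4.min.js`) and from the banner comment at the top of jQuery's own distribution files, so it also works when the library is inlined. All function names, the regexes and the two sample reports are constructed for this example.

```python
import re
import sys
from pathlib import Path
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# jQuery 3.5.0 is the first release containing the fixes for CVE-2020-11022 and
# CVE-2020-11023 (unsafe handling of HTML passed to DOM-manipulation methods),
# so any version that sorts below this tuple is reported.
FIXED_IN: Version = (3, 5, 0)

# Two places a jQuery version shows up in a report: the asset file name that
# create_html_assets() writes (jquery-1.12.4.min.js) and the banner comment at
# the top of jQuery's distribution files (/*! jQuery v3.7.1 | ... */).
_FILENAME_RE = re.compile(r"jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js", re.IGNORECASE)
_BANNER_RE = re.compile(r"/\*!\s*jQuery\s+v(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
_SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.IGNORECASE)


def find_jquery_versions(text: str) -> List[Version]:
    """Every jQuery version referenced or embedded in `text` (HTML or JS), de-duplicated."""
    found = set()
    for rx in (_FILENAME_RE, _BANNER_RE):
        for m in rx.finditer(text):
            found.add(tuple(int(part) for part in m.groups()))
    return sorted(found)


def is_vulnerable(version: Version) -> bool:
    """True when `version` predates the 3.5.0 fix (tuple comparison is lexicographic)."""
    return version < FIXED_IN


def audit_report(html: str, base_dir: Optional[Path] = None) -> List[str]:
    """Findings for a report's HTML and, when `base_dir` is given, the local scripts it references."""
    texts = [html]
    if base_dir is not None:
        for src in _SCRIPT_SRC_RE.findall(html):
            asset = base_dir / src  # remote URLs simply never resolve to a file
            if asset.is_file():
                texts.append(asset.read_text(encoding="utf-8", errors="replace"))
    findings: List[str] = []
    for text in texts:
        for version in find_jquery_versions(text):
            if is_vulnerable(version):
                label = ".".join(map(str, version))
                msg = f"jQuery {label} < 3.5.0: affected by CVE-2020-11022 / CVE-2020-11023"
                if msg not in findings:
                    findings.append(msg)
    return findings


# Constructed samples, not real ydata-profiling output: the first mirrors what the
# use_local_assets branch produces today, the second a report that inlines jQuery >= 3.5.
VULNERABLE_REPORT = """<!doctype html><html><head>
<script src="report_assets/js/jquery-1.12.4.min.js"></script>
<script src="report_assets/js/bootstrap.min.js"></script>
</head><body>Profile report</body></html>"""

PATCHED_REPORT = """<!doctype html><html><head>
<script>/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */</script>
</head><body>Profile report</body></html>"""


if __name__ == "__main__":
    # Usage: python audit_jquery.py report.html [more.html ...]
    # Exits non-zero when any report is affected; with no arguments it audits the samples.
    if len(sys.argv) > 1:
        bad = 0
        for arg in sys.argv[1:]:
            report = Path(arg)
            for finding in audit_report(report.read_text(encoding="utf-8"), report.parent):
                print(f"{report}: {finding}")
                bad += 1
        sys.exit(1 if bad else 0)
    print("constructed vulnerable sample:", audit_report(VULNERABLE_REPORT))
    print("constructed patched sample:", audit_report(PATCHED_REPORT))
```

Version detection by file name or banner is a heuristic: a renamed or re-bundled copy of jQuery will only be caught through the banner comment, so a CI gate built on this should also pin the asset that `create_html_assets` copies rather than rely on the scan alone.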
@fabclmnt
Contributor

Hi @AndresDiagoM,

this is a duplicate of #1600 and #1599.

Also, the team is working actively on this, as you can see by the development in the following PRs:

If you have more details to add to one of those, I'll ask you to add them there and upvote the issues. I'll be closing this one to avoid duplication.
