
[EPIC]: Review security-related PRs created by Dependabot

Open jcastro-dotcms opened this issue 9 months ago • 0 comments

Parent Issue

No response

Task

Review the PRs generated by Dependabot that upgrade libraries used by dotCMS to a newer, patched version. We need to make sure that (1) the suggested version is still the right one, and (2) vulnerable versions of those libraries are not still being pulled in as transitive dependencies.

### Dependabot PRs
- [ ] https://github.com/dotCMS/private-issues/issues/36
- [x] [Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file](https://github.com/dotCMS/core/security/dependabot/348)
- [x] [Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file](https://github.com/dotCMS/core/security/dependabot/341)
- [x] [Apache XML Graphics Batik Server-Side Request Forgery vulnerability # 301](https://github.com/dotCMS/core/security/dependabot/301)
- [x] [Apache XML Graphics Batik Server-Side Request Forgery vulnerability # 300](https://github.com/dotCMS/core/security/dependabot/300)
- [x] [Password exposure in H2 Database](https://github.com/dotCMS/core/security/dependabot/252)
- [ ] [XML external entity injection in Terracotta Quartz Scheduler](https://github.com/dotCMS/core/security/dependabot/182)
- [x] [GraphQL Java vulnerable to stack consumption](https://github.com/dotCMS/core/security/dependabot/225)
- [x] [graphql-java vulnerable to Denial of Service via GraphQL query that consumes CPU resources](https://github.com/dotCMS/core/security/dependabot/220)
- [x] [XML External Entity (XXE) Injection in JDOM](https://github.com/dotCMS/core/security/dependabot/200)

Proposed Objective

Core Features

Proposed Priority

Priority 2 - Important

Acceptance Criteria

It's important to analyze what specific parts of the system rely on the upgraded libraries so that we can test accordingly.

External Links... Slack Conversations, Support Tickets, Figma Designs, etc.

No response

Assumptions & Initiation Needs

No response

Quality Assurance Notes & Workarounds

Because of the high number of reported vulnerabilities and their respective code fixes, both IQA and QA tasks will require a significant amount of effort. In this particular case, several parts of dotCMS will need to be tested:

- Features dealing with generating XML files, such as Push Publishing.
- Quartz Job scheduling.
- GraphQL query executions.
- Initialization of Custom Portlets and their respective CRUD operations.
- Ideally, smoke testing of as many features as possible.

Sub-Tasks & Estimates

No response

jcastro-dotcms Apr 30 '24 22:04