User Story
As an application developer, I don't want to load an unused third-party JavaScript library bundled in the ZK jar, e.g. vue.js, so that when there is a security vulnerability in these libraries, my system won't be affected.
For example, if I use <drawer> and don't use <fragment>, ZK still loads vue.min.js in zkmax.wgt.wpd.
Acceptance Criteria
Details
Since there is a feasible workaround, we can treat this feature as a low priority.
Proposed solution:
- Separate fragment into an independent JS package, so that vue.js is loaded only when fragment is used.
  But there is a potential risk that someone can still load vue.js through a ZK JS function, because ZK supports loading any wpd dynamically.
- Support a setting to prevent third-party libraries from being loaded.
Use case
- A customer reported vue vulnerability
The current workaround is to replace vue.min.js in zkmax.jar with a newer version of vue.js. ZK 10 contains Vue 2.6.14, which is also reported to have a vulnerability; see https://www.herodevs.com/vulnerability-directory/cve-2024-9506
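To confirm which Vue build a given jar actually ships, before or after applying the workaround, the jar can be scanned for bundled vue*.js files and their version banner. This is an added example, not code from the ZK project; it assumes the minified file keeps its `Vue.js vX.Y.Z` license banner, and the entry path in the sample jar is constructed.

```python
import io
import re
import sys
import zipfile

# Assumption: minified Vue builds keep their license banner, e.g. "Vue.js v2.6.14".
VUE_BANNER = re.compile(rb"Vue\.js v(\d+\.\d+\.\d+)")


def find_bundled_vue(jar, flagged=("2.6.14",)):
    """Return [(entry, version_or_None, is_flagged)] for each vue*.js in the jar.

    `jar` is a path or file-like object. `flagged` lists versions to report;
    the default is the version the ticket names for ZK 10. A version of None
    means the banner was stripped and the file needs a manual check.
    """
    findings = []
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1].lower()
            if not (name.startswith("vue") and name.endswith(".js")):
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)  # the banner sits at the top of the file
            match = VUE_BANNER.search(head)
            version = match.group(1).decode() if match else None
            findings.append((info.filename, version, version in flagged))
    return findings


def constructed_jar(version):
    """Build an in-memory sample jar (constructed data, hypothetical paths)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("web/js/example/vue.min.js",
                    f"/*!\n * Vue.js v{version}\n */\n!function(){{}}();")
        zf.writestr("web/js/example/other.js", "var x=1;")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass real jar paths on the command line, or run on the constructed sample.
    targets = sys.argv[1:] or [constructed_jar("2.6.14")]
    for target in targets:
        for entry, version, is_flagged in find_bundled_vue(target):
            status = "FLAGGED" if is_flagged else "ok/unknown"
            print(f"{entry}: Vue {version} [{status}]")
```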
- relates to
  ZK-5824 separate fragment widget into an independent library or another jar
  - Closed