Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport CVE-2024-34341 to trix v1 #1150

Closed
tagliala opened this issue May 8, 2024 · 8 comments
Closed

Backport CVE-2024-34341 to trix v1 #1150

tagliala opened this issue May 8, 2024 · 8 comments

Comments

@tagliala
Copy link

tagliala commented May 8, 2024

Hello,

is there by any chance the possibility to backport the fix for CVE-2024-34341 to v1 and release a new version?
@eric-hemasystems
Copy link

I was coming here to post the same thing.

I know Trix is a separate product from Rails but Rails' maintenance policy is currently set to support the 6.1, 7.0 and 7.1 series. I'm on the 7.0 series and the latest of that series is still bound to Trix v1.

It's just a peer dependency so I did try actually using Trix 2 and got no problem after some quick testing. But I'm unsure what unintended consequences that might have.

@tagliala
Copy link
Author

It's just a peer dependency so I did try actually using Trix 2 and got no problem after some quick testing. But I'm unsure what unintended consequences that might have.

This is the problem for us, we can't upgrade to 7.1 and this is the warning we get:

warning " > @rails/[email protected]" has incorrect peer dependency "trix@^1.3.1".

I'm not confident in using @rails/[email protected] on Rails 7.0, maybe it is safe for this specific use case?

@afcapel
Copy link
Contributor

afcapel commented May 10, 2024
edited

There are no plans to backport the fix to 1.3, I'm afraid. The 1.3. dev environment doesn't even run on modern Mac hardware with Apple silicon, so it'd be hard for me to validate any changes. Also, we validate 2.x releases against our products, so we're reasonably confident that they work. Can't do that with a 1.3 release.

I'm not sure why ActionText 7.0 has pinned the dependency on Trix to 1.3.x. The main change from 1.3 to 2.x was the decaffeination of the code base, and then we've done maintenance work and added a few features, but 2.x should be compatible with 1.3, unless you're reaching to Trix innards.

Looking at the code in ActionText 7.0 I don't see anything that's incompatible with Trix 2. I think the best way to resolve this would be to relax the dependency on ActionText 7.0 so you can use Trix 2 there.

@tagliala
Copy link
Author

tagliala commented May 10, 2024
edited

Hi, thanks for your answer

Looking at the code in ActionText 7.0 I don't see anything that's incompatible with Trix 2. I think the best way to resolve this would be to relax the dependency on ActionText 7.0 so you can use Trix 2 there.

You mean to relax the dependency in a custom fork?

Also, I can't see a branch related to v1, is it safe to assume that a "1-stable" branch starts from commit c97f990 ?

@eric-hemasystems
Copy link

You mean to relax the dependency in a custom fork?

The dependency is just a peer dependency so you don't need to use a custom fork. You can just specify Trix 2 in your package.json. It will issue the above warning you posted but if @afcapel is correct and v2 is 100% compatible (I guess Trix isn't using semantic versioning?) there should be no further harm.

Sounds like he is also suggesting that Rails issue an update to ActionText on the v7.0 line that allows v2 of Trix to remove the warning. I'm going open up an issue over on the Rails repo to suggest that.

@eric-hemasystems eric-hemasystems mentioned this issue May 10, 2024
Closed
@afcapel afcapel mentioned this issue May 14, 2024
Merged
@tagliala
Copy link
Author

Thanks, I can see 1.3.2 has been released with the fix.

I gusse that now the advisory should be updated with the proper affected versions: GHSA-qjqp-xr96-cj99

@afcapel
Copy link
Contributor

afcapel commented May 15, 2024

I've updated the description in our repo's advisory, but I think Github needs to update the description on their end.

@afcapel afcapel closed this as completed May 15, 2024
@tagliala
Copy link
Author

Thanks, yarn audit does not generate an alert anymore and if it generates an alert the version number is correct

yarn audit v1.22.21
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Trix Editor Arbitrary Code Execution Vulnerability           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ trix                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.3.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ trix                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ trix                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1097309                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@afcapel @tagliala @eric-hemasystems