Security: DataTables.net prototype pollution #3627
Comments
Yes, it would be good to get some clarity on this. In the meantime our only option is to downgrade back to shiny version 1.5.0 (the most recent version not flagged for the vulnerability).
Here's what I can find about this issue: I believe that it's only a problem if it's running DataTables in a NodeJS server environment (which we are not doing). From that page:
That said, it's a good idea to update it anyway.
@wch Would you accept a PR for this update? Looks like it was fixed in DataTables 1.10.22: DataTables/Dist-DataTables@e2e19ea
Just a heads up: The To use the version from DT, call @hedsnz A PR would be helpful, thanks!
@wch It's been semi-deprecated since 2015... at what point do we just remove those functions (or have them simply error with a pointer to DT)?
BTW, I recommend you use
@jcheng5 Unfortunately, the deprecation message currently only prints when in dev mode. So it would be a good idea to first make it print the deprecation message without dev mode, and then at some point in the future remove the function entirely.
There's a fair amount of code out there that explicitly calls I just had another idea, though. Maybe we could have
Absolutely in favor of deprecating and removing obsolete code. Especially if it gets shiny out of the doghouse.
@wch Incredibly,
Hi all. I am also having this issue with this prototype pollution that is affecting
If so, would it be possible to remove the package definition from package.json#L24? Otherwise, if we need to keep it in
@foobar0000 If you need immediate mitigation to satisfy security concerns, using I can't speak for the Shiny devs, but my reading of the above conversation is that ultimately, the DataTables dependency should be removed from Shiny, given that DT already packages a more up-to-date version. However, more time is needed to warn users to replace The first step is therefore to print the deprecation message by default, which I've made a PR for (#3718). Then, in a subsequent release (ideally only a short time later), the DataTables dependency (and hence the
The description of the Superseded label might make things a bit tricky/confusing:
Making
So there are two alternatives, each with problems:
I don't know the details of the potential incompatibility between
Any update on this? If not, when might we reasonably expect resolution?
System details
Browser Version:
Output of sessionInfo():
Example application or steps to reproduce the problem
# Minimal, self-contained example app code goes here
Describe the problem in detail
EXPLANATION
The datatables.net package is vulnerable to Prototype Pollution. The setData function in jquery.dataTables.js fails to protect prototype attributes when objects are created during the application's execution. A remote attacker can exploit this to modify the behavior of object prototypes which, depending on their use in the application, may result in a Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected execution flow.
DETECTION
The application is vulnerable by using this component.
ROOT CAUSE
shiny_1.7.1.tar.gz : shiny/inst/www/shared/datatables/js/jquery.dataTables.min.js (version 1.10.13)
shiny_1.7.1.tar.gz : shiny/inst/www/shared/datatables/js/jquery.dataTables.min.js (version not reported)
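The advisory text above says that a "setData" routine walks an object path without protecting prototype attributes. As an added example, not code from Shiny, DT, or the DataTables project and not the actual setData implementation in jquery.dataTables.js, the following minimal dotted-path setter reproduces that class of bug and shows the fix a maintainer would apply: refuse the reserved keys (`__proto__`, `constructor`, `prototype`) and only descend into the target's own plain-object properties. The function names, the `FORBIDDEN_KEYS` list, and the sample path `__proto__.polluted` are assumptions made for the illustration.

```javascript
// Added example: a dotted-path setter in the style of a DataTables data
// accessor. Assumed names; this is NOT the library's own setData code.

// Reserved keys that must never be traversed when the path is untrusted.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: every path segment is trusted. For the path
// "__proto__.polluted", node["__proto__"] resolves to Object.prototype,
// so the final assignment lands on the prototype shared by every object.
function setDataVulnerable(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] === undefined || typeof node[keys[i]] !== 'object') {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened pattern: reject reserved keys up front and only descend into
// properties the current node owns itself, never inherited ones.
function setDataHardened(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to traverse reserved key "${key}"`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) {
      node[k] = {};
    }
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Constructed attacker-controlled path (not taken from any real request).
const UNTRUSTED_PATH = '__proto__.polluted';

// Returns what an unrelated object sees after the vulnerable setter ran:
// 'yes' means Object.prototype was polluted. Cleans up afterwards.
function demonstratePollution() {
  const row = {};
  setDataVulnerable(row, UNTRUSTED_PATH, 'yes');
  const victim = {};               // never touched directly
  const leaked = victim.polluted;  // inherited from the polluted prototype
  delete Object.prototype.polluted;
  return leaked;
}

// Returns whether the hardened setter rejected the malicious path, what an
// unrelated object sees afterwards, and that a legitimate nested path works.
function demonstrateHardened() {
  const row = {};
  let rejected = false;
  try {
    setDataHardened(row, UNTRUSTED_PATH, 'yes');
  } catch (e) {
    rejected = true;
  }
  const victim = {};
  setDataHardened(row, 'address.city', 'Oslo');
  return { rejected, leaked: victim.polluted, city: row.address.city };
}

console.log('vulnerable setter leaks:', demonstratePollution());
console.log('hardened setter:', demonstrateHardened());
```

The key filter alone is what the upstream fix class relies on; the own-property check additionally stops paths such as `toString.x` from walking into built-in inherited objects. Running in a browser versus Node changes only what the polluted prototype is later used for, not whether the write itself succeeds.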