Docs: Only load trusted iframe #23245
Conversation
Thanks!
Hi @mrdoob
Done 👍
I know it's better safe than sorry, but I'd like to ask what warranted marking this as a security vulnerability on This issue/fix affects only the index page of the docs, which is not at all in the published In this particular case, I upgraded from r135 to r137 figuring that it would probably be fine. However it seems that this introduces Line 14 in 2d80739
The whole point of I know I sound a bit ungrateful, but I think this is a situation where I think there was an easy alternative call.
In case anyone also runs into this while upgrading, what worked for me was to explicitly add
-import { BoxLineGeometry } from "three/examples/jsm/geometries/BoxLineGeometry";
+import { BoxLineGeometry } from "three/examples/jsm/geometries/BoxLineGeometry.js";
(I also want to note, I'm a big fan of
Can't agree more! Do you know how to fix it?
I work at GitHub, which
So, we picked up the severity automatically from https://huntr.dev/bounties/16901080-99b4-4fb5-8c5b-931bfbf33cba/ — it sounds like the best path forward is if you could revise it there. I'm told maintainers can ask for revisions to severity on Would you mind trying that?
I already wrote a message in that link 4 hours ago. What else can I do?
Ah, apologies, I didn't see that before. (I've never used In this case it sounds like by far the best is for (I'll also send a contact to your committer email in case you ever need to address issues with GitHub vuln alerts the future, although I'm not sure how much it would help in this particular case.)
You have to add the
-import { BoxLineGeometry } from "three/examples/jsm/geometries/BoxLineGeometry";
+import { BoxLineGeometry } from "three/examples/jsm/geometries/BoxLineGeometry.js";
When the library has Here is an example of webpack telling you to do so:
Hello, the GitHub security advisory at GHSA-7vvq-7r29-5vg3 seems to be misleading. The XSS was only on the Three.js website at https://threejs.org/docs/ correct? If so, please contact GitHub to update their advisory and ensure the CVE at https://nvd.nist.gov/vuln/detail/CVE-2022-0177 also reflects the correct information. For future reference, this is what the GHSA currently shows:
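The comment above describes the fix (an explicit `.js` extension on deep imports into the package's file tree) but the bundler output it refers to is not on the page. The following is an added example, not code from three.js, webpack or anyone in this thread: a small checker that scans a source file for import specifiers that point into a package's files (or are relative) without a file extension, which is exactly the case the `-`/`+` lines above correct. The sample source, the `needsExtension` heuristic and the helper names are constructed for this example; it treats any subpath import as needing an extension, so a package that maps extensionless subpaths through an `exports` field would be a false positive.

```javascript
// Added example (not three.js or webpack code): flag import specifiers that
// resolve to a concrete file but carry no file extension. Bare package
// imports ('three', '@scope/pkg') resolve through the package entry point and
// are left alone; relative paths and deep subpaths ('pkg/dir/file') are
// expected to name the file including its extension.

// Matches `import ... from 'spec'` and side-effect `import 'spec'` forms.
const IMPORT_RE = /\bimport\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]/g;
// A trailing ".ext" such as .js, .mjs, .css, .json.
const EXT_RE = /\.[A-Za-z0-9]+$/;

function needsExtension(spec) {
  // Relative or absolute path: must carry an extension.
  if (spec.startsWith('./') || spec.startsWith('../') || spec.startsWith('/')) {
    return !EXT_RE.test(spec);
  }
  // Bare package name: 'three' -> 1 segment, '@scope/pkg' -> 2 segments.
  const parts = spec.split('/');
  const nameSegments = spec.startsWith('@') ? 2 : 1;
  if (parts.length <= nameSegments) return false;
  // Deep subpath into the package: heuristic says it should name a file.
  return !EXT_RE.test(spec);
}

// Returns the list of specifiers in `source` that lack an extension.
function findMissingExtensions(source) {
  const hits = [];
  let m;
  IMPORT_RE.lastIndex = 0;
  while ((m = IMPORT_RE.exec(source)) !== null) {
    if (needsExtension(m[1])) hits.push(m[1]);
  }
  return hits;
}

// Suggests the corrected specifier; '.js' is the assumed target extension.
function fixSpecifier(spec) {
  return needsExtension(spec) ? spec + '.js' : spec;
}

// Constructed sample input resembling the situation in the thread.
const SAMPLE_SOURCE = `
import * as THREE from 'three';
import { OrbitControls } from 'three/examples/jsm/controls/OrbitControls.js';
import { BoxLineGeometry } from "three/examples/jsm/geometries/BoxLineGeometry";
import { helper } from './helper';
import styles from './app.css';
import './polyfill';
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const spec of findMissingExtensions(SAMPLE_SOURCE)) {
    console.log(`${spec}  ->  ${fixSpecifier(spec)}`);
  }
}
```

Run it with Node against a real file by replacing `SAMPLE_SOURCE` with `fs.readFileSync(path, 'utf8')`; the output lists each offending specifier with the `.js`-suffixed form, the same change the diff above makes for `BoxLineGeometry`.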
@alesandroortiz If you read the thread you'll see that @lgarron works at GitHub and is already taking care of it.
Hi everyone, The vulnerability only exists in The CVE publishing process and other miscellaneous tasks are performed by
Following up here: the CVE was updated to zero vulnerability on GitHub has picked up that change. This actually 404s GHSA-7vvq-7r29-5vg3 for the general public (see @alesandroortiz's screenshot above for historical reference). That should stop Dependabot alerts and banners on
@lgarron FYI the URL still loads for me, shows updated description indicating it was withdrawn but still has
Description
An XSS vulnerability was reported by me on the huntr.dev platform. The vulnerability has been validated by @mrdoob.
This PR is the patch for that vulnerability.
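The PR title states the mitigation ("only load trusted iframe") without showing it, so here is an added example of that pattern; it is not the three.js patch and does not reproduce the docs page's code. It assumes a docs index page that takes a page name from `location.hash` and loads it into an `<iframe>`, and it restricts the value to a same-origin relative path under an assumed `docs/` root built from a small character set, so that a value supplied through the URL can never become a scheme, an absolute or protocol-relative URL, or a path escape. `DOCS_ROOT`, `trustedDocPath` and `resolveIframeSrc` are names chosen for this example.

```javascript
// Added example (not three.js code): allowlist check for an iframe source
// taken from the URL fragment. Assumption: trusted pages live under DOCS_ROOT
// and are addressed as 'dir/sub/Page' or 'dir/sub/Page.html'.

const DOCS_ROOT = 'docs/'; // hypothetical location of the trusted pages

// One or more path segments of [A-Za-z0-9_-], optionally ending in ".html".
// No '.', ':', '?', '#', '%' or empty segments, so "..", "//host", "scheme:"
// and query/fragment tricks cannot pass.
const ALLOWED_PATH = /^[A-Za-z0-9_\-]+(\/[A-Za-z0-9_\-]+)*(\.html)?$/;

// Returns the trusted iframe path for a hash value, or null if it is not
// on the allowlist.
function trustedDocPath(hashValue) {
  let raw = String(hashValue == null ? '' : hashValue).replace(/^#/, '');
  try {
    raw = decodeURIComponent(raw); // validate the decoded form, not the escaped one
  } catch (e) {
    return null; // malformed percent-encoding is rejected outright
  }
  if (!ALLOWED_PATH.test(raw)) return null;
  return DOCS_ROOT + raw + (raw.endsWith('.html') ? '' : '.html');
}

// What the page should assign to iframe.src: the trusted path or a fixed
// fallback, never the raw hash.
function resolveIframeSrc(hashValue, fallback = DOCS_ROOT + 'index.html') {
  const trusted = trustedDocPath(hashValue);
  return trusted === null ? fallback : trusted;
}

// Browser wiring (guarded so the module also runs under Node for testing).
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const frame = document.getElementById('viewer'); // hypothetical iframe id
  if (frame) {
    frame.src = resolveIframeSrc(location.hash);
    window.addEventListener('hashchange', () => {
      frame.src = resolveIframeSrc(location.hash);
    });
  }
}
```

The important design choice is positive validation: rather than trying to strip dangerous prefixes from an arbitrary string, the check describes the only shape a legitimate page reference can take and rejects everything else, then builds the final path itself. Anything that fails the check falls back to a fixed page instead of the supplied value.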