exadel-inc / etoolbox-authoring-kit

Offers a set of tools that create Granite UI authoring interfaces for Adobe Experience Manager components from Java code. This is a comprehensive solution that makes different widgets work in a coordinated manner, provides greater interactivity in AEM dialogs, and introduces additional features (customizable data lists, options selection, etc.)

Home Page: https://authoring-kit.com/

License: Apache License 2.0

Java 94.87% JavaScript 4.91% Less 0.08% CSS 0.02% HTML 0.13%
aem64 aem65 java maven cq coral granite autogenerate touchui-dialogs aem-component

etoolbox-authoring-kit's People

Contributors

abarmina, ala-n, alexey-chernyakov, alkaliada, anvovk, bhlynsky, bogdan9817, dependabot[bot], fshovchko, gmusabaev, konyaka1, kovalenko-s, ldzmitrenka, liubou-masiuk, lmasiuk, mend-bolt-for-github[bot], mhoroshko, mykhailivchenko, nastaleo, one-step-closer, rodrigovargasr, russellsk, sbondarau, simba-97, smiakchilo, yanabr, yminkevich, yuliaminkevich


etoolbox-authoring-kit's Issues

CVE-2020-28469 (Medium) detected in glob-parent-5.1.1.tgz

CVE-2020-28469 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: etoolbox-authoring-kit/ui.apps/package.json

Path to vulnerable library: etoolbox-authoring-kit/ui.apps/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • eslint-7.21.0.tgz (Root Library)
    • glob-parent-5.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 53a4ed010c444ae5f596dc83a13a2a36a9a25d5f

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2


Step up your Open Source Security Game with WhiteSource here

CVE-2018-10237 (Medium) detected in guava-20.0.jar

CVE-2018-10237 - Medium Severity Vulnerability

Vulnerable Library - guava-20.0.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

Library home page: https://github.com/google/guava/

Path to dependency file: /tmp/ws-scm/aem-authoring-toolkit/aem-authoring-toolkit-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/google/guava/guava/20.0/guava-20.0.jar

Dependency Hierarchy:

  • reflections-0.9.11.jar (Root Library)
    • guava-20.0.jar (Vulnerable Library)

Found in HEAD commit: 50f55f37ec4d09d95e1420d9a7f8f0fdb29bc4a4

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution: com.google.guava:guava:24.1.1


[EAK-260] Option Provider: consume data from a JSON HTTP response

Currently, OptionProvider reads data from a provided or referenced JCR path.
There is sometimes a need to consume data available directly via a public HTTP JSON endpoint (a somewhat similar feature existed in Classic UI).
The request string must support a way to specify a "relative path" within an endpoint.
E.g.

GET https://acme.com/items.json
[
    {
        "label": "Hello",
        "value": "World"
    }
]

... will work straightforwardly, while

GET https://acme.com/items.json

{
    "metadata": {"count": 365},
    "items": [
        {
            "label": "Hello",
            "value": "World"
        }
    ]
}

-- needs to introduce an additional "path suffix", like https://acme.com/items.json/items
The items part will be removed before issuing the HTTP request in the HTTP client and then considered while parsing the result.

The results are then converted to List<ValueMapResource> and processed in the common way. All the facilities of the option provider, such as titleMember, valueMember, etc., must stay effective.
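One way the request string could be split and the suffix applied, added here as an example; it is not ToolKit code, and the ToolKit's actual OptionProvider implementation is not shown on this page. It assumes Gson 2.8.6 or later (for JsonParser.parseString), stands a constructed response body in for the HTTP call, and adopts two conventions that are this example's own: the endpoint ends at the first path segment ending in ".json", and the service only calls allow-listed hosts over https. The class and method names (JsonEndpointOptions, split, resolve, toOptions) are hypothetical.

```java
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;

import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not ToolKit code. Splits a request string such as
 * "https://acme.com/items.json/items" into the URL that is fetched and the
 * member path ("suffix") applied to the parsed body, then maps the array found
 * there to title/value pairs. Assumes Gson 2.8.6+ for JsonParser.parseString.
 */
public final class JsonEndpointOptions {

    /** Hosts the service may call; a constructed allow-list for this example. */
    private static final Set<String> ALLOWED_HOSTS = Collections.singleton("acme.com");

    /** Result of splitting the request string. */
    public static final class Endpoint {
        public final String url;
        public final List<String> suffix;

        Endpoint(String url, List<String> suffix) {
            this.url = url;
            this.suffix = suffix;
        }
    }

    /**
     * Convention of this example: the endpoint ends at the first path segment
     * ending in ".json"; any segments after it form the suffix.
     */
    public static Endpoint split(String request) {
        URI uri = URI.create(request);
        // The request string comes from dialog configuration, so the fetcher
        // only talks to known hosts over TLS
        if (!"https".equals(uri.getScheme()) || !ALLOWED_HOSTS.contains(uri.getHost())) {
            throw new IllegalArgumentException("Endpoint not allowed: " + request);
        }
        String[] segments = uri.getRawPath().split("/");
        int marker = -1;
        for (int i = 0; i < segments.length; i++) {
            if (segments[i].endsWith(".json")) {
                marker = i;
                break;
            }
        }
        if (marker < 0) {
            return new Endpoint(request, Collections.emptyList()); // no suffix: the body is the array
        }
        String path = String.join("/", Arrays.copyOfRange(segments, 0, marker + 1));
        List<String> suffix = new ArrayList<>();
        for (int i = marker + 1; i < segments.length; i++) {
            if (!segments[i].isEmpty()) {
                suffix.add(segments[i]);
            }
        }
        String url = uri.getScheme() + "://" + uri.getRawAuthority() + path;
        if (uri.getRawQuery() != null) {
            url += "?" + uri.getRawQuery();
        }
        return new Endpoint(url, suffix);
    }

    /** Walks the suffix down the parsed body; every step must be an object member. */
    public static JsonArray resolve(JsonElement body, List<String> suffix) {
        JsonElement current = body;
        for (String member : suffix) {
            if (!current.isJsonObject() || !current.getAsJsonObject().has(member)) {
                throw new IllegalStateException("Response has no member '" + member + "'");
            }
            current = current.getAsJsonObject().get(member);
        }
        if (!current.isJsonArray()) {
            throw new IllegalStateException("Resolved element is not a JSON array");
        }
        return current.getAsJsonArray();
    }

    /** Maps array items to title -> value using the configured member names. */
    public static Map<String, String> toOptions(JsonArray items, String titleMember, String valueMember) {
        Map<String, String> options = new LinkedHashMap<>();
        for (JsonElement item : items) {
            if (!item.isJsonObject()) {
                continue; // ignore scalars and nested arrays
            }
            JsonObject obj = item.getAsJsonObject();
            JsonElement title = obj.get(titleMember);
            JsonElement value = obj.get(valueMember);
            if (title != null && title.isJsonPrimitive() && value != null && value.isJsonPrimitive()) {
                options.put(title.getAsString(), value.getAsString());
            }
        }
        return options;
    }

    public static void main(String[] args) {
        Endpoint endpoint = split("https://acme.com/items.json/items");
        // Constructed body standing in for the HTTP GET response from endpoint.url
        String body = "{\"metadata\": {\"count\": 365},"
            + " \"items\": [{\"label\": \"Hello\", \"value\": \"World\"}]}";
        JsonArray items = resolve(JsonParser.parseString(body), endpoint.suffix);
        System.out.println(endpoint.url + " -> " + toOptions(items, "label", "value"));
    }
}
```

Running main prints the URL that would actually be fetched next to the resulting options map. Failures are deliberate exceptions rather than empty lists: a suffix member that is missing, or a resolved element that is not an array, points at a misconfigured request string, and surfacing that is more useful to an author than a silently empty dropdown.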

WS-2021-0154 (Medium) detected in glob-parent-5.1.1.tgz

WS-2021-0154 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: etoolbox-authoring-kit/ui.apps/package.json

Path to vulnerable library: etoolbox-authoring-kit/ui.apps/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • eslint-7.21.0.tgz (Root Library)
    • glob-parent-5.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 433fb91c54abcfb3b848b5d16f2648e2975348ac

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2


CVE-2021-43138 (High) detected in async-0.9.2.tgz, async-1.5.2.tgz - autoclosed

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Libraries - async-0.9.2.tgz, async-1.5.2.tgz

async-0.9.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-0.9.2.tgz

Path to dependency file: /docs/website/package.json

Path to vulnerable library: /docs/website/node_modules/jake/node_modules/async/package.json

Dependency Hierarchy:

  • eleventy-1.0.0.tgz (Root Library)
    • ejs-3.1.6.tgz
      • jake-10.8.2.tgz
        • async-0.9.2.tgz (Vulnerable Library)

async-1.5.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz

Path to dependency file: /docs/website/package.json

Path to vulnerable library: /docs/website/node_modules/async/package.json

Dependency Hierarchy:

  • browser-sync-2.27.7.tgz (Root Library)
    • portscanner-2.1.1.tgz
      • async-1.5.2.tgz (Vulnerable Library)

Found in HEAD commit: cfa4858397bb1da99abdf946eafb3a9847b7b494

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 3.2.2

Direct dependency fix Resolution (@11ty/eleventy): 2.0.0-canary.1


[EAK-261] Option Provider: add the possibility to output request-dependent datasource items

A friendly project representative asked for the possibility to render, via the OptionProvider, truly dynamic data, e.g. different for the different pages the dialog is opened in.
This is achievable with a custom data provider service that could consider the request, its path info, etc., and output data accordingly.
We need the interface for such a data provider and the interoperability with the "generic" OptionProviderService. A relevant provider can be selected with some request param, where each of the providers is specified with its getName() or a similar property, much like e.g. Sling injectors.
API documentation must be added, explaining how to create a custom data provider.

CVE-2021-29425 (Medium) detected in commons-io-2.5.jar

CVE-2021-29425 - Medium Severity Vulnerability

Vulnerable Library - commons-io-2.5.jar

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/proper/commons-io/

Path to dependency file: etoolbox-authoring-kit/plugin/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar

Dependency Hierarchy:

  • maven-core-3.6.1.jar (Root Library)
    • maven-shared-utils-3.2.1.jar
      • commons-io-2.5.jar (Vulnerable Library)

Found in HEAD commit: e318964eded8dd360025059a5223fb30efe7e329

Vulnerability Details

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution: commons-io:commons-io:2.7


CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.8.tgz

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: etoolbox-authoring-kit/ui.apps/package.json

Path to vulnerable library: etoolbox-authoring-kit/ui.apps/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 6e981243d697ae1e05ae4863a37d9ad13bbbae25

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via shortcutMatch in fromUrl().

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/npm/hosted-git-info/releases/tag/v3.0.8

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 3.0.8


[EAK-280] Add the ability to define custom "skeleton" fragments for reusable component configurations

As a content creator,
I want to have the ability to create "skeleton" fragments that can be used as the initial content/starting point for configuring complex blocks that consist of several AEM components,
so that I can simplify content creation and unify page layout.


Request background:
This feature aims to close the gap between small, atomic and flexible components that are built according to Adobe's best practices and huge and complex components that are the main building blocks of CMS-based websites.
The smaller and more flexible the component is, the more work is required from a content creator to configure it in accordance with the provided design.


Scope:

  1. Add a new "Skeleton page template" that will allow inserting a component / a group of components (a point to discuss).
     Note: the template policies should be excluded from filters so that they can be configured in the client project.

  2. Add a new toolbar button that will toggle skeleton page selection.

    • the user can select one of the skeleton pages
    • if the selected page contains a component that is not allowed on the page, an error message is shown
    • when a valid page is selected and the selection is confirmed, the content of the skeleton page is copied into the target page

CVE-2021-3807 (High) detected in ansi-regex-5.0.0.tgz

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Library - ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: etoolbox-authoring-kit/ui.apps/package.json

Path to vulnerable library: etoolbox-authoring-kit/ui.apps/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • eslint-7.28.0.tgz (Root Library)
    • strip-ansi-6.0.0.tgz
      • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 478f75be46c1fae01d40880809732e6921f49cad

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1


CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: etoolbox-authoring-kit/ui.apps/package.json

Path to vulnerable library: etoolbox-authoring-kit/ui.apps/node_modules/path-parse/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.23.4.tgz (Root Library)
    • resolve-1.20.0.tgz
      • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 98532a22c05cbca8986144db8e2b3c2f6aa1e75b

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7


[EAK-240] Value of a RadioGroup within a Multifield is cleared when dragging a Multifield item over another

Environment: AEM 6.5, any service pack.
Steps to reproduce:

  1. Create a complex multifield that contains a RadioGroup inside.
  2. Open an authoring dialog with the multifield; create at least 2 multifield items. Save the dialog.
  3. Reopen the dialog. Drag a multifield item to another position. RadioGroup values in the items you drag your item over disappear.

The origin of the bug seemingly lies outside the ToolKit's logic, in AEM itself. We need to investigate and test a way to address the issue with the use of the ToolKit (probably by overlaying a built-in clientlib or else creating a "patch").

CVE-2021-43616 (High) detected in npm-7.24.2.tgz

CVE-2021-43616 - High Severity Vulnerability

Vulnerable Library - npm-7.24.2.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-7.24.2.tgz

Path to dependency file: /docs/website/package.json

Path to vulnerable library: /docs/website/node_modules/npm/package.json

Dependency Hierarchy:

  • npm-8.0.3.tgz (Root Library)
    • npm-7.24.2.tgz (Vulnerable Library)

Found in HEAD commit: cfa4858397bb1da99abdf946eafb3a9847b7b494

Vulnerability Details

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.

Publish Date: 2021-11-13

URL: CVE-2021-43616

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43616

Release Date: 2021-11-13

Fix Resolution: npm - 8.1.4


[EDMTP-439] @Multiple does not support fields with nested subnodes

Steps to reproduce:

  1. Configure a field with the @Multiple annotation, using one of the field types that have nested subnodes: RTE, RadioGroup/Select with a datasource or option provider, Autocomplete.
  2. Observe the resulting node structure.

Actual result:
The subnodes are not moved under the 'field' subnode and do not have an effect on the widget.

Expected result:
The subnodes are moved under the 'field' subnode.

Note: if a RadioGroup/Select has configured items, the 'items' subnode is present inside and next to the 'field' subnode. Not sure that this is the correct behavior.

See examples below:

@DialogField(label = "MultiRTE")
@Multiple
@RichTextEditor(
    features = {
        RteFeatures.UNDO_UNDO,
        RteFeatures.UNDO_REDO,
        RteFeatures.SEPARATOR,
        RteFeatures.Popovers.EDIT_ALL,
        RteFeatures.SEPARATOR,
        RteFeatures.Popovers.FORMAT_ALL,
        RteFeatures.Popovers.STYLES,
        RteFeatures.Popovers.JUSTIFY_ALL,
        RteFeatures.SEPARATOR,
        RteFeatures.MISCTOOLS_SPECIALCHARS,
        RteFeatures.SEPARATOR,
        RteFeatures.Popovers.PARAFORMAT
    },
    htmlPasteRules = @HtmlPasteRules(
        allowImages = false,
        allowLists = AllowElement.DISALLOW,
        allowTables = AllowElement.DISALLOW
    ),
    externalStyleSheets = {PathConstants.EXTERNAL_STYLE_PATH},
    styles = {
        @Style(cssName = "rte-style", text = "Aggressive style"),
    },
    icons = {
        @IconMapping(command = "#styles", icon = "textColor"),
        @IconMapping(command = "#edit", icon = "textEdit")
    },
    htmlLinkRules = @HtmlLinkRules(
        targetInternal = LinkTarget.MANUAL,
        targetExternal = LinkTarget.BLANK,
        protocols = {"http://", "https://"},
        defaultProtocol = "https://"
    ),
    specialCharacters = {
        @Characters(name = "Copyright", entity = "&copy"),
        @Characters(name = "Euro sign", entity = "&#x20AC"),
        @Characters(name = "Trademark", entity = "&#x2122"),
        @Characters(rangeStart = 48, rangeEnd = 70),
    },
    formats = {
        @ParagraphFormat(tag = "h1", description = "My custom header"),
        @ParagraphFormat(tag = "h2", description = "My custom subheader")
    }
)
private String multiRTE;

@DialogField(label = "Multi Radio")
@Multiple
@RadioGroup(datasource = @DataSource(path = "a/b", resourceType = "c/d"))
private String multiRadio;

@DialogField(label = "Multi select")
@Multiple
@Select(optionProvider = @OptionProvider(value = @OptionSource(value = "aaa")))
private String multiSelect;

@DialogField(label = "Multi autocomplete")
@Multiple
@Autocomplete(datasource = @AutocompleteDatasource(namespaces = "a, b"),
    options = @AutocompleteList(src = "aaa"))
private String multiAutoComplete;

CVE-2021-44906 (High) detected in minimist-1.2.5.tgz - autoclosed

CVE-2021-44906 - High Severity Vulnerability

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /docs/website/package.json

Path to vulnerable library: /docs/website/node_modules/minimist/package.json,/ui.apps/node_modules/minimist/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.24.2.tgz (Root Library)
    • tsconfig-paths-3.11.0.tgz
      • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: cfa4858397bb1da99abdf946eafb3a9847b7b494

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/issues/164

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (eslint-plugin-import): 2.25.4


CVE-2020-36048 (High) detected in engine.io-3.5.0.tgz - autoclosed

CVE-2020-36048 - High Severity Vulnerability

Vulnerable Library - engine.io-3.5.0.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz

Path to dependency file: /docs/website/package.json

Path to vulnerable library: /docs/website/node_modules/engine.io/package.json

Dependency Hierarchy:

  • browser-sync-2.27.7.tgz (Root Library)
    • socket.io-2.4.0.tgz
      • engine.io-3.5.0.tgz (Vulnerable Library)

Found in HEAD commit: cfa4858397bb1da99abdf946eafb3a9847b7b494

Found in base branch: master

Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution (engine.io): 4.0.0-alpha.0

Direct dependency fix Resolution (browser-sync): 2.27.8


CVE-2021-3918 (High) detected in json-schema-0.2.3.tgz

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /docs/website/package.json

Path to vulnerable library: /docs/website/node_modules/npm/node_modules/json-schema/package.json

Dependency Hierarchy:

  • npm-8.0.3.tgz (Root Library)
    • npm-7.24.2.tgz
      • node-gyp-7.1.2.tgz
        • request-2.88.2.tgz
          • http-signature-1.2.0.tgz
            • jsprim-1.4.1.tgz
              • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: cfa4858397bb1da99abdf946eafb3a9847b7b494

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution: json-schema - 0.4.0


[EAK-244] Nested nodes of components converted into multifields with @Multiple are duplicated

Steps to reproduce:

  1. Set up a Java class like the following:

@DialogField(label = "Sample field")
@Autocomplete // might as well use @RichTextEditor, @Select, or any other annotation that produces a widget having subnodes
@Multiple
private List<String> sample;

  2. Build the project. Observe that the nested subnodes of the relevant component are rendered twice: a) under the field subnode of the created multifield; b) next to the field subnode.

Explanation:
The handler that processes the @Multiple annotation internally calls the CasualAnnotationsHandler after converting the data structure into a multifield. This one, in some circumstances, calls for another round of widget-bound handlers that in their turn create excess markup.

Solution: make sure that the widget-bound handlers are not called twice for the same annotation.

CVE-2022-21681 (High) detected in marked-2.1.3.tgz

CVE-2022-21681 - High Severity Vulnerability

Vulnerable Library - marked-2.1.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-2.1.3.tgz

Path to dependency file: /docs/website/package.json

Path to vulnerable library: /docs/website/node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • marked-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: cfa4858397bb1da99abdf946eafb3a9847b7b494

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21681

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5v2h-r2cx-5xgj

Release Date: 2022-01-14

Fix Resolution: marked - 4.0.10


[EAK-272] Add support for more TextField/TextArea properties

Currently, the @TextField and @TextArea annotations have fewer properties than defined in Adobe's specification. Notably, the autocomplete, autofocus, and maxLength (TextField only) properties are missing. One needs to add support for these properties and provide the test coverage.

CVE-2020-8908 (Low) detected in guava-24.1.1-jre.jar

CVE-2020-8908 - Low Severity Vulnerability

Vulnerable Library - guava-24.1.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: aem-authoring-toolkit/aem-authoring-toolkit-plugin/pom.xml

Path to vulnerable library: canner/.m2/repository/com/google/guava/guava/24.1.1-jre/guava-24.1.1-jre.jar

Dependency Hierarchy:

  • guava-24.1.1-jre.jar (Vulnerable Library)

Found in HEAD commit: 857d212327e7775d3c2fda994aca3acff2c8da38

Vulnerability Details

A temp directory creation vulnerability exists in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or updating to Java 7 or later, or explicitly changing the permissions after the creation of the directory if neither is possible.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0


[EAK-253] Implement ability to create arbitrary XML files in code

ToolKit API contains the Target interface that allows creating tree-like data structures that are subsequently rendered into XML. Currently, this is used to produce only a limited set of structures (such as dialogs) in the flow of the plugin.
We need to expose this functionality to a ToolKit user so that he/she could compose arbitrary structures renderable into XML that can be saved at arbitrary paths. This can be used to compose components' and pages' templates, etc.

[EDMTP-431] Custom action "update-options" does not restore the selected options if more than one option is selected

See source code snippet:

@AemComponent(
    path = "content/a-component",
    writeMode = WriteMode.CREATE,
    title = "A component",
    componentGroup = "test"
)
@Dialog
public class AComponent {
    @DialogField(
        label = "Path"
    )
    @PathField
    @DependsOnRef
    private int path;

    @DialogField(
        label = "Select"
    )
    @Select(multiple = true)
    @DependsOn(action = DependsOnActions.UPDATE_OPTIONS, query = "@path")
    private int anotherField;
}

Steps to reproduce:

  1. add the component to the page
  2. configure the path - source of select's values
  3. select more than one option in the select
  4. save the component
  5. reopen the component

Actual: the selected options are not restored

Expected: the selected options are restored

Note: the issue occurs only if multiple options were selected
Root cause: selectedValue can contain multiple values; in this case, the comparison should not be performed via "===" but via ".indexOf".
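As an added illustration of the root cause above (example code written for this page, not the ToolKit's own update-options script), the strict-equality comparison is shown next to the indexOf-based fix. The option objects, the toValueList helper, makeOptions and the sample values are constructed stand-ins for the select items the action produces, not names from the project.

```javascript
// Added example (not EToolbox Authoring Kit code): restoring a multi-select's
// selection when the stored value may be a single string or an array of strings.
// `options` is a constructed array of {value, selected} objects standing in for
// the select items an "update-options" action would produce.

// Buggy variant: strict equality never matches when selectedValue is an array,
// so nothing is restored after a multi-value save.
function restoreSelectionBuggy(options, selectedValue) {
  for (const option of options) {
    option.selected = option.value === selectedValue;
  }
  return options.filter((o) => o.selected).map((o) => o.value);
}

// Normalise whatever was stored (null, a single string, or an array) to an
// array of strings so that one comparison path serves both cases.
function toValueList(selectedValue) {
  if (selectedValue === null || selectedValue === undefined) return [];
  return Array.isArray(selectedValue)
    ? selectedValue.map(String)
    : [String(selectedValue)];
}

// Fixed variant: membership test via indexOf instead of strict equality.
function restoreSelection(options, selectedValue) {
  const selected = toValueList(selectedValue);
  for (const option of options) {
    option.selected = selected.indexOf(option.value) !== -1;
  }
  return options.filter((o) => o.selected).map((o) => o.value);
}

// Constructed sample: values a PathField-driven datasource might supply.
function makeOptions() {
  return ['red', 'green', 'blue'].map((value) => ({ value, selected: false }));
}

// Single value works in both variants; the multi-value case only in the fix.
console.log(restoreSelectionBuggy(makeOptions(), ['red', 'blue'])); // []
console.log(restoreSelection(makeOptions(), ['red', 'blue']));      // ['red', 'blue']
```

The normalisation step matters as much as the indexOf call: if the stored value is later read back as a single string for one-item selections, the fixed function still restores it, whereas a fix that assumed an array would regress the single-value case.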

[EDMTP-437] EToolbox Lists do not work properly in AEMaaCS

Preconditions: AEMaaCS version: aem-sdk-2021.8.5788.20210830T213613Z-210800
Description: While working with EToolbox Lists in AEM as a cloud service, when trying to create a new List in the admin interface, the following exception is thrown:

Failed executing script /libs/granite/ui/components/coral/foundation/dialog/dialog.jsp: java.lang.Exception: Wrapping Throwable: java.lang.NoClassDefFoundError: com/adobe/cq/commerce/common/ValueMapDecoratorFailed executing script /libs/granite/ui/components/coral/foundation/dialog/dialog.jsp: java.lang.Exception: Wrapping Throwable: java.lang.NoClassDefFoundError: com/adobe/cq/commerce/common/ValueMapDecoratorCannot serve request to /mnt/overlay/etoolbox-authoring-kit/lists/components/content/console/createpagedialog.html/content/usait-org/us/test in com.exadel.aem.toolkit.core.lists.servlets.ItemComponentsServlet
Exception:java.lang.Exception: Wrapping Throwable: java.lang.NoClassDefFoundError: com/adobe/cq/commerce/common/ValueMapDecorator at org.apache.sling.scripting.jsp.JspScriptEngineFactory$JspScriptEngine.eval(JspScriptEngineFactory.java:601) at org.apache.sling.scripting.core.impl.bundled.PrecompiledScript.eval(PrecompiledScript.java:54)

Expected result: the dialog is shown, and the list is created without an exception

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: aem-authoring-toolkit/ui.apps/package.json

Path to vulnerable library: aem-authoring-toolkit/ui.apps/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-7.13.0.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: cb23dd144d19e194007ebe60aad2501f2af00fcf

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@02906b8

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21


[EAK-239] EToolbox Lists: Add the ability to create lists in code

The EToolbox Lists - part of the Exadel Authoring Kit - comes with the utility class core/src/main/java/com/exadel/aem/toolkit/core/lists/utils/ListHelper.java. It allows retrieving from JCR the data authored with EToolbox Lists interface in the form of a List<Resource>, or a list of Sling models, or a map.

There's a need to add utility methods for creating the same structures in code. E.g. a user passes to the method the desired JCR path and a collection of Sling model or POJO objects, or a collection of name-value pairs, and a new EToolbox List is created.

CVE-2020-7598 (High) detected in minimist-1.2.0.tgz

CVE-2020-7598 - High Severity Vulnerability

Vulnerable Library - minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /tmp/ws-scm/aem-authoring-toolkit/aem-authoring-toolkit-samples/toolkit-samples-ui.apps/package.json

Path to vulnerable library: /tmp/ws-scm/aem-authoring-toolkit/aem-authoring-toolkit-samples/toolkit-samples-ui.apps/node_modules/minimist/package.json

Dependency Hierarchy:

  • aemsync-4.0.0.tgz (Root Library)
    • minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: f141d27d84b41bf3b73eebdbc57fadd929ad15fd

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.2


CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: aem-authoring-toolkit/ui.apps/package.json

Path to vulnerable library: aem-authoring-toolkit/ui.apps/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-7.13.0.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: cb23dd144d19e194007ebe60aad2501f2af00fcf

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21


[EAK-305] Create an injector for I18n

We need an injector that would allow assigning either an I18n object or a particular internationalized value to a Sling Model's field/method. The target locale should be judged from the request / request path.

[EAK-259] EToolbox Lists: Implement storing Lists in JCR based on a collection of <T> typed Sling models

Per EAK-239, EToolbox Lists are being created for existing Maps, Lists of Resources, and Lists of SimpleListItem.
At the same time, we have the possibility to retrieve data from JCR as a List<Resource>, a List<SimpleListItem>, a Map, and also a List<T>.
We need the "mirroring" coinciding method for storing List<T>
(Note: the method responsible for storing the List<SimpleListItem> might need to be refactored to represent a particular case of storing List<T>)

The task includes suggesting a way to extract relevant information from an arbitrary object.
One way is to use the in-box Jackson deserializer:

        ObjectMapper objectMapper = new ObjectMapper();
        Map map = objectMapper.convertValue(testModel, Map.class);
        Assert.assertEquals("Hello World", map.get("jcr:title"));

Then the map is converted into a Resource.

In view of limiting the set of values in the map, consider using Jackson annotations (must work OOTB), and/or passing the list of desired fields alongside the list of models to the very store method.

[EAK-255] @DataSource: make "resourceType" required

Per the Granite specification, the datasource node in a dialog needs at least the sling:resourceType parameter filled in to be functional.

However, the ToolKit @DataSource annotation has both of its properties optional (defaults specified) so that a user could skip the datasource property in @Select:

DataSource datasource() default @DataSource;

We need to make the resourceType property required.

CVE-2022-0536 (Medium) detected in follow-redirects-1.14.7.tgz

CVE-2022-0536 - Medium Severity Vulnerability

Vulnerable Library - follow-redirects-1.14.7.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.7.tgz

Path to dependency file: /docs/website/package.json

Path to vulnerable library: /docs/website/node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • browser-sync-2.27.7.tgz (Root Library)
    • http-proxy-1.18.1.tgz
      • follow-redirects-1.14.7.tgz (Vulnerable Library)

Found in HEAD commit: cfa4858397bb1da99abdf946eafb3a9847b7b494

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution: follow-redirects - 1.14.8


CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz - autoclosed

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /ui.apps/package.json

Path to vulnerable library: /ui.apps/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • eslint-7.32.0.tgz (Root Library)
    • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: ed366c3953fa1003f77ff5dd9ae89ce9b7b2660d

Found in base branch: master

Vulnerability Details

The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: gulpjs/glob-parent#49

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1


CVE-2022-0235 (Medium) detected in node-fetch-2.6.6.tgz - autoclosed

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.6.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz

Path to dependency file: /samples/ui.apps/package.json

Path to vulnerable library: /samples/ui.apps/node_modules/node-fetch/package.json

Dependency Hierarchy:

  • aemsync-4.0.3.tgz (Root Library)
    • node-fetch-2.6.6.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1


CVE-2022-21680 (High) detected in marked-2.1.3.tgz

CVE-2022-21680 - High Severity Vulnerability

Vulnerable Library - marked-2.1.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-2.1.3.tgz

Path to dependency file: /docs/website/package.json

Path to vulnerable library: /docs/website/node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • marked-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: cfa4858397bb1da99abdf946eafb3a9847b7b494

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21680

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rrrm-qjm4-v8hf

Release Date: 2022-01-14

Fix Resolution: marked - 4.0.10


WS-2021-0419 (High) detected in gson-2.3.jar - autoclosed

WS-2021-0419 - High Severity Vulnerability

Vulnerable Library - gson-2.3.jar

Google Gson library

Library home page: http://code.google.com/p/google-gson/

Path to dependency file: /plugin/pom.xml

Path to vulnerable library: /ownloadResource_NTUOMJ/20220227165010/gson-2.3.jar

Dependency Hierarchy:

  • gson-2.3.jar (Vulnerable Library)

Found in HEAD commit: 5d1919b3cac025d3b535ad084d5ba713ad9d33bf

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9


[EAK-238] Add the ability to create a complex multifield even when there's a single nested element

In AEM, Multifields exist in two flavors: "simple" (data is stored as an array-typed property) and "complex" (data is stored in nested JCR nodes). Most of the time, the simple multifield buildup is used when there is only one nested field, and the complex multifield is used when there are more.
Currently, the @Multifield annotation does not support choosing the flavor, and the multifield handler automatically renders simple multifields when it sees a single nested field.
Expected result: the user has the ability to instruct the plugin to create a simple or a complex multifield, or leave it by default (falls back to the current behavior).
Suggestions on implementation: the method @interface Multifield { boolean complex() default false; } would probably do.

[EAK-257] Coral-overlay: multifield names actualizer significantly decreases authoring dialog performance

Environment: AEM 6.5.10
Preconditions: a component has a complex multifield with a large number of items
Steps to reproduce:

  1. open component for editing
  2. observe page performance
  3. close and open the component again

Actual result: The page is laggy for a couple of seconds when the component is opened for the first time, and even more laggy when the dialog is opened for the second time
Expected result: eak scripts do not significantly affect page performance

[EAK-246] Implement the ability to disable Multifield via "disabled" property / DependsOn action

Consider the following code:

@DialogField(disabled=true)
@MultiField
@DependsOn(action = DependsOnActions.DISABLED, value = "true")
private List<MyClass> myClasses;

Currently, neither disabled=true nor the DependsOn action appears to have any effect on the multifield. (Basically it seems to be an Adobe/Granite issue, but it affects user experience anyway.)
Expected result: at minimum, the "Add" button of the multifield is disabled. Ideally, the content of every multifield item is disabled, as ordinary dialog fields appear in similar circumstances.
Probably, the expected result is more easily achieved via a DependsOn action.
Then we can discuss whether it is appropriate that @DialogField(disabled=true) will result in storing the same DependsOn action under the hood.
