The widgetframe R htmlwidget uses pym.js to bring this (much needed) functionality into widgets and (eventually) Shiny apps.
NPR, which maintains pym.js, reported a critical vulnerability in the library on February 15th, 2018 without details (the details are to follow next week).
Per NPR's guidance, any production code using pym.js needs to be pulled or updated to the patched release.
I created an issue & pushed up a PR that incorporates the new version. NOTE that the YAML config file in the existing CRAN package and GitHub dev version incorrectly has 1.3.2 as the version (it’s really the 1.3.1 dev version).
suggest that the library was not performing URL sanitization (and now is).
Watch Out For Standalone Docs
Any R Markdown docs compiled in “standalone” mode will need to be recompiled and re-published, because standalone output embeds the vulnerable pym.js library directly in the document.
Standalone or not, anything you built with widgetframe in any context is affected, including:
- Flex Dashboard
- RMarkdown + knitr
- RMarkdown Website
- Xaringan Presentations (and other html-based R pres)
- Bookdown gitbook
In non-standalone output the library ships as a separate file in the document's dependency directory rather than inline, but the page still loads it, so those documents are vulnerable too.
Once the final details are released I’ll update this post and may do a new post. Until then:
- check if you've used widgetframe (directly or indirectly)
- REMOVE ALL VULNERABLE DOCS from RPubs, GitHub pages, your web site (etc) today
- regenerate all standalone documents ASAP
- regenerate your blogs, books, dashboards, etc ASAP with the patched code; DO THIS FOR INTERNAL as well as internet-facing content.
- monitor this space
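To turn the first three steps into something you can actually run against a publish directory, here is an added shell script (not from the original post and not part of the widgetframe package). It walks a tree of rendered HTML, flags documents that inline pym.js (standalone builds) or reference it via a `<script src>` (site builds), reads the version banner, and lists everything older than the patched release. Assumptions not stated on the page: pym.js distribution files start with a banner comment of the form `/*! pym.js - vX.Y.Z ...`, the dependency is referenced by a filename containing `pym` and ending in `.js`, and 1.3.2 is taken as the patched version number (that is the number the post's version note refers to; pass a different one as the second argument if the final advisory says otherwise). The sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or the widgetframe project.
# Scans rendered R Markdown output for pym.js and reports which documents
# still carry a version below the patched release.
#
# Assumptions (not from the page): pym.js dist files begin with a banner
# "/*! pym.js - vX.Y.Z ..."; non-standalone docs reference the library as
# <script src=".../pym*.js">; 1.3.2 is treated as the patched version.

# Extract the version from a pym.js banner in FILE, or "unknown".
banner_version() {
  v=$(grep -o 'pym\.js - v[0-9][0-9.]*' "$1" | head -n 1 | sed 's/.*- v//')
  printf '%s\n' "${v:-unknown}"
}

# Return 0 (true) if dotted version $1 is numerically lower than $2.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1
  }'
}

# One line per HTML document under DIR that uses pym.js:
#   <path> TAB <inline|linked> TAB <version|unknown|missing>
scan_for_pym() {
  find "$1" -type f -name '*.html' | sort | while IFS= read -r f; do
    if grep -q 'pym\.js - v' "$f"; then
      # Standalone build: the library (and its banner) is embedded in the page.
      printf '%s\tinline\t%s\n' "$f" "$(banner_version "$f")"
      continue
    fi
    # Site build: the library lives in a dependency directory next to the page.
    src=$(grep -o 'src="[^"]*pym[^"]*\.js"' "$f" | head -n 1 | sed 's/^src="//; s/"$//')
    if [ -n "$src" ]; then
      lib="$(dirname "$f")/$src"
      if [ -f "$lib" ]; then
        printf '%s\tlinked\t%s\n' "$f" "$(banner_version "$lib")"
      else
        printf '%s\tlinked\tmissing\n' "$f"
      fi
    fi
  done
}

# Documents whose pym.js is older than PATCHED (default 1.3.2) or cannot be
# determined: every one of these needs regenerating with the updated package.
needs_regeneration() {
  dir="$1"; patched="${2:-1.3.2}"
  scan_for_pym "$dir" | while IFS="$(printf '\t')" read -r path kind ver; do
    case "$ver" in
      unknown|missing) printf '%s\n' "$path" ;;
      *) if version_lt "$ver" "$patched"; then printf '%s\n' "$path"; fi ;;
    esac
  done
}

# Constructed fixture standing in for a publish directory: one standalone
# document, one site document with a linked library, one unrelated page.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/site_libs/pym-1.3.1"
  printf '/*! pym.js - v1.3.1 */\n' > "$d/site_libs/pym-1.3.1/pym.min.js"
  printf '<html><head><script>/*! pym.js - v1.3.1 */\n(function(){})();</script></head><body></body></html>\n' > "$d/standalone.html"
  printf '<html><head><script src="site_libs/pym-1.3.1/pym.min.js"></script></head></html>\n' > "$d/site.html"
  printf '<html><body><p>no widgets here</p></body></html>\n' > "$d/plain.html"
  printf '%s\n' "$d"
}

if [ -n "${1:-}" ]; then
  # Usage: ./scan-pym.sh /path/to/published/html [patched-version]
  needs_regeneration "$1" "${2:-1.3.2}"
else
  fixture=$(make_fixture)
  scan_for_pym "$fixture"
  printf 'needs regeneration:\n'
  needs_regeneration "$fixture"
  rm -rf "$fixture"
fi
```

Run it against the directory you publish from (RPubs exports, the `docs/` folder of a GitHub Pages repo, a bookdown `_book/`, an internal dashboard root); anything it lists is a document to pull now and regenerate once the patched package is installed. A `missing` result means the page references a pym.js file the scan could not find next to it, which is worth checking by hand rather than assuming it is clean.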
*** This is a Security Bloggers Network syndicated blog from rud.is authored by hrbrmstr. Read the original post at: https://rud.is/b/2018/02/16/pym-js-library-vulnerability-in-widgetframe-package/