
bug: Vulnerable outdated javascript libraries in consul/ui/javascripts/libs/ #3733

Closed
sechawk opened this issue Dec 9, 2017 · 1 comment
Labels: archived/webui (This was used for v1/ui)

sechawk commented Dec 9, 2017

ember-1-10.js, ember-template-compiler.js -> CVE-2015-7565

jquery-1.10.2.min.js
  jquery/jquery#2432
  http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
  http://research.insecurelabs.org/jquery/test/

handlebars-1.3.0.min.js
  handlebars-lang/handlebars.js#1083

Note - I haven't done any in-depth assessment of whether these are actually exploitable in the way they are consumed in Consul, however it's never great practice to use old outdated libraries with publicly known vulnerabilities.

@slackpad slackpad added security archived/webui This was used for v1/ui labels Dec 21, 2017
@slackpad slackpad added this to the 1.0.3 milestone Dec 21, 2017
slackpad (Contributor) commented Dec 21, 2017

Hi @sechawk we are in the process of doing a full rewrite of the Consul UI based on up-to-date versions of all the libraries (which we will track for security updates), and the current libraries are old and difficult to quickly patch / update.

As a stop-gap I audited the code for these issues and it looks like Consul is OK with respect to these (after one patch):

ember-1-10.js

  1. CVE-2015-7565

    Audited the Handlebars templates and all are primitive values. Experimented with some JS-like objects with string properties as a cross-check and they were properly escaped.

jquery-1.10.2.min.js

  1. jQuery issue 2432 - 3rd party $.get() auto executes if content type is text/javascript

    Consul doesn't pull any 3rd party resources, nor pull resources based on user data.

  2. jQuery issue 11974 - parseHTML executes inline scripts like event handlers

    Verified that the parseHTML call isn't used in Consul's UI code.

handlebars-1.3.0.min.js

  1. Adding a few more bad characters (handlebars-lang/handlebars.js#1083)

    Manually patched the `=` escape fix in #3763 ("Patches handlebars JS to escape = to prevent XSS").
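The Handlebars fix referenced above (#1083) adds `=` and the backtick to the escape map; the reason that matters is an unquoted attribute context such as `<a href={{url}}>`, where a value containing no `<`, `>` or quotes still passes the 1.3.0 escaper untouched. The following is an added example, not Consul or Handlebars code: it models the 1.3.0 escape map and the patched one with a simplified `escapeExpression`, renders the same constructed payload through both, and tokenizes the resulting tag the way a browser splits unquoted attributes. The attribute tokenizer, the `renderLink` helper and the payload are all assumptions made for illustration; it also coerces non-string values with `String()` before escaping, which is the cross-check on "JS-like objects with string properties" described in the comment.

```javascript
// Added example, not code from Consul or Handlebars. It models the escape map
// Handlebars 1.3.0 used and the two characters the #1083 fix added, then shows
// why "=" matters when a template puts a value in an unquoted attribute.

// Escape map matching the characters Handlebars 1.3.0 covered.
const OLD_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
// Same map with "=" and "`" added, as the #1083 fix did.
const NEW_ESCAPES = Object.assign({}, OLD_ESCAPES, { '=': '&#x3D;', '`': '&#x60;' });

// Build an escapeExpression-style function from a map (simplified; assumption).
// Non-string values are coerced with String() and then escaped, so an object
// whose toString() returns markup is still rendered inert.
function makeEscaper(table) {
  return function escapeExpression(value) {
    if (value === null || value === undefined) return '';
    return String(value).replace(/[&<>"'=`]/g, ch => table[ch] || ch);
  };
}

const escapeOld = makeEscaper(OLD_ESCAPES);
const escapeNew = makeEscaper(NEW_ESCAPES);

// Toy attribute tokenizer for an unquoted attribute context (assumption, not a
// real HTML parser): splits the tag body on whitespace, then each token into
// name=value. Entities inside attribute *names* are not decoded by browsers,
// which is exactly why escaping "=" defuses the injection.
function parseUnquotedAttrs(tagBody) {
  const attrs = {};
  for (const token of tagBody.trim().split(/\s+/)) {
    if (!token) continue;
    const eq = token.indexOf('=');
    if (eq === -1) attrs[token.toLowerCase()] = '';
    else attrs[token.slice(0, eq).toLowerCase()] = token.slice(eq + 1);
  }
  return attrs;
}

// Render the template `<a href={{url}}>` with the given escaper and report any
// on* attribute that ended up carrying a value (i.e. a live event handler).
function renderLink(url, escape) {
  const html = '<a href=' + escape(url) + '>';
  const attrs = parseUnquotedAttrs(html.slice(3, -1)); // strip "<a " and ">"
  const handlers = Object.keys(attrs)
    .filter(k => /^on[a-z]+$/.test(k) && attrs[k] !== '');
  return { html, attrs, handlers };
}

// Constructed attacker input: no <, >, or quotes, so the 1.3.0 map leaves it intact.
const PAYLOAD = 'x onmouseover=alert(1)';

console.log('1.3.0 escaping :', renderLink(PAYLOAD, escapeOld).html);
console.log('patched escaping:', renderLink(PAYLOAD, escapeNew).html);
console.log('object value    :', escapeNew({ toString: () => '<script>' }));
```

With the old map the rendered tag is `<a href=x onmouseover=alert(1)>`, which the tokenizer (and a browser) reads as two attributes, one of them a handler. With `=` escaped the second token becomes `onmouseover&#x3D;alert(1)`, an attribute name with no value, so no handler is created. The caveat a practitioner should keep in mind is that this only matters for unquoted attribute bindings; in quoted attributes the existing `"`/`'` escaping already prevents breakout, which is why the audit of Consul's templates for primitive values plus this single patch was a reasonable stop-gap.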
