Wednesday 15 February 2017

Release 0.1 - Fixing my first bug for Thimble

My first attempt at solving a real-world bug involved issue:

https://github.com/mozilla/thimble.mozilla.org/issues/1715

-------------------------------------------------------------

While running npm install I notice:
npm WARN deprecated nunjucks@2.3.0: potential XSS vulnerability in autoescape mode, and with escape filter was fixed in v2.4.3
We should update to 2.4.3 in both code bases.

---------------------------------------------------------------

The issue itself was a serious problem because it allowed cross-site scripting (XSS) through injected content. Thimble and Brackets both used a version of Nunjucks that was vulnerable, but an updated version claimed to have fixed that problem.

The fix was to make Thimble and Brackets install the updated version of Nunjucks along with their other dependencies.

I had to search for a bit to understand how that worked. I found nunjucks 2.3.0 listed as a dependency inside the package.json file. So for the fix, I simply upgraded the version inside the package.json file. This taught me that package.json holds metadata that determines which packages the whole project uses, along with other key information.

For Brackets, they did not have nunjucks included, so I entered a new line in their dependencies list to add nunjucks as well.
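The manual check described above (look in package.json, see whether the nunjucks entry is still below 2.4.3) can be turned into a small audit script. The following is an added example, not code from this post or from the Thimble or Brackets projects; the sample package.json contents are constructed, and the parsing of version ranges is deliberately limited to the simple forms (exact, caret, tilde, >=) so that anything else is reported as unverified rather than guessed at.

```javascript
// Added example (not from the blog post or the Thimble/Brackets projects):
// audit a package.json for a nunjucks dependency whose declared version range
// still admits releases older than the fixed 2.4.3.

const FIXED_VERSION = [2, 4, 3]; // first nunjucks release with the XSS fix, per the npm warning

// Parse "MAJOR.MINOR.PATCH" into numbers; returns null for anything that is not plain numeric semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lower bound of a simple npm range spec: "2.3.0", "^2.3.0", "~2.3.0", ">=2.3.0", "=2.3.0".
// Anything else (git URLs, "*", "latest", "2.x") returns null so the caller treats it as unverified.
function rangeFloor(spec) {
  const m = /^(?:\^|~|>=|=)?\s*(\d+\.\d+\.\d+)$/.exec(spec.trim());
  return m ? parseVersion(m[1]) : null;
}

// Examine one parsed package.json object. Returns one finding per nunjucks entry found
// (a project may list it under more than one section). No entry at all yields no finding,
// which matches the situation the post describes for the Adobe Brackets repository.
function auditNunjucks(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const deps = pkg[section] || {};
    if (!Object.prototype.hasOwnProperty.call(deps, 'nunjucks')) continue;
    const spec = String(deps.nunjucks);
    const floor = rangeFloor(spec);
    if (floor === null) {
      findings.push({ section, spec, status: 'unverified' });
    } else if (compareVersions(floor, FIXED_VERSION) < 0) {
      findings.push({ section, spec, status: 'vulnerable' });
    } else {
      findings.push({ section, spec, status: 'ok' });
    }
  }
  return findings;
}

// Convenience wrapper: takes the raw text of a package.json file.
function auditPackageJson(text) {
  return auditNunjucks(JSON.parse(text));
}

// Constructed sample manifests, not the real Thimble or Brackets files.
const BEFORE = JSON.stringify({
  name: 'sample-app',
  dependencies: { express: '^4.14.0', nunjucks: '2.3.0' },
});
const AFTER = JSON.stringify({
  name: 'sample-app',
  dependencies: { express: '^4.14.0', nunjucks: '2.4.3' },
});

console.log('before fix:', auditPackageJson(BEFORE)); // status: 'vulnerable'
console.log('after fix: ', auditPackageJson(AFTER));  // status: 'ok'
```

The script judges the range by its floor, not by what npm might resolve today: a spec like "^2.3.0" would allow 2.4.3 to be installed, but a lockfile or an older cache can still pin 2.3.0, so it is reported as vulnerable until the floor itself is raised to 2.4.3 or later.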

The overall difficulty of solving the problem was relatively low, but the improvement in the security of the software could potentially be huge, so I feel somewhat accomplished and proud of the difference I believe I made. It has given me more confidence in attempting to solve bigger problems and knowing that there is always something that can be improved, no matter how small, that can make a big difference in Open Source.

https://github.com/mozilla/thimble.mozilla.org/pull/1742

For more information about the process, check out:

http://osd600osp.blogspot.ca/2017/02/lab-3-fixing-bug-in-mozilla-thimble.html

--------------------------------

[February 24 Update]

So while waiting for a response to my pull requests, I learned why the Brackets source code did not have the nunjucks dependency. I had actually been making a pull request to the Brackets repository owned by Adobe, not the one owned by Mozilla. They quickly pointed out my error, so I deleted my copy of Adobe's repository and replaced it with Mozilla's. Sure enough, nunjucks was there, and I made the same changes as I did for Thimble and sent the pull request right away.
