
[Security] Bump auth0-lock from 10.20.0 to 11.26.0#48

Closed
dependabot-preview[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/auth0-lock-11.26.0

Conversation

@dependabot-preview

Bumps auth0-lock from 10.20.0 to 11.26.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

DOM-based XSS in auth0-lock

Overview

Versions before and including 11.25.1 are using dangerouslySetInnerHTML to display an informational message when used with a Passwordless or Enterprise connection.

  • For a Passwordless connection, the value of the input (email or phone number) is displayed back to the user while waiting for verification code input.
  • For an Enterprise connection, the value of the input (IdP Domain) from the Enterprise connection setup screen (Auth0 Dashboard) is displayed back to the user when the lock widget opens.

When a Passwordless or Enterprise connection is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

  • You are using auth0-lock
  • You are using Passwordless or Enterprise connection mode

How to fix that?

Upgrade to version 11.26.3

Will this update impact my users?

The fix provided in the patch will not affect your users.

Affected versions: <= 11.25.1

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects auth0-lock

Overview

Auth0 Lock version 11.20.4 and earlier did not properly sanitize the generated HTML code. Customers using the additionalSignUpFields customization option to add a checkbox to the sign-up dialog that are passing a placeholder property obtained from an untrusted source (e.g. a query parameter) could allow cross-site scripting (XSS) on their signup pages.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

  • You are using Auth0 Lock version 11.20.4 or earlier.
  • You pass additionalSignUpFields as options when initializing Lock which includes a field of type checkbox whose placeholder value is obtained from an untrusted source.

An example of a vulnerable snippet is the following where the placeholder value is partially user-controlled by the name query parameter:

How to fix that?

Developers using Auth0’s signin solution Lock need to upgrade to version 11.21.0 or later. Version 11.21.0 introduces two changes:

Affected versions: < 11.21.0

Release notes

Sourced from auth0-lock's releases.

v11.26.0

Added

Changed

Fixed

v11.25.1

Fixed

  • [SDK-1809] Connection display name is used even when no IdP domains are available #1898 (stevehobbsdev)

v11.25.0

Highlights

This release adds a new property preferConnectionDisplayName, which will cause Lock to use the "Display Name" field as defined in the Auth0 Dashboard for an Enterprise connection. If this field hasn't been specified, then Lock will fall back to the previous behaviour.

Usage

var lock = new Auth0Lock('clientId', 'domain', {
  preferConnectionDisplayName: true
});

Changelog

Added

  • [SDK-1710] Allow Lock to use connection display name field from client configuration file #1896 (stevehobbsdev)

v11.24.5

Fixed

v11.24.4

Changed

v11.24.3

Fixed

Security

Changelog

Sourced from auth0-lock's changelog.

v11.26.0 (2020-07-23)

Full Changelog

Added

Changed

Fixed

v11.25.1 (2020-07-14)

Full Changelog

Fixed

  • [SDK-1809] Connection display name is used even when no IdP domains are available #1898 (stevehobbsdev)

v11.25.0 (2020-07-09)

Full Changelog

Added

  • [SDK-1710] Allow Lock to use connection display name field from client configuration file #1896 (stevehobbsdev)

v11.24.5 (2020-07-03)

Full Changelog

Fixed

v11.24.4 (2020-07-02)

Full Changelog

Changed

v11.24.3 (2020-06-19)

Full Changelog

Commits
  • a1eb4d4 v11.26.0
  • 3633c8f Release v11.26.0 (#1905)
  • 814c508 [SDK-1284] Fix for "growing" tabs when repeatedly clicked (#1904)
  • 1be6206 Merge pull request #1902 from jfromaniello/signup_captcha
  • dea3d3c remove error.signup.captcha_required which is not longer required
  • 1bd5650 [CAUTH-423] Add captcha in the sign-up flow
  • 82f5618 [CAUTH-511] improve error handling on missing captcha (#1900)
  • fbd748d Release v11.25.1 (#1901)
  • 46349a3 Connection display name is used even when no IdP domains are available (#1898)
  • f668699 Merge pull request #1899 from auth0/jimmyjames-patch-1
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)
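The second advisory above describes a checkbox in additionalSignUpFields whose placeholder is built from an untrusted query parameter. The following is an added example, not code from the advisory or from the auth0-lock project, that shows that shape next to a hardened form which only lets an allowlisted value reach the option; the query parameter name "name" comes from the advisory, and the helper names placeholderFromQueryUnsafe, placeholderFromQuery and buildLockOptions are hypothetical.

```javascript
// Added example (not from the advisory or the auth0-lock project).
// Assumes Node 12+ for URLSearchParams and Unicode regex classes.

// Vulnerable shape from the advisory: the "name" query parameter flows
// straight into the placeholder, so any markup in it reaches the HTML that
// Lock versions before 11.21.0 generated for the checkbox label.
function placeholderFromQueryUnsafe(search) {
  const name = new URLSearchParams(search).get('name') || 'there';
  return `I, ${name}, accept the terms of service`;
}

// Hardened shape: allowlist letters, digits, spaces and a little
// punctuation, cap the length, and fall back to a fixed string otherwise.
// Angle brackets, quotes and ampersands never pass, so no markup can be
// smuggled into the option regardless of the Lock version in use.
const SAFE_PLACEHOLDER = /^[\p{L}\p{N} .,-]{1,64}$/u;
const DEFAULT_PLACEHOLDER = 'I accept the terms of service';

function placeholderFromQuery(search) {
  const raw = new URLSearchParams(search).get('name');
  if (raw === null) return DEFAULT_PLACEHOLDER;
  const trimmed = raw.trim();
  if (!SAFE_PLACEHOLDER.test(trimmed)) return DEFAULT_PLACEHOLDER;
  return `I, ${trimmed}, accept the terms of service`;
}

// Options object that would be passed as the third argument of
// new Auth0Lock(clientId, domain, options); only the hardened helper is used.
function buildLockOptions(search) {
  return {
    additionalSignUpFields: [{
      type: 'checkbox',
      name: 'tos',
      placeholder: placeholderFromQuery(search),
    }],
  };
}
```

Upgrading to 11.21.0 or later remains the fix the advisory calls for; the allowlist only removes the application's own untrusted input from the option.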

Bumps [auth0-lock](https://github.com/auth0/lock) from 10.20.0 to 11.26.0. **This update includes security fixes.**
- [Release notes](https://github.com/auth0/lock/releases)
- [Changelog](https://github.com/auth0/lock/blob/master/CHANGELOG.md)
- [Commits](auth0/lock@v10.20.0...v11.26.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
dependabot-preview[bot] added the labels dependencies (Pull requests that update a dependency file) and security (Pull requests that address a security vulnerability) on Sep 2, 2020
@dependabot-preview (Author)

Superseded by #60.

dependabot-preview[bot] deleted the dependabot/npm_and_yarn/auth0-lock-11.26.0 branch on June 17, 2021 05:39