Closed renovate[bot] closed 6 months ago
Run & review this pull request in StackBlitz Codeflow.
Latest commit: 117d81c232ec127606b454f5fed4e1f63a8f4fcd
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
This PR contains the following updates:
2.14.0
->2.20.2
GitHub Vulnerability Alerts
CVE-2023-3348
Impact
The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server.
Patches
Wrangler2: Upgrade to v2.20.1 or higher. Wrangler3: Upgrade to v3.1.1 or higher.
References
Workers SDK on Github Wrangler docs CVE-2023-3348
CVE-2023-7080
Impact
The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging.
wrangler dev
would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validateOrigin
/Host
headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. Ifwrangler dev --remote
was being used, an attacker could access production resources if they were bound to the worker.Patches
This issue was fixed in
wrangler@3.19.0
andwrangler@2.20.2
. Whilstwrangler dev
's inspector server listens on local interfaces by default as ofwrangler@3.16.0
, an SSRF vulnerability inminiflare
allowed access from the local network untilwrangler@3.18.0
.wrangler@3.19.0
andwrangler@2.20.2
introduced validation for theOrigin
/Host
headers.Workarounds
Unfortunately, Wrangler doesn't provide any configuration for which host that inspector server should listen on. Please upgrade to at least
wrangler@3.16.0
, and configure Wrangler to listen on local interfaces instead withwrangler dev --ip 127.0.0.1
to prevent SSRF. This removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.References
Release Notes
cloudflare/workers-sdk (wrangler)
### [`v2.20.2`](https://togithub.com/cloudflare/workers-sdk/releases/tag/wrangler%402.20.2) [Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.20.1...wrangler@2.20.2) ##### Patch Changes - [#4609](https://togithub.com/cloudflare/workers-sdk/pull/4609) [`c228c912`](https://togithub.com/cloudflare/workers-sdk/commit/c228c9120f42f7e0135fafe406bc71a766e7bba3) Thanks [@mrbbot](https://togithub.com/mrbbot)! - fix: pin `workerd` to `1.20230404.0` - [#4587](https://togithub.com/cloudflare/workers-sdk/pull/4587) [`49a46960`](https://togithub.com/cloudflare/workers-sdk/commit/49a469601adaa9eb9e1f2d6de197c1979d5c6c1b) Thanks [@mrbbot](https://togithub.com/mrbbot)! - Change dev registry and inspector server to listen on 127.0.0.1 instead of all interfaces - [#4587](https://togithub.com/cloudflare/workers-sdk/pull/4587) [`49a46960`](https://togithub.com/cloudflare/workers-sdk/commit/49a469601adaa9eb9e1f2d6de197c1979d5c6c1b) Thanks [@mrbbot](https://togithub.com/mrbbot)! - fix: validate `Host` and `Orgin` headers where appropriate `Host` and `Origin` headers are now checked when connecting to the inspector proxy. If these don't match what's expected, the request will fail. ### [`v2.20.1`](https://togithub.com/cloudflare/workers-sdk/releases/tag/wrangler%402.20.1) [Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.20.0...wrangler@2.20.1) ##### Patch Changes - [#3820](https://togithub.com/cloudflare/workers-sdk/pull/3820) [`546c2319`](https://togithub.com/cloudflare/workers-sdk/commit/546c2319268fc592f069d9c41b5dabdcf84cc94f) Thanks [@GregBrimble](https://togithub.com/GregBrimble)! - fix: Prevent `wrangler pages dev` from serving asset files outside of the build output directory ### [`v2.20.0`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#2200) [Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.19.0...wrangler@2.20.0) ##### Minor Changes - [#2966](https://togithub.com/cloudflare/workers-sdk/pull/2966) [`e351afcf`](https://togithub.com/cloudflare/workers-sdk/commit/e351afcff4f265f85ff3e4674cc3083eb5cd5027) Thanks [@GregBrimble](https://togithub.com/GregBrimble)! - feat: Add support for the undocumented `_worker.js/` directory in Pages - [#3095](https://togithub.com/cloudflare/workers-sdk/pull/3095) [`133c0423`](https://togithub.com/cloudflare/workers-sdk/commit/133c0423ccb4c2b35a1dd26157ce9a24c6a743bb) Thanks [@zebp](https://togithub.com/zebp)! - feat: add support for placement in wrangler config Allows a `placement` object in the wrangler config with a mode of `off` or `smart` to configure [Smart placement](https://developers.cloudflare.com/workers/platform/smart-placement/). Enabling Smart Placement can be done in your `wrangler.toml` like: ```toml [placement] mode = "smart" ``` - [#3140](https://togithub.com/cloudflare/workers-sdk/pull/3140) [`5fd080c8`](https://togithub.com/cloudflare/workers-sdk/commit/5fd080c88ee7991cde107f8723f06ea2fd2c651d) Thanks [@penalosa](https://togithub.com/penalosa)! - feat: Support sourcemaps in DevTools Intercept requests from DevTools in Wrangler to inject sourcemaps and enable folders in the Sources Panel of DevTools. When errors are thrown in your Worker, DevTools should now show your source file in the Sources panel, rather than Wrangler's bundled output. ##### Patch Changes - [#2912](https://togithub.com/cloudflare/workers-sdk/pull/2912) [`5079f476`](https://togithub.com/cloudflare/workers-sdk/commit/5079f4767f862cb7c42f4b2b5484b0391fbe5fae) Thanks [@petebacondarwin](https://togithub.com/petebacondarwin)! - fix: do not render "value of stdout.lastframe() is undefined" if the output is an empty string Fixes [#2907](https://togithub.com/cloudflare/workers-sdk/issues/2907) - [#3133](https://togithub.com/cloudflare/workers-sdk/pull/3133) [`d0788008`](https://togithub.com/cloudflare/workers-sdk/commit/d078800804899c3c8e083260f8cfdfc0397d6110) Thanks [@dario-piotrowicz](https://togithub.com/dario-piotrowicz)! - fix pages building not taking into account the nodejs_compat flag (and improve the related error message) - [#3146](https://togithub.com/cloudflare/workers-sdk/pull/3146) [`5b234cfd`](https://togithub.com/cloudflare/workers-sdk/commit/5b234cfd554aff08d065b96d7d49dfb36f40caa3) Thanks [@jspspike](https://togithub.com/jspspike)! - Added output for tail being in "sampling mode" ### [`v2.19.0`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#2190) [Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.18.0...wrangler@2.19.0) ##### Minor Changes - [#3091](https://togithub.com/cloudflare/workers-sdk/pull/3091) [`c32f514c`](https://togithub.com/cloudflare/workers-sdk/commit/c32f514ca40e8b13dc9e86fdc76577b9adeb70f5) Thanks [@edevil](https://togithub.com/edevil)! - Added initial commands for integrating with Constellation AI. ### [`v2.18.0`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#2180) [Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.17.0...wrangler@2.18.0) ##### Minor Changes - [#3098](https://togithub.com/cloudflare/workers-sdk/pull/3098) [`8818f551`](https://togithub.com/cloudflare/workers-sdk/commit/8818f5516ca909cc941deb953b6359030a8c0301) Thanks [@mrbbot](https://togithub.com/mrbbot)! - fix: improve Workers Sites asset upload reliability - Wrangler no longer buffers all assets into memory before uploading. This should prevent out-of-memory errors when publishing sites with many large files. - Wrangler now limits the number of in-flight asset upload requests to 5, fixing the `Too many bulk operations already in progress` error. - Wrangler now correctly logs upload progress. Previously, the reported percentage was per upload request group, not across all assets. - Wrangler no longer logs all assets to the console by default. Instead, it will just log the first 100. The rest can be shown by setting the `WRANGLER_LOG=debug` environment variable. A splash of colour has also been added. ### [`v2.17.0`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#2170) [Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.16.0...wrangler@2.17.0) ##### Minor Changes - [#3004](https://togithub.com/cloudflare/workers-sdk/pull/3004) [`6d5000a7`](https://togithub.com/cloudflare/workers-sdk/commit/6d5000a7b80b29eb57139c6334f40c564c9ad0c9) Thanks [@rozenmd](https://togithub.com/rozenmd)! - feat: teach `wrangler docs` to use algolia search index This PR lets you search Cloudflare's entire docs via `wrangler docs [search term here]`. By default, if the search fails to find what you're looking for, you'll get an error like this: ✘ [ERROR] Could not find docs for:Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.