JacobLinCool / LeetCode-Stats-Card

Show your dynamically generated LeetCode stats on your GitHub profile or your website!
https://leetcard.jacoblin.cool
MIT License
640 stars 79 forks

chore(deps): update dependency wrangler to v2.20.2 [security] - autoclosed #99

Closed renovate[bot] closed 6 months ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| wrangler (source) | `2.14.0` -> `2.20.2` |

GitHub Vulnerability Alerts

CVE-2023-3348

Impact

The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server.

Patches

Wrangler2: Upgrade to v2.20.1 or higher. Wrangler3: Upgrade to v3.1.1 or higher.

References

- Workers SDK on GitHub
- Wrangler docs
- CVE-2023-3348

CVE-2023-7080

Impact

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.

Patches

This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.

Workarounds

Unfortunately, Wrangler doesn't provide any configuration for which host that inspector server should listen on. Please upgrade to at least wrangler@3.16.0, and configure Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1 to prevent SSRF. This removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.

References


Release Notes

cloudflare/workers-sdk (wrangler)

### [`v2.20.2`](https://togithub.com/cloudflare/workers-sdk/releases/tag/wrangler%402.20.2)

[Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.20.1...wrangler@2.20.2)

##### Patch Changes

- [#​4609](https://togithub.com/cloudflare/workers-sdk/pull/4609) [`c228c912`](https://togithub.com/cloudflare/workers-sdk/commit/c228c9120f42f7e0135fafe406bc71a766e7bba3) Thanks [@​mrbbot](https://togithub.com/mrbbot)! - fix: pin `workerd` to `1.20230404.0`
- [#​4587](https://togithub.com/cloudflare/workers-sdk/pull/4587) [`49a46960`](https://togithub.com/cloudflare/workers-sdk/commit/49a469601adaa9eb9e1f2d6de197c1979d5c6c1b) Thanks [@​mrbbot](https://togithub.com/mrbbot)! - Change dev registry and inspector server to listen on 127.0.0.1 instead of all interfaces
- [#​4587](https://togithub.com/cloudflare/workers-sdk/pull/4587) [`49a46960`](https://togithub.com/cloudflare/workers-sdk/commit/49a469601adaa9eb9e1f2d6de197c1979d5c6c1b) Thanks [@​mrbbot](https://togithub.com/mrbbot)! - fix: validate `Host` and `Origin` headers where appropriate

  `Host` and `Origin` headers are now checked when connecting to the inspector proxy. If these don't match what's expected, the request will fail.

### [`v2.20.1`](https://togithub.com/cloudflare/workers-sdk/releases/tag/wrangler%402.20.1)

[Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.20.0...wrangler@2.20.1)

##### Patch Changes

- [#​3820](https://togithub.com/cloudflare/workers-sdk/pull/3820) [`546c2319`](https://togithub.com/cloudflare/workers-sdk/commit/546c2319268fc592f069d9c41b5dabdcf84cc94f) Thanks [@​GregBrimble](https://togithub.com/GregBrimble)! - fix: Prevent `wrangler pages dev` from serving asset files outside of the build output directory

### [`v2.20.0`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#2200)

[Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.19.0...wrangler@2.20.0)

##### Minor Changes

- [#​2966](https://togithub.com/cloudflare/workers-sdk/pull/2966) [`e351afcf`](https://togithub.com/cloudflare/workers-sdk/commit/e351afcff4f265f85ff3e4674cc3083eb5cd5027) Thanks [@​GregBrimble](https://togithub.com/GregBrimble)! - feat: Add support for the undocumented `_worker.js/` directory in Pages
- [#​3095](https://togithub.com/cloudflare/workers-sdk/pull/3095) [`133c0423`](https://togithub.com/cloudflare/workers-sdk/commit/133c0423ccb4c2b35a1dd26157ce9a24c6a743bb) Thanks [@​zebp](https://togithub.com/zebp)! - feat: add support for placement in wrangler config

  Allows a `placement` object in the wrangler config with a mode of `off` or `smart` to configure [Smart placement](https://developers.cloudflare.com/workers/platform/smart-placement/). Enabling Smart Placement can be done in your `wrangler.toml` like:

  ```toml
  [placement]
  mode = "smart"
  ```

- [#​3140](https://togithub.com/cloudflare/workers-sdk/pull/3140) [`5fd080c8`](https://togithub.com/cloudflare/workers-sdk/commit/5fd080c88ee7991cde107f8723f06ea2fd2c651d) Thanks [@​penalosa](https://togithub.com/penalosa)! - feat: Support sourcemaps in DevTools

  Intercept requests from DevTools in Wrangler to inject sourcemaps and enable folders in the Sources Panel of DevTools. When errors are thrown in your Worker, DevTools should now show your source file in the Sources panel, rather than Wrangler's bundled output.

##### Patch Changes

- [#​2912](https://togithub.com/cloudflare/workers-sdk/pull/2912) [`5079f476`](https://togithub.com/cloudflare/workers-sdk/commit/5079f4767f862cb7c42f4b2b5484b0391fbe5fae) Thanks [@​petebacondarwin](https://togithub.com/petebacondarwin)! - fix: do not render "value of stdout.lastframe() is undefined" if the output is an empty string

  Fixes [#​2907](https://togithub.com/cloudflare/workers-sdk/issues/2907)

- [#​3133](https://togithub.com/cloudflare/workers-sdk/pull/3133) [`d0788008`](https://togithub.com/cloudflare/workers-sdk/commit/d078800804899c3c8e083260f8cfdfc0397d6110) Thanks [@​dario-piotrowicz](https://togithub.com/dario-piotrowicz)! - fix pages building not taking into account the nodejs_compat flag (and improve the related error message)
- [#​3146](https://togithub.com/cloudflare/workers-sdk/pull/3146) [`5b234cfd`](https://togithub.com/cloudflare/workers-sdk/commit/5b234cfd554aff08d065b96d7d49dfb36f40caa3) Thanks [@​jspspike](https://togithub.com/jspspike)! - Added output for tail being in "sampling mode"

### [`v2.19.0`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#2190)

[Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.18.0...wrangler@2.19.0)

##### Minor Changes

- [#​3091](https://togithub.com/cloudflare/workers-sdk/pull/3091) [`c32f514c`](https://togithub.com/cloudflare/workers-sdk/commit/c32f514ca40e8b13dc9e86fdc76577b9adeb70f5) Thanks [@​edevil](https://togithub.com/edevil)! - Added initial commands for integrating with Constellation AI.

### [`v2.18.0`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#2180)

[Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.17.0...wrangler@2.18.0)

##### Minor Changes

- [#​3098](https://togithub.com/cloudflare/workers-sdk/pull/3098) [`8818f551`](https://togithub.com/cloudflare/workers-sdk/commit/8818f5516ca909cc941deb953b6359030a8c0301) Thanks [@​mrbbot](https://togithub.com/mrbbot)! - fix: improve Workers Sites asset upload reliability
  - Wrangler no longer buffers all assets into memory before uploading. This should prevent out-of-memory errors when publishing sites with many large files.
  - Wrangler now limits the number of in-flight asset upload requests to 5, fixing the `Too many bulk operations already in progress` error.
  - Wrangler now correctly logs upload progress. Previously, the reported percentage was per upload request group, not across all assets.
  - Wrangler no longer logs all assets to the console by default. Instead, it will just log the first 100. The rest can be shown by setting the `WRANGLER_LOG=debug` environment variable.
  - A splash of colour has also been added.

### [`v2.17.0`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#2170)

[Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.16.0...wrangler@2.17.0)

##### Minor Changes

- [#​3004](https://togithub.com/cloudflare/workers-sdk/pull/3004) [`6d5000a7`](https://togithub.com/cloudflare/workers-sdk/commit/6d5000a7b80b29eb57139c6334f40c564c9ad0c9) Thanks [@​rozenmd](https://togithub.com/rozenmd)! - feat: teach `wrangler docs` to use algolia search index

  This PR lets you search Cloudflare's entire docs via `wrangler docs [search term here]`.

  By default, if the search fails to find what you're looking for, you'll get an error like this:

  ```
  ✘ [ERROR] Could not find docs for: . Please try again with another search term.
  ```

  If you provide the `--yes` or `-y` flag, wrangler will open the docs to https://developers.cloudflare.com/workers/wrangler/commands/, even if the search fails.

### [`v2.16.0`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#2160)

[Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.15.1...wrangler@2.16.0)

##### Minor Changes

- [#​3058](https://togithub.com/cloudflare/workers-sdk/pull/3058) [`1bd50f56`](https://togithub.com/cloudflare/workers-sdk/commit/1bd50f56a7215bb9a9480a8e8560862acef9e326) Thanks [@​mrbbot](https://togithub.com/mrbbot)! - chore: upgrade `miniflare@3` to [`3.0.0-next.13`](https://togithub.com/cloudflare/miniflare/releases/tag/v3.0.0-next.13)

  Notably, this adds native support for Windows to `wrangler dev --experimental-local`, logging for incoming requests, and support for a bunch of newer R2 features.

##### Patch Changes

- [#​3058](https://togithub.com/cloudflare/workers-sdk/pull/3058) [`1bd50f56`](https://togithub.com/cloudflare/workers-sdk/commit/1bd50f56a7215bb9a9480a8e8560862acef9e326) Thanks [@​mrbbot](https://togithub.com/mrbbot)! - fix: disable persistence without `--persist` in `--experimental-local`

  This ensures `--experimental-local` doesn't persist data on the file-system, unless the `--persist` flag is set. Data is still always persisted between reloads.

- [#​3055](https://togithub.com/cloudflare/workers-sdk/pull/3055) [`5f48c405`](https://togithub.com/cloudflare/workers-sdk/commit/5f48c405c663de0c6b2bfc27005246f1fdec6987) Thanks [@​rozenmd](https://togithub.com/rozenmd)! - fix: Teach D1 commands to read auth configuration from wrangler.toml

  This PR fixes a bug in how D1 handles a user's accounts. We've updated the D1 commands to read from config (typically via wrangler.toml) before trying to run commands. This means if an `account_id` is defined in config, we'll use that instead of erroring out when there are multiple accounts to pick from.

  Fixes [#​3046](https://togithub.com/cloudflare/workers-sdk/issues/3046)

- [#​3058](https://togithub.com/cloudflare/workers-sdk/pull/3058) [`1bd50f56`](https://togithub.com/cloudflare/workers-sdk/commit/1bd50f56a7215bb9a9480a8e8560862acef9e326) Thanks [@​mrbbot](https://togithub.com/mrbbot)! - fix: disable route validation when using `--experimental-local`

  This ensures `wrangler dev --experimental-local` doesn't require a login or an internet connection if a `route` is configured.

### [`v2.15.1`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#2151)

[Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.15.0...wrangler@2.15.1)

##### Patch Changes

- [#​2783](https://togithub.com/cloudflare/workers-sdk/pull/2783) [`4c55baf9`](https://togithub.com/cloudflare/workers-sdk/commit/4c55baf9cd0e3d8915272471476017e0d379a988) Thanks [@​GregBrimble](https://togithub.com/GregBrimble)! - feat: Add `**/*.wasm?module` as default module rule (alias of `**/*.wasm`)
- [#​2989](https://togithub.com/cloudflare/workers-sdk/pull/2989) [`86e942bb`](https://togithub.com/cloudflare/workers-sdk/commit/86e942bbb943750ee57e209a214e08926fb32ac5) Thanks [@​GregBrimble](https://togithub.com/GregBrimble)! - fix: Durable Object proxying websockets over local dev registry

### [`v2.15.0`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#2150)

[Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@2.14.0...wrangler@2.15.0)

##### Minor Changes

- [#​2769](https://togithub.com/cloudflare/workers-sdk/pull/2769) [`0a779904`](https://togithub.com/cloudflare/workers-sdk/commit/0a77990457652af36c60c52bf9c38c3a69945de4) Thanks [@​penalosa](https://togithub.com/penalosa)! - feature: Support modules with `--no-bundle`

  When the `--no-bundle` flag is set, Wrangler now has support for uploading additional modules alongside the entrypoint. This will allow modules to be imported at runtime on Cloudflare's Edge. This respects Wrangler's [module rules](https://developers.cloudflare.com/workers/wrangler/configuration/#bundling) configuration, which means that only imports of non-JS modules will trigger an upload by default. For instance, the following code will now work with `--no-bundle` (assuming the `example.wasm` file exists at the correct path):

  ```js
  // index.js
  import wasm from './example.wasm'

  export default {
    async fetch() {
      await WebAssembly.instantiate(wasm, ...)
      ...
    }
  }
  ```

  For JS modules, it's necessary to specify an additional [module rule](https://developers.cloudflare.com/workers/wrangler/configuration/#bundling) (or rules) in your `wrangler.toml` to configure your modules as ES modules or Common JS modules. For instance, to upload additional JavaScript files as ES modules, add the following module rule to your `wrangler.toml`, which tells Wrangler that all `**/*.js` files are ES modules.

  ```toml
  rules = [
    { type = "ESModule", globs = ["**/*.js"]},
  ]
  ```

  If you have Common JS modules, you'd configure Wrangler with a CommonJS rule (the following rule tells Wrangler that all `.cjs` files are Common JS modules):

  ```toml
  rules = [
    { type = "CommonJS", globs = ["**/*.cjs"]},
  ]
  ```

  In most projects, adding a single rule will be sufficient. However, for advanced use cases where you're mixing ES modules and Common JS modules, you'll need to use multiple rule definitions. For instance, the following set of rules will match all `.mjs` files as ES modules, all `.cjs` files as Common JS modules, and the `nested/say-hello.js` file as Common JS.

  ```toml
  rules = [
    { type = "CommonJS", globs = ["nested/say-hello.js", "**/*.cjs"]},
    { type = "ESModule", globs = ["**/*.mjs"]}
  ]
  ```

  If multiple rules overlap, Wrangler will log a warning about the duplicate rules, and will discard additional rules that match a module. For example, the following rule configuration classifies `dep.js` as both a Common JS module and an ES module:

  ```toml
  rules = [
    { type = "CommonJS", globs = ["dep.js"]},
    { type = "ESModule", globs = ["dep.js"]}
  ]
  ```

  Wrangler will treat `dep.js` as a Common JS module, since that was the first rule that matched, and will log the following warning:

  ```
  ▲ [WARNING] Ignoring duplicate module: dep.js (esm)
  ```

  This also adds a new configuration option to `wrangler.toml`: `base_dir`. Defaulting to the directory of your Worker's main entrypoint, this tells Wrangler where your additional modules are located, and determines the module paths against which your module rule globs are matched.

  For instance, given the following directory structure:

  - wrangler.toml
  - src/
    - index.html
    - vendor/
      - dependency.js
    - js/
      - index.js

  If your `wrangler.toml` had `main = "src/js/index.js"`, you would need to set `base_dir = "src"` in order to be able to import `src/vendor/dependency.js` and `src/index.html` from `src/js/index.js`.

##### Patch Changes

- [#​2957](https://togithub.com/cloudflare/workers-sdk/pull/2957) [`084b2c58`](https://togithub.com/cloudflare/workers-sdk/commit/084b2c58ba051811afe4adf1518cab033ba62872) Thanks [@​esimons](https://togithub.com/esimons)! - fix: Respect querystring params when calling `.fetch` on a worker instantiated with `unstable_dev`

  Previously, querystring params would be stripped, causing issues for test cases that depended on them. For example, given the following worker script:

  ```js
  export default {
    fetch(req) {
      const url = new URL(req.url);
      const name = url.searchParams.get("name");
      return new Response("Hello, " + name);
    }
  };
  ```

  would fail the following test case:

  ```js
  const worker = await unstable_dev("script.js");
  const res = await worker.fetch("http://worker?name=Walshy");
  const text = await res.text();
  // Following fails, as returned text is 'Hello, null'
  expect(text).toBe("Hello, Walshy");
  ```

- [#​2840](https://togithub.com/cloudflare/workers-sdk/pull/2840) [`e311bbbf`](https://togithub.com/cloudflare/workers-sdk/commit/e311bbbf64343badd4bba7eb017b796a89eaf9fe) Thanks [@​mrbbot](https://togithub.com/mrbbot)! - fix: make `WRANGLER_LOG` case-insensitive, warn on unexpected values, and fallback to `log` if invalid

  Previously, levels set via the `WRANGLER_LOG` environment variable were case-sensitive. If an unexpected level was set, Wrangler would fall back to `none`, hiding all logs. The fallback has now been switched to `log`, and lenient case-insensitive matching is used when setting the level.

- [#​2044](https://togithub.com/cloudflare/workers-sdk/pull/2044) [`eebad0d9`](https://togithub.com/cloudflare/workers-sdk/commit/eebad0d9e593237b4db61047c94e2ec5b47a7b3c) Thanks [@​kuba-orlik](https://togithub.com/kuba-orlik)! - fix: allow programmatic dev workers to be stopped and started in a single session
- [#​2735](https://togithub.com/cloudflare/workers-sdk/pull/2735) [`3f7a75cc`](https://togithub.com/cloudflare/workers-sdk/commit/3f7a75ccc252567be3e9062ff0c6fd7e00201d0e) Thanks [@​JacobMGEvans](https://togithub.com/JacobMGEvans)! - Fix: Generate Remote URL

  The previous URL was pointing to the old cloudflare/templates repo; updated the URL to point to templates in the workers-sdk monorepo.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

stackblitz[bot] commented 1 year ago

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

changeset-bot[bot] commented 1 year ago

⚠️ No Changeset found

Latest commit: 117d81c232ec127606b454f5fed4e1f63a8f4fcd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR