Closed renovate[bot] closed 4 months ago
Name | Link |
---|---|
Latest commit | 90dd5b9ba01a4a195e5ae708953d6360e163c597 |
Latest deploy log | https://app.netlify.com/sites/demo-staticjscms/deploys/65aaf707556955000879a0df |
Deploy Preview | https://deploy-preview-1073.demo.staticcms.org |
Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
To edit notification comments on pull requests, go to your Netlify site configuration.
Name | Link |
---|---|
Latest commit | 90dd5b9ba01a4a195e5ae708953d6360e163c597 |
Latest deploy log | https://app.netlify.com/sites/staticjscms/deploys/65aaf7070559cc0008764156 |
Deploy Preview | https://deploy-preview-1073.staticcms.org |
Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
To edit notification comments on pull requests, go to your Netlify site configuration.
All modified and coverable lines are covered by tests :white_check_mark:
Comparison is base (
32684a0
) 55.87% compared to head (90dd5b9
) 55.87%.
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
This PR contains the following updates:
5.0.10
->5.0.12
GitHub Vulnerability Alerts
CVE-2024-23331
Summary
Vite dev server option
server.fs.deny
can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
Details
Since
picomatch
defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.See
picomatch
usage, wherenocase
is defaulted tofalse
: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632By requesting raw filesystem paths using augmented casing, the matcher derived from
config.server.fs.deny
fails to block access to sensitive files.PoC
Setup
npm create vite@latest
on a Standard Azure hosted Windows 10 instance.npm run dev -- --host 0.0.0.0
custom.secret
andproduction.pem
vite.config.js
withReproduction
curl -s http://20.12.242.81:5173/@​fs//
curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
Proof![Screenshot 2024-01-19 022736](https://user-images.githubusercontent.com/907968/298020728-3a8d3c06-fcfd-4009-9182-e842f66a6ea5.png)
Impact
Who
What
server.fs.deny
are both discoverable, and accessibleRelease Notes
vitejs/vite (vite)
### [`v5.0.12`](https://togithub.com/vitejs/vite/releases/tag/v5.0.12) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.11...v5.0.12) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.0.12/packages/vite/CHANGELOG.md) for details. ### [`v5.0.11`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small5011-2024-01-05-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.10...v5.0.11) - fix: don't pretransform classic script links ([#15361](https://togithub.com/vitejs/vite/issues/15361)) ([19e3c9a](https://togithub.com/vitejs/vite/commit/19e3c9a)), closes [#15361](https://togithub.com/vitejs/vite/issues/15361) - fix: inject `__vite__mapDeps` code before sourcemap file comment ([#15483](https://togithub.com/vitejs/vite/issues/15483)) ([d2aa096](https://togithub.com/vitejs/vite/commit/d2aa096)), closes [#15483](https://togithub.com/vitejs/vite/issues/15483) - fix(assets): avoid splitting `,` inside base64 value of `srcset` attribute ([#15422](https://togithub.com/vitejs/vite/issues/15422)) ([8de7bd2](https://togithub.com/vitejs/vite/commit/8de7bd2)), closes [#15422](https://togithub.com/vitejs/vite/issues/15422) - fix(html): handle offset magic-string slice error ([#15435](https://togithub.com/vitejs/vite/issues/15435)) ([5ea9edb](https://togithub.com/vitejs/vite/commit/5ea9edb)), closes [#15435](https://togithub.com/vitejs/vite/issues/15435) - chore(deps): update dependency strip-literal to v2 ([#15475](https://togithub.com/vitejs/vite/issues/15475)) ([49d21fe](https://togithub.com/vitejs/vite/commit/49d21fe)), closes [#15475](https://togithub.com/vitejs/vite/issues/15475) - chore(deps): update tj-actions/changed-files action to v41 ([#15476](https://togithub.com/vitejs/vite/issues/15476)) ([2a540ee](https://togithub.com/vitejs/vite/commit/2a540ee)), closes [#15476](https://togithub.com/vitejs/vite/issues/15476)Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.