search

StaticJsCMS / static-cms

A Git-based CMS for Static Site Generators
https://staticcms.org
MIT License
579 stars 52 forks source link

chore(deps): update dependency vite to v5.0.12 [security] - autoclosed #1073

Closed renovate[bot] closed 4 months ago

renovate[bot] commented 5 months ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite (source) 5.0.10 -> 5.0.12 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-23331

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

Details

Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

PoC

Setup

  1. Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
  2. Created dummy secret files, e.g. custom.secret and production.pem
  3. Populated vite.config.js with 
    export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }

Reproduction

  1. curl -s http://20.12.242.81:5173/@​fs//
    • Descriptive error page reveals absolute filesystem path to project root
  2. curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
    • Discoverable configuration file reveals locations of secrets
  3. curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
    • Secrets are directly accessible using case-augmented version of filename

Proof Screenshot 2024-01-19 022736

Impact

Who

What

Release Notes

vitejs/vite (vite) ### [`v5.0.12`](https://togithub.com/vitejs/vite/releases/tag/v5.0.12) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.11...v5.0.12) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.0.12/packages/vite/CHANGELOG.md) for details. ### [`v5.0.11`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small5011-2024-01-05-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.10...v5.0.11) - fix: don't pretransform classic script links ([#​15361](https://togithub.com/vitejs/vite/issues/15361)) ([19e3c9a](https://togithub.com/vitejs/vite/commit/19e3c9a)), closes [#​15361](https://togithub.com/vitejs/vite/issues/15361) - fix: inject `__vite__mapDeps` code before sourcemap file comment ([#​15483](https://togithub.com/vitejs/vite/issues/15483)) ([d2aa096](https://togithub.com/vitejs/vite/commit/d2aa096)), closes [#​15483](https://togithub.com/vitejs/vite/issues/15483) - fix(assets): avoid splitting `,` inside base64 value of `srcset` attribute ([#​15422](https://togithub.com/vitejs/vite/issues/15422)) ([8de7bd2](https://togithub.com/vitejs/vite/commit/8de7bd2)), closes [#​15422](https://togithub.com/vitejs/vite/issues/15422) - fix(html): handle offset magic-string slice error ([#​15435](https://togithub.com/vitejs/vite/issues/15435)) ([5ea9edb](https://togithub.com/vitejs/vite/commit/5ea9edb)), closes [#​15435](https://togithub.com/vitejs/vite/issues/15435) - chore(deps): update dependency strip-literal to v2 ([#​15475](https://togithub.com/vitejs/vite/issues/15475)) ([49d21fe](https://togithub.com/vitejs/vite/commit/49d21fe)), closes [#​15475](https://togithub.com/vitejs/vite/issues/15475) - chore(deps): update tj-actions/changed-files action to v41 ([#​15476](https://togithub.com/vitejs/vite/issues/15476)) ([2a540ee](https://togithub.com/vitejs/vite/commit/2a540ee)), closes [#​15476](https://togithub.com/vitejs/vite/issues/15476)

Configuration

πŸ“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

β™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

netlify[bot] commented 5 months ago

Deploy Preview for demo-staticjscms ready!

Name Link
Latest commit 90dd5b9ba01a4a195e5ae708953d6360e163c597
Latest deploy log https://app.netlify.com/sites/demo-staticjscms/deploys/65aaf707556955000879a0df
Deploy Preview https://deploy-preview-1073.demo.staticcms.org
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

netlify[bot] commented 5 months ago

Deploy Preview for staticjscms ready!

Name Link
Latest commit 90dd5b9ba01a4a195e5ae708953d6360e163c597
Latest deploy log https://app.netlify.com/sites/staticjscms/deploys/65aaf7070559cc0008764156
Deploy Preview https://deploy-preview-1073.staticcms.org
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

codecov[bot] commented 5 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (32684a0) 55.87% compared to head (90dd5b9) 55.87%.

Additional details and impacted files ```diff @@ Coverage Diff @@ ## main #1073 +/- ## ======================================= Coverage 55.87% 55.87% ======================================= Files 259 259 Lines 12314 12314 Branches 3089 3089 ======================================= Hits 6880 6880 Misses 5027 5027 Partials 407 407 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.