search

hikerpig / pintora

An extensible text-to-diagrams library that works in both browser and node.js
https://pintorajs.vercel.app
MIT License
1.11k stars 24 forks source link

chore(deps): update dependency vite to v5.0.12 [security] #260

Closed renovate[bot] closed 7 months ago

renovate[bot] commented 7 months ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite (source) 5.0.10 -> 5.0.12 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-23331

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

Details

Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

PoC

Setup

  1. Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
  2. Created dummy secret files, e.g. custom.secret and production.pem
  3. Populated vite.config.js with 
    export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }

Reproduction

  1. curl -s http://20.12.242.81:5173/@​fs//
    • Descriptive error page reveals absolute filesystem path to project root
  2. curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
    • Discoverable configuration file reveals locations of secrets
  3. curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
    • Secrets are directly accessible using case-augmented version of filename

Proof Screenshot 2024-01-19 022736

Impact

Who

What

Release Notes

vitejs/vite (vite) ### [`v5.0.12`](https://togithub.com/vitejs/vite/releases/tag/v5.0.12) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.11...v5.0.12) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.0.12/packages/vite/CHANGELOG.md) for details. ### [`v5.0.11`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small5011-2024-01-05-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.10...v5.0.11) - fix: don't pretransform classic script links ([#​15361](https://togithub.com/vitejs/vite/issues/15361)) ([19e3c9a](https://togithub.com/vitejs/vite/commit/19e3c9a)), closes [#​15361](https://togithub.com/vitejs/vite/issues/15361) - fix: inject `__vite__mapDeps` code before sourcemap file comment ([#​15483](https://togithub.com/vitejs/vite/issues/15483)) ([d2aa096](https://togithub.com/vitejs/vite/commit/d2aa096)), closes [#​15483](https://togithub.com/vitejs/vite/issues/15483) - fix(assets): avoid splitting `,` inside base64 value of `srcset` attribute ([#​15422](https://togithub.com/vitejs/vite/issues/15422)) ([8de7bd2](https://togithub.com/vitejs/vite/commit/8de7bd2)), closes [#​15422](https://togithub.com/vitejs/vite/issues/15422) - fix(html): handle offset magic-string slice error ([#​15435](https://togithub.com/vitejs/vite/issues/15435)) ([5ea9edb](https://togithub.com/vitejs/vite/commit/5ea9edb)), closes [#​15435](https://togithub.com/vitejs/vite/issues/15435) - chore(deps): update dependency strip-literal to v2 ([#​15475](https://togithub.com/vitejs/vite/issues/15475)) ([49d21fe](https://togithub.com/vitejs/vite/commit/49d21fe)), closes [#​15475](https://togithub.com/vitejs/vite/issues/15475) - chore(deps): update tj-actions/changed-files action to v41 ([#​15476](https://togithub.com/vitejs/vite/issues/15476)) ([2a540ee](https://togithub.com/vitejs/vite/commit/2a540ee)), closes [#​15476](https://togithub.com/vitejs/vite/issues/15476)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

vercel[bot] commented 7 months ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
pintorajs ✅ Ready (Inspect) Visit Preview 💬 Add feedback Feb 25, 2024 10:53am
codecov[bot] commented 7 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 91.82%. Comparing base (87f80b1) to head (6a62b4d). Report is 131 commits behind head on master.

Additional details and impacted files ```diff @@ Coverage Diff @@ ## master #260 +/- ## ========================================== + Coverage 91.06% 91.82% +0.76% ========================================== Files 69 88 +19 Lines 3994 5148 +1154 Branches 762 914 +152 ========================================== + Hits 3637 4727 +1090 - Misses 357 421 +64 ``` | [Flag](https://app.codecov.io/gh/hikerpig/pintora/pull/260/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=hikerpig) | Coverage Δ | | |---|---|---| | [unittests](https://app.codecov.io/gh/hikerpig/pintora/pull/260/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=hikerpig) | `91.82% <ø> (+0.76%)` | :arrow_up: | Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=hikerpig#carryforward-flags-in-the-pull-request-comment) to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.