mrtousif / youtube-clone

NestJS, Hasura, Postgres, React, RefineJS, Kubernetes, FusionAuth
10 stars 1 forks

fix(deps): update dependency @fastify/secure-session to v7 [security] - autoclosed #191

Closed renovate[bot] closed 3 months ago

renovate[bot] commented 7 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
| --- | --- |
| @fastify/secure-session | `^6.0.0` -> `^7.0.0` |

GitHub Vulnerability Alerts

CVE-2024-31999

Impact

At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with matching session name is provided with subsequent requests, it will decrypt the ciphertext to get the data. The plugin then creates a new session with the data in the ciphertext. Thus theoretically the web instance is still accessing the data from a server-side session, but technically that session is generated solely from a user provided cookie (which is assumed to be non-craftable because it is encrypted with a secret key not known to the user).

The issue exists in the session removal process. In the delete function of the code, when the session is deleted, it is marked for deletion. However, if an attacker could gain access to the cookie, they could keep using it forever.

Patches

Fixed in 56d66642ecc633cff0606927601e81cdac361370. Update to v7.3.0.

Workarounds

Include a "last update" field in the session, and treat "old sessions" as expired. Make sure to configure your cookie as "http only".


Release Notes

fastify/fastify-secure-session (@​fastify/secure-session)

### [`v7.3.0`](https://togithub.com/fastify/fastify-secure-session/releases/tag/v7.3.0)

[Compare Source](https://togithub.com/fastify/fastify-secure-session/compare/v7.1.0...v7.3.0)

#### :warning: Security Release :warning:

Fixes https://github.com/fastify/fastify-secure-session/security/advisories/GHSA-9wwp-q7wq-jx35

#### What's Changed

- Update the file name of the key in README.md for consistency by [@​acro5piano](https://togithub.com/acro5piano) in [https://github.com/fastify/fastify-secure-session/pull/215](https://togithub.com/fastify/fastify-secure-session/pull/215)
- build(deps-dev): bump tsd from 0.30.7 to 0.31.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/fastify/fastify-secure-session/pull/221](https://togithub.com/fastify/fastify-secure-session/pull/221)

#### New Contributors

- [@​acro5piano](https://togithub.com/acro5piano) made their first contribution in [https://github.com/fastify/fastify-secure-session/pull/215](https://togithub.com/fastify/fastify-secure-session/pull/215)

**Full Changelog**: https://github.com/fastify/fastify-secure-session/compare/v7.2.0...v7.3.0

### [`v7.1.0`](https://togithub.com/fastify/fastify-secure-session/releases/tag/v7.1.0)

[Compare Source](https://togithub.com/fastify/fastify-secure-session/compare/v7.0.0...v7.1.0)

#### What's Changed

- add .touch() method by [@​Momy93](https://togithub.com/Momy93) in [https://github.com/fastify/fastify-secure-session/pull/198](https://togithub.com/fastify/fastify-secure-session/pull/198)

#### New Contributors

- [@​Momy93](https://togithub.com/Momy93) made their first contribution in [https://github.com/fastify/fastify-secure-session/pull/198](https://togithub.com/fastify/fastify-secure-session/pull/198)

**Full Changelog**: https://github.com/fastify/fastify-secure-session/compare/v7.0.0...v7.1.0

### [`v7.0.0`](https://togithub.com/fastify/fastify-secure-session/releases/tag/v7.0.0)

[Compare Source](https://togithub.com/fastify/fastify-secure-session/compare/v6.2.0...v7.0.0)

#### What's Changed

- build(deps): bump [@​fastify/cookie](https://togithub.com/fastify/cookie) from 8.3.0 to 9.0.4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/fastify/fastify-secure-session/pull/194](https://togithub.com/fastify/fastify-secure-session/pull/194)
- fix: broken link by [@​Zamiell](https://togithub.com/Zamiell) in [https://github.com/fastify/fastify-secure-session/pull/195](https://togithub.com/fastify/fastify-secure-session/pull/195)

#### New Contributors

- [@​Zamiell](https://togithub.com/Zamiell) made their first contribution in [https://github.com/fastify/fastify-secure-session/pull/195](https://togithub.com/fastify/fastify-secure-session/pull/195)

**Full Changelog**: https://github.com/fastify/fastify-secure-session/compare/v6.2.0...v7.0.0

### [`v6.2.0`](https://togithub.com/fastify/fastify-secure-session/releases/tag/v6.2.0)

[Compare Source](https://togithub.com/fastify/fastify-secure-session/compare/v6.1.0...v6.2.0)

#### What's Changed

- ci: only trigger on pushes to main branches by [@​Fdawgs](https://togithub.com/Fdawgs) in [https://github.com/fastify/fastify-secure-session/pull/188](https://togithub.com/fastify/fastify-secure-session/pull/188)
- build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 18.16.5 to 20.1.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/fastify/fastify-secure-session/pull/189](https://togithub.com/fastify/fastify-secure-session/pull/189)
- chore: use isArray and isBuffer by [@​is2ei](https://togithub.com/is2ei) in [https://github.com/fastify/fastify-secure-session/pull/191](https://togithub.com/fastify/fastify-secure-session/pull/191)
- pass the secret to fastify cookie if directly registered by [@​gurgunday](https://togithub.com/gurgunday) in [https://github.com/fastify/fastify-secure-session/pull/193](https://togithub.com/fastify/fastify-secure-session/pull/193)

#### New Contributors

- [@​gurgunday](https://togithub.com/gurgunday) made their first contribution in [https://github.com/fastify/fastify-secure-session/pull/193](https://togithub.com/fastify/fastify-secure-session/pull/193)

**Full Changelog**: https://github.com/fastify/fastify-secure-session/compare/v6.1.0...v6.2.0

### [`v6.1.0`](https://togithub.com/fastify/fastify-secure-session/releases/tag/v6.1.0)

[Compare Source](https://togithub.com/fastify/fastify-secure-session/compare/v6.0.0...v6.1.0)

#### What's Changed

- fix: 134 document genkey without npx by [@​davideroffo](https://togithub.com/davideroffo) in [https://github.com/fastify/fastify-secure-session/pull/180](https://togithub.com/fastify/fastify-secure-session/pull/180)
- chore(.gitignore): add bun lockfile by [@​Fdawgs](https://togithub.com/Fdawgs) in [https://github.com/fastify/fastify-secure-session/pull/181](https://togithub.com/fastify/fastify-secure-session/pull/181)
- build(deps-dev): bump tsd from 0.25.0 to 0.26.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/fastify/fastify-secure-session/pull/182](https://togithub.com/fastify/fastify-secure-session/pull/182)
- build(deps-dev): bump tsd from 0.26.1 to 0.27.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/fastify/fastify-secure-session/pull/183](https://togithub.com/fastify/fastify-secure-session/pull/183)
- build(deps-dev): bump tsd from 0.27.0 to 0.28.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/fastify/fastify-secure-session/pull/185](https://togithub.com/fastify/fastify-secure-session/pull/185)
- Fix maxAge time example by [@​michalzalobny](https://togithub.com/michalzalobny) in [https://github.com/fastify/fastify-secure-session/pull/184](https://togithub.com/fastify/fastify-secure-session/pull/184)
- add support for custom session key and multiple sessions by [@​jsprw](https://togithub.com/jsprw) in [https://github.com/fastify/fastify-secure-session/pull/186](https://togithub.com/fastify/fastify-secure-session/pull/186)

#### New Contributors

- [@​davideroffo](https://togithub.com/davideroffo) made their first contribution in [https://github.com/fastify/fastify-secure-session/pull/180](https://togithub.com/fastify/fastify-secure-session/pull/180)
- [@​michalzalobny](https://togithub.com/michalzalobny) made their first contribution in [https://github.com/fastify/fastify-secure-session/pull/184](https://togithub.com/fastify/fastify-secure-session/pull/184)
- [@​jsprw](https://togithub.com/jsprw) made their first contribution in [https://github.com/fastify/fastify-secure-session/pull/186](https://togithub.com/fastify/fastify-secure-session/pull/186)

**Full Changelog**: https://github.com/fastify/fastify-secure-session/compare/v6.0.0...v6.1.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

coderabbitai[bot] commented 7 months ago

[!IMPORTANT]

Auto Review Skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

