fix(deps): update dependency astro to v4.16.1 [security]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
astro (source)	4.15.11 -> 4.16.1

GitHub Vulnerability Alerts

CVE-2024-47885

Summary

A DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has stored attacker-controlled scriptless HTML elements (i.e., iframe tags with unsanitized name attributes) on the destination pages.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Astro

We identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the <ViewTransitions /> component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an <a> link):

https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156

However, this implementation is vulnerable to a DOM Clobbering attack. The document.scripts lookup can be shadowed by an attacker injected non-script HTML elements (e.g., <img name="scripts"><img name="scripts">) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements.

The condition script.dataset.astroExec === '' on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require a type attribute.

Finally, the innerHTML of an attacker-injected non-script HTML elements, which is plain text content before, will be set to the .innerHTML of an script element that leads to XSS.

PoC

Consider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g., form or iframe). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

For PoC website, please refer to: https://stackblitz.com/edit/github-4xgj2d. Clicking the "about" button in the menu will trigger an alert(1) from an attacker-injected form element.

---
import Header from "../components/Header.astro";
import Footer from "../components/Footer.astro";
import { ViewTransitions } from "astro:transitions";
import "../styles/global.css";
const { pageTitle } = Astro.props;
---
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <meta name="viewport" content="width=device-width" />
    <meta name="generator" content={Astro.generator} />
    <title>{pageTitle}</title>
    <ViewTransitions />
  </head>
  <body>
    <!--USER INPUT-->
    <iframe name="scripts">alert(1)</iframe>
    <iframe name="scripts">alert(1)</iframe>
    <!--USER INPUT-->

    <Header />
    <h1>{pageTitle}</h1>
    <slot />
    <Footer />
    <script>
      import "../scripts/menu.js";
    </script>
  </body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with ViewTransitions and store the user-inserted scriptless HTML tags without properly sanitizing the name attributes on the page.

Patch

We recommend replacing document.scripts with document.getElementsByTagName('script') for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging the name attribute.

Reference

Similar issues for reference:

• Webpack (CVE-2024-43788)
• Vite (CVE-2024-45812)
• layui (CVE-2024-47075)

---

Release Notes

withastro/astro (astro)

### [`v4.16.1`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4161) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.16.0...astro@4.16.1) ##### Patch Changes - [#​12177](https://redirect.github.com/withastro/astro/pull/12177) [`a4ffbfa`](https://redirect.github.com/withastro/astro/commit/a4ffbfaa5cb460c12bd486fd75e36147f51d3e5e) Thanks [@​matthewp](https://redirect.github.com/matthewp)! - Ensure we target scripts for execution in the router Using `document.scripts` is unsafe because if the application has a `name="scripts"` this will shadow the built-in `document.scripts`. Fix is to use `getElementsByTagName` to ensure we're only grabbing real scripts. - [#​12173](https://redirect.github.com/withastro/astro/pull/12173) [`2d10de5`](https://redirect.github.com/withastro/astro/commit/2d10de5f212323e6e19c7ea379826dcc18fe739c) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Fixes a bug where Astro Actions couldn't redirect to the correct pathname when there was a rewrite involved. ### [`v4.16.0`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#4160) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.12...astro@4.16.0) ##### Minor Changes - [#​12039](https://redirect.github.com/withastro/astro/pull/12039) [`710a1a1`](https://redirect.github.com/withastro/astro/commit/710a1a11f488ff6ed3da6d3e0723b2322ccfe27b) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Adds a `markdown.shikiConfig.langAlias` option that allows [aliasing a non-supported code language to a known language](https://shiki.style/guide/load-lang#custom-language-aliases). This is useful when the language of your code samples is not [a built-in Shiki language](https://shiki.style/languages), but you want your Markdown source to contain an accurate language while also displaying syntax highlighting. The following example configures Shiki to highlight `cjs` code blocks using the `javascript` syntax highlighter: ```js import { defineConfig } from 'astro/config'; export default defineConfig({ markdown: { shikiConfig: { langAlias: { cjs: 'javascript', }, }, }, }); ``` Then in your Markdown, you can use the alias as the language for a code block for syntax highlighting: ````md ```cjs 'use strict'; function commonJs() { return 'I am a commonjs file'; } ``` ```` - [#​11984](https://redirect.github.com/withastro/astro/pull/11984) [`3ac2263`](https://redirect.github.com/withastro/astro/commit/3ac2263ff6070136bec9cffb863c38bcc31ccdfe) Thanks [@​chaegumi](https://redirect.github.com/chaegumi)! - Adds a new `build.concurreny` configuration option to specify the number of pages to build in parallel **In most cases, you should not change the default value of `1`.** Use this option only when other attempts to reduce the overall rendering time (e.g. batch or cache long running tasks like fetch calls or data access) are not possible or are insufficient. Use this option only if the refactors are not possible. If the number is set too high, the page rendering may slow down due to insufficient memory resources and because JS is single-threaded. > \[!WARNING] > This feature is stable and is not considered experimental. However, this feature is only intended to address difficult performance issues, and breaking changes may occur in a [minor release](https://docs.astro.build/en/upgrade-astro/#semantic-versioning) to keep this option as performant as possible. ```js // astro.config.mjs import { defineConfig } from 'astro'; export default defineConfig({ build: { concurrency: 2, }, }); ``` ##### Patch Changes - [#​12160](https://redirect.github.com/withastro/astro/pull/12160) [`c6fd1df`](https://redirect.github.com/withastro/astro/commit/c6fd1df695d0f2a24bb49e6954064f92664ccf67) Thanks [@​louisescher](https://redirect.github.com/louisescher)! - Fixes a bug where `astro.config.mts` and `astro.config.cts` weren't reloading the dev server upon modifications. - [#​12130](https://redirect.github.com/withastro/astro/pull/12130) [`e96bcae`](https://redirect.github.com/withastro/astro/commit/e96bcae535ef2f0661f539c1d49690c531df2d4e) Thanks [@​thehansys](https://redirect.github.com/thehansys)! - Fixes a bug in the parsing of `x-forwarded-\*` `Request` headers, where multiple values assigned to those headers were not correctly parsed. Now, headers like `x-forwarded-proto: https,http` are correctly parsed. - [#​12147](https://redirect.github.com/withastro/astro/pull/12147) [`9db755a`](https://redirect.github.com/withastro/astro/commit/9db755ab7cfe658ec426387e297bdcd32c4bc8de) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Skips setting statusMessage header for HTTP/2 response HTTP/2 doesn't support status message, so setting this was logging a warning. - [#​12151](https://redirect.github.com/withastro/astro/pull/12151) [`bb6d37f`](https://redirect.github.com/withastro/astro/commit/bb6d37f94a283433994f9243189cb4386df0e11a) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Fixes an issue where `Astro.currentLocale` wasn't incorrectly computed when the `defaultLocale` belonged to a custom locale path. - Updated dependencies \[[`710a1a1`](https://redirect.github.com/withastro/astro/commit/710a1a11f488ff6ed3da6d3e0723b2322ccfe27b)]: - [@​astrojs/markdown-remark](https://redirect.github.com/astrojs/markdown-remark)[@​5](https://redirect.github.com/5).3.0 ### [`v4.15.12`](https://redirect.github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#41512) [Compare Source](https://redirect.github.com/withastro/astro/compare/astro@4.15.11...astro@4.15.12) ##### Patch Changes - [#​12121](https://redirect.github.com/withastro/astro/pull/12121) [`2490ceb`](https://redirect.github.com/withastro/astro/commit/2490cebdb93f13ee552cffa72b2e274d64e6b4a7) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Support passing the values `Infinity` and `-Infinity` as island props. - [#​12118](https://redirect.github.com/withastro/astro/pull/12118) [`f47b347`](https://redirect.github.com/withastro/astro/commit/f47b347da899c6e1dcd0b2e7887f7fce6ec8e270) Thanks [@​Namchee](https://redirect.github.com/Namchee)! - Removes the `strip-ansi` dependency in favor of the native Node API - [#​12126](https://redirect.github.com/withastro/astro/pull/12126) [`6e1dfeb`](https://redirect.github.com/withastro/astro/commit/6e1dfeb76bec09d24928bab798c6ad3280f42e84) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Clear content layer cache when astro version changes - [#​12117](https://redirect.github.com/withastro/astro/pull/12117) [`a46839a`](https://redirect.github.com/withastro/astro/commit/a46839a5c818b7de63c36d0c7e27f1a8f3b773dc) Thanks [@​ArmandPhilippot](https://redirect.github.com/ArmandPhilippot)! - Updates Vite links to use their new domain - [#​12124](https://redirect.github.com/withastro/astro/pull/12124) [`499fbc9`](https://redirect.github.com/withastro/astro/commit/499fbc91a6bdad8c86ff13a8caf1fa09433796b9) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Allows special characters in Action names - [#​12123](https://redirect.github.com/withastro/astro/pull/12123) [`b8673df`](https://redirect.github.com/withastro/astro/commit/b8673df51c6cc4ce6a288f8eb609b7a438a07d82) Thanks [@​Princesseuh](https://redirect.github.com/Princesseuh)! - Fixes missing `body` property on CollectionEntry types for content layer entries - [#​12132](https://redirect.github.com/withastro/astro/pull/12132) [`de35daa`](https://redirect.github.com/withastro/astro/commit/de35daa8517555c1b9c72bc7fe9cc955c4997a83) Thanks [@​jcayzac](https://redirect.github.com/jcayzac)! - Updates the [`cookie`](https://npmjs.com/package/cookie) dependency to avoid the [CVE 2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764) vulnerability. - [#​12113](https://redirect.github.com/withastro/astro/pull/12113) [`a54e520`](https://redirect.github.com/withastro/astro/commit/a54e520d3c139fa123e7029c5933951b5c7f5a39) Thanks [@​ascorbic](https://redirect.github.com/ascorbic)! - Adds a helpful error when attempting to render an undefined collection entry

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel[bot]]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
nits-tips	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Oct 17, 2024 4:16pm