Open renovate[bot] opened 1 year ago
| Totals | |
|---|---|
| Change from base Build 4209913040: | 0.0% |
| Covered Lines: | 2 |
| Relevant Lines: | 2 |
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below:
```text
Scope: all 20 workspace projects
 WARN  GET https://registry.npmjs.org/@vuepress/bundler-vite/-/bundler-vite-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/bundler-webpack/-/bundler-webpack-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/cli/-/cli-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/client/-/client-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/plugin-docsearch/-/plugin-docsearch-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/plugin-google-analytics/-/plugin-google-analytics-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/plugin-register-components/-/plugin-register-components-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/utils/-/utils-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/anywhere/-/anywhere-1.6.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/sass-loader/-/sass-loader-13.2.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/vue/-/vue-3.2.45.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/vuepress/-/vuepress-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/vite error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/bundler-vite/-/bundler-vite-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/bundler-webpack/-/bundler-webpack-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/cli/-/cli-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/client/-/client-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/plugin-docsearch/-/plugin-docsearch-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/plugin-google-analytics/-/plugin-google-analytics-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/plugin-register-components/-/plugin-register-components-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/utils/-/utils-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/anywhere/-/anywhere-1.6.0.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/sass-loader/-/sass-loader-13.2.0.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/vue/-/vue-3.2.45.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/vuepress/-/vuepress-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/vite error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/core/-/core-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 ERR_INVALID_THIS  Value of "this" must be of type URLSearchParams
pnpm [ERR_INVALID_THIS]: Value of "this" must be of type URLSearchParams
at Proxy.getAll (node:internal/url:534:13)
at Proxy.<anonymous> (/opt/containerbase/tools/pnpm/7.27.0/20.12.1/node_modules/pnpm/dist/pnpm.cjs:59405:55)
at /opt/containerbase/tools/pnpm/7.27.0/20.12.1/node_modules/pnpm/dist/pnpm.cjs:59467:31
at Array.reduce (<anonymous>)
at Proxy.raw (/opt/containerbase/tools/pnpm/7.27.0/20.12.1/node_modules/pnpm/dist/pnpm.cjs:59466:33)
at new Headers (/opt/containerbase/tools/pnpm/7.27.0/20.12.1/node_modules/pnpm/dist/pnpm.cjs:59351:28)
at getNodeRequestOptions (/opt/containerbase/tools/pnpm/7.27.0/20.12.1/node_modules/pnpm/dist/pnpm.cjs:59700:23)
at /opt/containerbase/tools/pnpm/7.27.0/20.12.1/node_modules/pnpm/dist/pnpm.cjs:59757:25
at new Promise (<anonymous>)
at fetch (/opt/containerbase/tools/pnpm/7.27.0/20.12.1/node_modules/pnpm/dist/pnpm.cjs:59755:14)
 WARN  GET https://registry.npmjs.org/@element-plus/icons-vue/-/icons-vue-2.0.10.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/element-plus/-/element-plus-2.2.27.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/vue-router/-/vue-router-4.1.6.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/vuepress-plugin-sass-palette/-/vuepress-plugin-sass-palette-2.0.0-beta.134.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vueuse/core/-/core-9.5.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/photoswipe/-/photoswipe-5.3.3.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@starzkg/vuepress-plugin-analytics/-/vuepress-plugin-analytics-1.1.4.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@starzkg/vuepress-plugin-giscus-comment/-/vuepress-plugin-giscus-comment-1.0.3.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@starzkg/vuepress-plugin-live2d-widget/-/vuepress-plugin-live2d-widget-1.1.2.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/shared/-/shared-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vuepress/plugin-git/-/plugin-git-2.0.0-beta.53.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/feed/-/feed-4.2.2.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@types/hash-sum/-/hash-sum-1.0.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@types/katex/-/katex-0.14.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@types/lodash.debounce/-/lodash.debounce-4.0.7.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
```
This PR contains the following updates:

| Package | Change |
|---|---|
| vite | `3.2.5` -> `3.2.10` |
GitHub Vulnerability Alerts

CVE-2023-34092

Summary

The issue involves a security vulnerability in Vite, where the server options can be bypassed using a double forward slash (`//`). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. This document outlines the steps to address and mitigate this issue.

Steps to Fix

1. Update Vite: ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.
2. Secure the Server Configuration: in your `vite.config.js` file, review and update the server configuration options to restrict access to unauthorized requests or directories. For example:

```javascript
// vite.config.js
export default {
  server: {
    fs: {
      deny: ['private-directory'], // Restrict access to specific directories
    },
  },
}
```

Impact

Only users explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed.

Patches

Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 and in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16

Details

Vite serves the application from the root path of the project while running in dev mode. By default, Vite uses the server option `fs.deny` to protect sensitive files. But with a simple double forward slash, this `fs` restriction can be bypassed.

PoC

Requesting a path with a leading double forward slash (`//`), e.g. `//.env` or `//.env.local`, successfully bypasses the `fs.deny` restriction.
CVE-2024-23331

Summary

Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

Details

Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate, a blacklist bypass is possible.

See `picomatch` usage, where `nocase` is defaulted to `false`: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files.

PoC

Setup

1. `npm create vite@latest` on a Standard Azure hosted Windows 10 instance.
2. `npm run dev -- --host 0.0.0.0`
3. Create `custom.secret` and `production.pem`.
4. Configure `vite.config.js` with a `server.fs.deny` list covering those files.

Reproduction

```shell
curl -s http://20.12.242.81:5173/@fs//
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
```

Impact

Who: hosts with case-insensitive filesystems (notably Windows) that expose the dev server to the network.

What: files listed in `server.fs.deny` are both discoverable and accessible.
CVE-2024-31207

Summary

Vite dev server option `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`.

Impact

Only apps setting a custom `server.fs.deny` that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

`server.fs.deny` uses picomatch with the config of `{ matchBase: true }`. matchBase only matches the basename of the file, not the path, due to a bug (https://github.com/micromatch/picomatch/issues/89). The Vite config docs read like you should be able to set fs.deny to a glob with picomatch. Vite also does not set `{ dot: true }`, and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to `['**/.git/**']` and then curl for `/.git/config`.

- With `matchBase: true`, you can get any file under `.git/` (config, HEAD, etc).
- With `matchBase: false`, you cannot get any file under `.git/` (config, HEAD, etc).
Release Notes

vitejs/vite (vite)

### [`v3.2.10`](https://togithub.com/vitejs/vite/releases/tag/v3.2.10)

[Compare Source](https://togithub.com/vitejs/vite/compare/v3.2.8...v3.2.10)

Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v3.2.10/packages/vite/CHANGELOG.md) for details.

### [`v3.2.8`](https://togithub.com/vitejs/vite/releases/tag/v3.2.8)

[Compare Source](https://togithub.com/vitejs/vite/compare/v3.2.7...v3.2.8)

Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v3.2.8/packages/vite/CHANGELOG.md) for details.

### [`v3.2.7`](https://togithub.com/vitejs/vite/releases/tag/v3.2.7)

[Compare Source](https://togithub.com/vitejs/vite/compare/v3.2.6...v3.2.7)

Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v3.2.7/packages/vite/CHANGELOG.md) for details.

### [`v3.2.6`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small326-2023-04-18-small)

[Compare Source](https://togithub.com/vitejs/vite/compare/v3.2.5...v3.2.6)

- fix: escape msg in render restricted error html, backport ([#12889](https://togithub.com/vitejs/vite/issues/12889)) ([#12892](https://togithub.com/vitejs/vite/issues/12892)) ([b48ac2a](https://togithub.com/vitejs/vite/commit/b48ac2a)), closes [#12889](https://togithub.com/vitejs/vite/issues/12889) [#12892](https://togithub.com/vitejs/vite/issues/12892)

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.