Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-01-25 00:07:47 +01:00
Code Issues Projects Releases Wiki Activity

chore(deps): update dependency vite to v4.3.9 [security] (#3905)

Browse Source 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://togithub.com/vitejs/vite/tree/main/#readme)
([source](https://togithub.com/vitejs/vite)) | [`4.3.8` ->
`4.3.9`](https://renovatebot.com/diffs/npm/vite/4.3.8/4.3.9) |
[![age](https://badges.renovateapi.com/packages/npm/vite/4.3.9/age-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://badges.renovateapi.com/packages/npm/vite/4.3.9/adoption-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://badges.renovateapi.com/packages/npm/vite/4.3.9/compatibility-slim/4.3.8)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://badges.renovateapi.com/packages/npm/vite/4.3.9/confidence-slim/4.3.8)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2023-34092](https://togithub.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67)

### Summary
Vite Server Options (`server.fs.deny`) can be bypassed using double
forward-slash (//) allows any unauthenticated user to read file from the
Vite root-path of the application including the default [`fs.deny`
settings](https://vitejs.dev/config/server-options.html#server-fs-deny)
(`['.env', '.env.*', '*.{crt,pem}']`)

### Impact
Only users explicitly exposing the Vite dev server to the network (using
`--host` or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host)) are
affected, and only files in the immediate Vite project root folder could
be exposed.

### Patches
Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7,
vite@2.9.16

### Details
Vite serve the application with under the root-path of the project while
running on the dev mode. By default, vite using server options fs.deny
to protected the sensitive information of the file. But, with simply
double forward-slash, we can bypass this fs restriction.

### PoC
1. Create a new latest project of vite using any package manager. (here
I'm using react and vue templates for tested and pnpm)
2. Serve the application on dev mode using pnpm run dev.
3. Directly access the file from url using double forward-slash (`//`)
(e.g: `//.env`, `//.env.local`)
4. Server Options `fs.deny` restrict successfully bypassed.

Proof Images:

![proof-1](https://user-images.githubusercontent.com/30733517/241105344-6ecbc7f6-57b7-45c7-856a-6421a577dda1.png)

![proof-2](https://user-images.githubusercontent.com/30733517/241105349-ab9561e7-8aff-4f29-97f9-b784e673c122.png)

---

### Release Notes

<details>
<summary>vitejs/vite</summary>

###
[`v4.3.9`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small439-2023-05-26-small)

[Compare
Source](https://togithub.com/vitejs/vite/compare/v4.3.8...v4.3.9)

- fix: fs.deny with leading double slash
([#&#8203;13348](https://togithub.com/vitejs/vite/issues/13348))
([813ddd6](https://togithub.com/vitejs/vite/commit/813ddd6)), closes
[#&#8203;13348](https://togithub.com/vitejs/vite/issues/13348)
- fix: optimizeDeps during build and external ids
([#&#8203;13274](https://togithub.com/vitejs/vite/issues/13274))
([e3db771](https://togithub.com/vitejs/vite/commit/e3db771)), closes
[#&#8203;13274](https://togithub.com/vitejs/vite/issues/13274)
- fix(css): return deps if have no postcss plugins
([#&#8203;13344](https://togithub.com/vitejs/vite/issues/13344))
([28923fb](https://togithub.com/vitejs/vite/commit/28923fb)), closes
[#&#8203;13344](https://togithub.com/vitejs/vite/issues/13344)
- fix(legacy): style insert order
([#&#8203;13266](https://togithub.com/vitejs/vite/issues/13266))
([e444375](https://togithub.com/vitejs/vite/commit/e444375)), closes
[#&#8203;13266](https://togithub.com/vitejs/vite/issues/13266)
- chore: revert prev release commit
([2a30a07](https://togithub.com/vitejs/vite/commit/2a30a07))
- release: v4.3.9
([5c9abf7](https://togithub.com/vitejs/vite/commit/5c9abf7))
- docs: optimizeDeps.needsInterop
([#&#8203;13323](https://togithub.com/vitejs/vite/issues/13323))
([b34e79c](https://togithub.com/vitejs/vite/commit/b34e79c)), closes
[#&#8203;13323](https://togithub.com/vitejs/vite/issues/13323)
- test: respect commonjs options in playgrounds
([#&#8203;13273](https://togithub.com/vitejs/vite/issues/13273))
([19e8c68](https://togithub.com/vitejs/vite/commit/19e8c68)), closes
[#&#8203;13273](https://togithub.com/vitejs/vite/issues/13273)
- refactor: simplify SSR options' if statement
([#&#8203;13254](https://togithub.com/vitejs/vite/issues/13254))
([8013a66](https://togithub.com/vitejs/vite/commit/8013a66)), closes
[#&#8203;13254](https://togithub.com/vitejs/vite/issues/13254)
- perf(ssr): calculate stacktrace offset lazily
([#&#8203;13256](https://togithub.com/vitejs/vite/issues/13256))
([906c4c1](https://togithub.com/vitejs/vite/commit/906c4c1)), closes
[#&#8203;13256](https://togithub.com/vitejs/vite/issues/13256)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/Unleash/unleash).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMTAuMCIsInVwZGF0ZWRJblZlciI6IjM1LjExMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This commit is contained in:
renovate[bot] 2023-06-06 16:08:48 +00:00 committed by GitHub
parent 44f752e714
commit bf99f6fa6e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
frontend/package.json
View File

@ -108,7 +108,7 @@
"swr": "2.1.5",
"tss-react": "4.8.4",
"typescript": "4.8.4",
"vite": "4.3.8",
"vite": "4.3.9",
"vite-plugin-env-compatible": "1.1.1",
"vite-plugin-svgr": "2.4.0",
"vite-tsconfig-paths": "4.2.0",

8
frontend/yarn.lock
View File

@ -9377,10 +9377,10 @@ vite-tsconfig-paths@4.2.0:
globrex "^0.1.2"
tsconfck "^2.1.0"
vite@4.3.8:
version "4.3.8"
resolved "https://registry.yarnpkg.com/vite/-/vite-4.3.8.tgz#70cd6a294ab52d7fb8f37f5bc63d117dd19e9918"
integrity sha512-uYB8PwN7hbMrf4j1xzGDk/lqjsZvCDbt/JC5dyfxc19Pg8kRm14LinK/uq+HSLNswZEoKmweGdtpbnxRtrAXiQ==
vite@4.3.9:
version "4.3.9"
resolved "https://registry.yarnpkg.com/vite/-/vite-4.3.9.tgz#db896200c0b1aa13b37cdc35c9e99ee2fdd5f96d"
integrity sha512-qsTNZjO9NoJNW7KnOrgYwczm0WctJ8m/yqYAMAK9Lxt4SoySUfS5S8ia9K7JHpa3KEeMfyF8LoJ3c5NeBJy6pg==
dependencies:
esbuild "^0.17.5"
postcss "^8.4.23"