8f4780c52f
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vitejs.dev) ([source](https://togithub.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.0.11` -> `5.0.12`](https://renovatebot.com/diffs/npm/vite/5.0.11/5.0.12) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.0.11/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.0.11/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-23331](https://togithub.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw) ### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. ### Patches Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17 ### Details Because `picomatch` defaults to case-sensitive glob matching while the file server does not discriminate, a blacklist bypass is possible. 
See `picomatch` usage, where `nocase` is defaulted to `false`: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632 By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. ### PoC **Setup** 1. Created vanilla Vite project using `npm create vite@latest` on a Standard Azure hosted Windows 10 instance. - `npm run dev -- --host 0.0.0.0` - Publicly accessible for the time being here: http://20.12.242.81:5173/ 2. Created dummy secret files, e.g. `custom.secret` and `production.pem` 3. Populated `vite.config.js` with ```javascript export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } } ``` **Reproduction** 1. `curl -s http://20.12.242.81:5173/@​fs//` - Descriptive error page reveals absolute filesystem path to project root 2. `curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js` - Discoverable configuration file reveals locations of secrets 3. `curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT` - Secrets are directly accessible using case-augmented version of filename **Proof** ![Screenshot 2024-01-19 022736](https://user-images.githubusercontent.com/907968/298020728-3a8d3c06-fcfd-4009-9182-e842f66a6ea5.png) ### Impact **Who** - Users with exposed dev servers on environments with case-insensitive filesystems **What** - Files protected by `server.fs.deny` are both discoverable, and accessible --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v5.0.12`](https://togithub.com/vitejs/vite/releases/tag/v5.0.12) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.11...v5.0.12) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.0.12/packages/vite/CHANGELOG.md) for details. 
</details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/Unleash/unleash). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMzUuMCIsInVwZGF0ZWRJblZlciI6IjM3LjEzNS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
{
|
|
"name": "unleash-frontend-local",
|
|
"version": "0.0.0",
|
|
"private": true,
|
|
"files": [
|
|
"index.js",
|
|
"build"
|
|
],
|
|
"engines": {
|
|
"node": ">=18"
|
|
},
|
|
"scripts": {
|
|
"build": "vite build",
|
|
"dev": "vite",
|
|
"start": "vite",
|
|
"start:prod": "vite build && vite preview",
|
|
"start:sandbox": "UNLEASH_API=https://sandbox.getunleash.io/ospro yarn run start",
|
|
"start:sandbox:enterprise": "UNLEASH_API=https://sandbox.getunleash.io/ VITE_TEST_REDIRECT=true UNLEASH_BASE_PATH=/enterprise/ yarn run start",
|
|
"start:demo2": "UNLEASH_API=https://sandbox.getunleash.io/ UNLEASH_BASE_PATH=/demo2/ yarn run start",
|
|
"start:enterprise": "UNLEASH_API=https://unleash.herokuapp.com VITE_TEST_REDIRECT=true yarn run start",
|
|
"start:demo": "UNLEASH_BASE_PATH=/demo/ UNLEASH_API=https://app.unleash-hosted.com/ yarn run start",
|
|
"test": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" vitest run",
|
|
"test:snapshot": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" yarn test -u",
|
|
"test:watch": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" vitest watch",
|
|
"lint": "biome lint src --apply",
|
|
"lint:check": "biome check src",
|
|
"fmt": "biome format src --write",
|
|
"fmt:check": "biome check src",
|
|
"ts:check": "tsc",
|
|
"e2e": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" yarn run cypress open --config baseUrl='http://localhost:3000' --env AUTH_USER=admin,AUTH_PASSWORD=unleash4all",
|
|
"e2e:oss": "yarn --cwd frontend run cypress run --spec \"cypress/oss/**/*.spec.ts\" --config baseUrl=\"http://localhost:${EXPOSED_PORT:-4242}\" --env AUTH_USER=admin,AUTH_PASSWORD=unleash4all",
|
|
"e2e:heroku": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" yarn run cypress open --config baseUrl='https://unleash.herokuapp.com' --env AUTH_USER=admin,AUTH_PASSWORD=unleash4all",
|
|
"gen:api": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" orval --config orval.config.js",
|
|
"gen:api:demo": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" UNLEASH_OPENAPI_URL=https://app.unleash-hosted.com/demo/docs/openapi.json yarn run gen:api",
|
|
"gen:api:sandbox": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" UNLEASH_OPENAPI_URL=https://sandbox.getunleash.io/demo2/docs/openapi.json yarn run gen:api"
|
|
},
|
|
"devDependencies": {
|
|
"@biomejs/biome": "1.5.1",
|
|
"@codemirror/lang-json": "6.0.1",
|
|
"@emotion/react": "11.11.3",
|
|
"@emotion/styled": "11.11.0",
|
|
"@mui/icons-material": "5.15.3",
|
|
"@mui/lab": "5.0.0-alpha.159",
|
|
"@mui/material": "5.15.3",
|
|
"@mui/x-date-pickers": "^6.18.3",
|
|
"@tanstack/react-table": "^8.10.7",
|
|
"@testing-library/dom": "8.20.1",
|
|
"@testing-library/jest-dom": "6.2.0",
|
|
"@testing-library/react": "12.1.5",
|
|
"@testing-library/react-hooks": "7.0.2",
|
|
"@testing-library/user-event": "14.5.2",
|
|
"@types/debounce": "1.2.4",
|
|
"@types/deep-diff": "1.0.5",
|
|
"@types/jest": "29.5.11",
|
|
"@types/lodash.clonedeep": "4.5.9",
|
|
"@types/lodash.isequal": "^4.5.8",
|
|
"@types/lodash.mapvalues": "^4.6.9",
|
|
"@types/lodash.omit": "4.5.9",
|
|
"@types/node": "18.19.6",
|
|
"@types/react": "17.0.74",
|
|
"@types/react-dom": "17.0.25",
|
|
"@types/react-linkify": "1.0.4",
|
|
"@types/react-router-dom": "5.3.3",
|
|
"@types/react-table": "7.7.19",
|
|
"@types/react-test-renderer": "17.0.9",
|
|
"@types/react-timeago": "4.1.7",
|
|
"@types/semver": "7.5.6",
|
|
"@types/uuid": "^9.0.0",
|
|
"@uiw/codemirror-theme-duotone": "4.21.21",
|
|
"@uiw/react-codemirror": "4.21.21",
|
|
"@vitejs/plugin-react": "4.2.1",
|
|
"cartesian": "^1.0.1",
|
|
"chart.js": "3.9.1",
|
|
"chartjs-adapter-date-fns": "3.0.0",
|
|
"classnames": "2.5.1",
|
|
"copy-to-clipboard": "3.3.3",
|
|
"countries-and-timezones": "^3.4.0",
|
|
"cypress": "13.6.2",
|
|
"cypress-vite": "^1.4.0",
|
|
"date-fns": "2.30.0",
|
|
"date-fns-tz": "^2.0.0",
|
|
"debounce": "2.0.0",
|
|
"deep-diff": "1.0.2",
|
|
"dequal": "2.0.3",
|
|
"fast-json-patch": "3.1.1",
|
|
"http-proxy-middleware": "2.0.6",
|
|
"immer": "9.0.21",
|
|
"jsdom": "23.1.0",
|
|
"lodash.clonedeep": "4.5.0",
|
|
"lodash.isequal": "^4.5.0",
|
|
"lodash.mapvalues": "^4.6.0",
|
|
"lodash.omit": "4.5.0",
|
|
"mermaid": "^9.3.0",
|
|
"millify": "^6.0.0",
|
|
"msw": "0.49.3",
|
|
"pkginfo": "0.4.1",
|
|
"plausible-tracker": "0.3.8",
|
|
"prop-types": "15.8.1",
|
|
"react": "17.0.2",
|
|
"react-chartjs-2": "4.3.1",
|
|
"react-confetti": "^6.1.0",
|
|
"react-dom": "17.0.2",
|
|
"react-dropzone": "14.2.3",
|
|
"react-error-boundary": "3.1.4",
|
|
"react-hooks-global-state": "2.1.0",
|
|
"react-joyride": "^2.5.3",
|
|
"react-linkify": "^1.0.0-alpha",
|
|
"react-markdown": "^8.0.4",
|
|
"react-router-dom": "6.21.2",
|
|
"react-table": "7.8.0",
|
|
"react-test-renderer": "17.0.2",
|
|
"react-timeago": "7.2.0",
|
|
"sass": "1.69.7",
|
|
"semver": "7.5.4",
|
|
"swr": "2.2.4",
|
|
"tss-react": "4.9.3",
|
|
"typescript": "4.8.4",
|
|
"use-query-params": "^2.2.1",
|
|
"vanilla-jsoneditor": "^0.21.0",
|
|
"vite": "5.0.12",
|
|
"vite-plugin-env-compatible": "2.0.1",
|
|
"vite-plugin-svgr": "3.3.0",
|
|
"vite-tsconfig-paths": "4.2.3",
|
|
"vitest": "1.1.3",
|
|
"whatwg-fetch": "3.6.20"
|
|
},
|
|
"optionalDependencies": {
|
|
"orval": "^6.17.0"
|
|
},
|
|
"resolutions": {
|
|
"@codemirror/state": "6.4.0",
|
|
"@xmldom/xmldom": "^0.8.4",
|
|
"json5": "^2.2.2",
|
|
"@types/react": "17.0.74",
|
|
"@types/react-dom": "17.0.25",
|
|
"semver": "7.5.4"
|
|
},
|
|
"jest": {
|
|
"moduleNameMapper": {
|
|
"\\.(jpg|jpeg|png|gif|eot|otf|webp|ttf|woff|woff2|mp4|webm|wav|mp3|m4a|aac|oga)$": "<rootDir>/src/__mocks__/fileMock.js",
|
|
"\\.svg": "<rootDir>/src/__mocks__/svgMock.js",
|
|
"\\.(css|scss)$": "identity-obj-proxy"
|
|
}
|
|
},
|
|
"browserslist": {
|
|
"production": [
|
|
">0.2%",
|
|
"not dead",
|
|
"not op_mini all"
|
|
],
|
|
"development": [
|
|
"last 1 chrome version",
|
|
"last 1 firefox version",
|
|
"last 1 safari version"
|
|
]
|
|
}
|
|
}
|