mirror of https://github.com/Unleash/unleash.git synced 2025-01-31 00:16:47 +01:00

History

renovate[bot] 55e8073e3c chore(deps): update dependency vite to v4.5.1 [security] (#5554 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Change \| Age \| Adoption \| Passing \| Confidence \| \|---\|---\|---\|---\|---\|---\| \| [vite](https://vitejs.dev) ([source](https://togithub.com/vitejs/vite/tree/HEAD/packages/vite)) \| [`4.5.0` -> `4.5.1`](https://renovatebot.com/diffs/npm/vite/4.5.0/4.5.1) \| [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/4.5.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/4.5.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/4.5.0/4.5.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/4.5.0/4.5.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| ### GitHub Vulnerability Alerts #### [CVE-2023-49293](https://togithub.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97) ### Summary When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. ### Impact Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. ### Patches Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12 ### Details Suppose `index.html` contains an inline module script: ```html <script type="module"> // Inline script </script> ``` This script is transformed into a proxy script like ```html <script type="module" src="/index.html?html-proxy&index=0.js"></script> ``` due to Vite's HTML plugin: `7fd7c6cebf/packages/vite/src/node/plugins/html.ts (L429-L465)` When `appType: 'spa' \| 'mpa'`, Vite serves HTML itself, and `htmlFallbackMiddleware` rewrites `req.url` to the canonical path of `index.html`, `73ef074b80/packages/vite/src/node/server/middlewares/htmlFallback.ts (L44-L47)` so the `url` passed to `server.transformIndexHtml` is `/index.html`. However, if `appType: 'custom'`, HTML is served manually, and if `server.transformIndexHtml` is called with the unmodified request URL (as the SSR docs suggest), then the path of the transformed `html-proxy` script varies with the request URL. For example, a request with path `/` produces ```html <script type="module" src="/@id/__x00__/index.html?html-proxy&index=0.js"></script> ``` It is possible to abuse this behavior by crafting a request URL to contain a malicious payload like ``` "></script><script>alert('boom')</script> ``` so a request to http://localhost:5173/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E produces HTML output like ```html <script type="module" src="/@id/__x00__/?"></script><script>alert("boom")</script>?html-proxy&index=0.js"></script> ``` which demonstrates XSS. ### PoC - Example 1. Serving HTML from `vite dev` middleware with `appType: 'custom'` - Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js&terminal=dev-html - "Open in New Tab" - Edit URL to set query string to `?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E` and navigate - Witness XSS: - ![image](https://user-images.githubusercontent.com/2456381/287434281-13757894-7a63-4a73-b1e9-d2b024c19d14.png) - Example 2. Serving HTML from SSR-style Express server (Vite dev server runs in middleware mode): - Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js&terminal=server - (Same steps as above) - Example 3. Plain `vite dev` (this shows that vanilla `vite dev` is _not_ vulnerable, provided `htmlFallbackMiddleware` is used) - Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js&terminal=dev - (Same steps as above) - You should _not_ see the alert box in this case ### Detailed Impact This will probably predominantly affect [development-mode SSR](https://vitejs.dev/guide/ssr#setting-up-the-dev-server), where `vite.transformHtml` is called using the original `req.url`, per the docs: `7fd7c6cebf/docs/guide/ssr.md (L114-L126)` However, since this vulnerability affects `server.transformIndexHtml`, the scope of impact may be higher to also include other ad-hoc calls to `server.transformIndexHtml` from outside of Vite's own codebase. My best guess at bisecting which versions are vulnerable involves the following test script ```js import fs from 'node:fs/promises'; import * as vite from 'vite'; const html = ` <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8" /> </head> <body> <script type="module"> // Inline script </script> </body> </html> `; const server = await vite.createServer({ appType: 'custom' }); const transformed = await server.transformIndexHtml('/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E', html); console.log(transformed); await server.close(); ``` and using it I was able to narrow down to #13581. If this is correct, then vulnerable Vite versions are 4.4.0-beta.2 and higher (which includes 4.4.0). --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v4.5.1`](https://togithub.com/vitejs/vite/releases/tag/v4.5.1) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.5.0...v4.5.1) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.5.1/packages/vite/CHANGELOG.md) for details. </details> --- ### Configuration 📅 Schedule: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/Unleash/unleash). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44MS4zIiwidXBkYXRlZEluVmVyIjoiMzcuODEuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>		2023-12-06 00:30:39 +00:00
..
cypress	chore: test migration backward compatibility (#5492 )	2023-11-30 18:20:13 +01:00
public
scripts
src	feat: filter persisted in url (#5549 )	2023-12-05 17:31:23 +01:00
.editorconfig	add editorconfig	2016-12-05 23:08:32 +01:00
.gitignore
.nvmrc
cypress.config.ts
cypress.d.ts
index.html
index.js
orval.config.js	feat: features list pagination (#5496 )	2023-12-01 14:53:05 +00:00
package.json	chore(deps): update dependency vite to v4.5.1 [security] (#5554 )	2023-12-06 00:30:39 +00:00
README.md
tsconfig.json
tsconfig.node.json
vercel.json
vite.config.ts
yarn.lock	chore(deps): update dependency vite to v4.5.1 [security] (#5554 )	2023-12-06 00:30:39 +00:00

README.md

frontend

This directory contains the Unleash Admin UI frontend app.

Run with a local instance of the unleash-api

Refer to the Contributing to Unleash guide for instructions. The frontend dev server runs (in port 3000) simultaneously with the backend dev server (in port 4242):

yarn install
yarn dev

Run with a sandbox instance of the Unleash API

Alternatively, instead of running unleash-api on localhost, you can use a remote instance:

cd ./frontend
yarn install
yarn run start:sandbox

Running end-to-end tests

We have a set of Cypress tests that run on the build before a PR can be merged so it's important that you check these yourself before submitting a PR. On the server the tests will run against the deployed Heroku app so this is what you probably want to test against:

yarn run start:sandbox

In a different shell, you can run the tests themselves:

yarn run e2e:heroku

If you need to test against patches against a local server instance, you'll need to run that, and then run the end to end tests using:

yarn run e2e

You may also need to test that a feature works against the enterprise version of unleash. Assuming the Heroku instance is still running, this can be done by:

yarn run start:enterprise
yarn run e2e

Generating the OpenAPI client

The frontend uses an OpenAPI client generated from the backend's OpenAPI spec. Whenever there are changes to the backend API, the client should be regenerated:

For now we only use generated types (src/openapi/models). We will use methods (src/openapi/apis) for new features soon.

yarn gen:api
rm -rf src/openapi/apis

clean up src/openapi/index.ts imports, only keep first line export * from './models';

This script assumes that you have a running instance of the enterprise backend at http://localhost:4242. The new OpenAPI client will be generated from the runtime schema of this instance. The target URL can be changed by setting the UNLEASH_OPENAPI_URL env var.

Analyzing bundle size

npx vite-bundle-visualizer in the root of the frontend directory