Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-02-28 00:17:12 +01:00
Code Issues Projects Releases Wiki Activity
Unleash is the open source feature toggle service.
13,005 Commits 491 Branches 875 Tags 315 MiB
TypeScript 92.4%
MDX 4%
JavaScript 2.5%
Mustache 0.7%
CSS 0.2%
89cb9dc59a
Go to file
renovate[bot] 89cb9dc59a
chore(deps): update dependency vite to v5.4.12 [security] (#9131) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`5.4.11` ->
`5.4.12`](https://renovatebot.com/diffs/npm/vite/5.4.11/5.4.12) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.4.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.4.11/5.4.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.11/5.4.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-24010](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6)

### Summary
Vite allowed any websites to send any requests to the development server
and read the response due to default CORS settings and lack of
validation on the Origin header for WebSocket connections.

### Upgrade Path
Users that does not match either of the following conditions should be
able to upgrade to a newer version of Vite that fixes the vulnerability
without any additional configuration.

- Using the backend integration feature
- Using a reverse proxy in front of Vite
- Accessing the development server via a domain other than `localhost`
or `*.localhost`
- Using a plugin / framework that connects to the WebSocket server on
their own from the browser

#### Using the backend integration feature
If you are using the backend integration feature and not setting
[`server.origin`](https://vite.dev/config/server-options.html#server-origin),
you need to add the origin of the backend server to the
[`server.cors.origin`](https://redirect.github.com/expressjs/cors#configuration-options)
option. Make sure to set a specific origin rather than `*`, otherwise
any origin can access your development server.

#### Using a reverse proxy in front of Vite
If you are using a reverse proxy in front of Vite and sending requests
to Vite with a hostname other than `localhost` or `*.localhost`, you
need to add the hostname to the new
[`server.allowedHosts`](https://vite.dev/config/server-options.html#server-allowedhosts)
option. For example, if the reverse proxy is sending requests to
`http://vite:5173`, you need to add `vite` to the `server.allowedHosts`
option.

#### Accessing the development server via a domain other than
`localhost` or `*.localhost`
You need to add the hostname to the new
[`server.allowedHosts`](https://vite.dev/config/server-options.html#server-allowedhosts)
option. For example, if you are accessing the development server via
`http://foo.example.com:8080`, you need to add `foo.example.com` to the
`server.allowedHosts` option.

#### Using a plugin / framework that connects to the WebSocket server on
their own from the browser
If you are using a plugin / framework, try upgrading to a newer version
of Vite that fixes the vulnerability. If the WebSocket connection
appears not to be working, the plugin / framework may have a code that
connects to the WebSocket server on their own from the browser.

In that case, you can either:

- fix the plugin / framework code to the make it compatible with the new
version of Vite
- set `legacy.skipWebSocketTokenCheck: true` to opt-out the fix for [2]
while the plugin / framework is incompatible with the new version of
Vite
- When enabling this option, **make sure that you are aware of the
security implications** described in the impact section of [2] above.

### Mitigation without upgrading Vite

#### [1]: Permissive default CORS settings
Set `server.cors` to `false` or limit `server.cors.origin` to trusted
origins.

#### [2]: Lack of validation on the Origin header for WebSocket
connections
There aren't any mitigations for this.

#### [3]: Lack of validation on the Host header for HTTP requests
Use Chrome 94+ or use HTTPS for the development server.

### Details

There are three causes that allowed malicious websites to send any
requests to the development server:

#### [1]: Permissive default CORS settings

Vite sets the
[`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
header depending on
[`server.cors`](https://vite.dev/config/server-options.html#server-cors)
option. The default value was `true` which sets
`Access-Control-Allow-Origin: *`. This allows websites on any origin to
`fetch` contents served on the development server.

Attack scenario:

1. The attacker serves a malicious web page
(`http://malicious.example.com`).
2. The user accesses the malicious web page.
3. The attacker sends a `fetch('http://127.0.0.1:5173/main.js')` request
by JS in that malicious web page. This request is normally blocked by
same-origin policy, but that's not the case for the reasons above.
4. The attacker gets the content of `http://127.0.0.1:5173/main.js`.

#### [2]: Lack of validation on the Origin header for WebSocket
connections

Vite starts a WebSocket server to handle HMR and other functionalities.
This WebSocket server [did not perform validation on the Origin
header](https://redirect.github.com/vitejs/vite/blob/v6.0.7/packages/vite/src/node/server/ws.ts#L145-L157)
and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks.
With that attack, an attacker can read and write messages on the
WebSocket connection. Vite only sends some information over the
WebSocket connection ([list of the file paths that changed, the file
content where the errored happened,
etc.](https://redirect.github.com/vitejs/vite/blob/v6.0.7/packages/vite/types/hmrPayload.d.ts#L12-L72)),
but plugins can send arbitrary messages and may include more sensitive
information.

Attack scenario:

1. The attacker serves a malicious web page
(`http://malicious.example.com`).
2. The user accesses the malicious web page.
3. The attacker runs `new WebSocket('http://127.0.0.1:5173',
'vite-hmr')` by JS in that malicious web page.
4. The user edits some files.
5. Vite sends some HMR messages over WebSocket.
6. The attacker gets the content of the HMR messages.

#### [3]: Lack of validation on the Host header for HTTP requests

Unless
[`server.https`](https://vite.dev/config/server-options.html#server-https)
is set, Vite starts the development server on HTTP. Non-HTTPS servers
are vulnerable to DNS rebinding attacks without validation on the Host
header. But Vite did not perform validation on the Host header. By
exploiting this vulnerability, an attacker can send arbitrary requests
to the development server bypassing the same-origin policy.

1. The attacker serves a malicious web page that is served on **HTTP**
(`http://malicious.example.com:5173`) (HTTPS won't work).
2. The user accesses the malicious web page.
3. The attacker changes the DNS to point to 127.0.0.1 (or other private
addresses).
4. The attacker sends a `fetch('/main.js')` request by JS in that
malicious web page.
5. The attacker gets the content of `http://127.0.0.1:5173/main.js`
bypassing the same origin policy.

### Impact

#### [1]: Permissive default CORS settings
Users with the default `server.cors` option may:

- get the source code stolen by malicious websites
- give the attacker access to functionalities that are not supposed to
be exposed externally
- Vite core does not have any functionality that causes changes
somewhere else when receiving a request, but plugins may implement those
functionalities and servers behind `server.proxy` may have those
functionalities.

#### [2]: Lack of validation on the Origin header for WebSocket
connections
All users may get the file paths of the files that changed and the file
content where the error happened be stolen by malicious websites.

For users that is using a plugin that sends messages over WebSocket,
that content may be stolen by malicious websites.

For users that is using a plugin that has a functionality that is
triggered by messages over WebSocket, that functionality may be
exploited by malicious websites.

#### [3]: Lack of validation on the Host header for HTTP requests
Users using HTTP for the development server and using a browser that is
not Chrome 94+ may:

- get the source code stolen by malicious websites
- give the attacker access to functionalities that are not supposed to
be exposed externally
- Vite core does not have any functionality that causes changes
somewhere else when receiving a request, but plugins may implement those
functionalities and servers behind `server.proxy` may have those
functionalities.

Chrome 94+ users are not affected for [3], because [sending a request to
a private network page from public non-HTTPS page is
forbidden](https://developer.chrome.com/blog/private-network-access-update#chrome_94)
since Chrome 94.

### Related Information
Safari has [a bug that blocks requests to loopback addresses from HTTPS
origins](https://bugs.webkit.org/show_bug.cgi?id=171934). This means
when the user is using Safari and Vite is listening on lookback
addresses, there's another condition of "the malicious web page is
served on HTTP" to make [1] and [2] to work.

### PoC

#### [2]: Lack of validation on the Origin header for WebSocket
connections
1. I used the `react` template which utilizes HMR functionality.

```
npm create vite@latest my-vue-app-react -- --template react
```

2. Then on a malicious server, serve the following POC html:
```html
<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>vite CSWSH</title>
    </head>
    <body>
        <div id="logs"></div>
        <script>
            const div = document.querySelectorAll('#logs')[0];
            const ws = new WebSocket('ws://localhost:5173','vite-hmr');
            ws.onmessage = event => {
                const logLine = document.createElement('p');
                logLine.innerHTML = event.data;
                div.append(logLine);
            };
        </script>
    </body>
</html>
```

3. Kick off Vite 

```
npm run dev
```

4. Load the development server (open `http://localhost:5173/`) as well
as the malicious page in the browser.
5. Edit `src/App.jsx` file and intentionally place a syntax error
6. Notice how the malicious page can view the websocket messages and a
snippet of the source code is exposed

Here's a video demonstrating the POC:


https://github.com/user-attachments/assets/a4ad05cd-0b34-461c-9ff6-d7c8663d6961

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

###
[`v5.4.12`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.12)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v5.4.11...v5.4.12)

Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.12/packages/vite/CHANGELOG.md)
for details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/Unleash/unleash).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xMDcuMCIsInVwZGF0ZWRJblZlciI6IjM5LjEwNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-21 22:19:51 +00:00
.do fix: DigitalOcean template (#4287) 2023-07-20 12:13:44 +00:00
.floe docs: spelling and grammar (#6007) 2024-01-23 19:52:10 +01:00
.github chore: switch notify enterprise to main (#9119) 2025-01-20 10:36:21 +00:00
.husky chore: integration events API (#7639) 2024-07-23 10:09:19 +01:00
.vscode chore: adds Biome as a recommended extension for vscode (#4909) 2023-10-02 14:13:28 +01:00
.yarn/releases chore(deps): update yarn to v4.5.3 (#8911) 2024-12-04 07:39:50 +00:00
coverage feat: Instance stats for export/import (#3121) 2023-02-15 14:39:16 +02:00
docker task: Remove docker package setup. (#8959) 2024-12-11 13:50:38 +01:00
docs/api/oas
examples
frontend chore(deps): update dependency vite to v5.4.12 [security] (#9131) 2025-01-21 22:19:51 +00:00
scripts chore: remove release-checks (#8884) 2024-11-29 09:38:02 +01:00
src chore: create the releasePlanChangeRequests feature flag (#9126) 2025-01-21 14:26:22 +01:00
test-migrations task: Yarn v4 (#7457) 2024-06-27 12:52:43 +02:00
website Update docs and screenshots for lifecycle (#9120) 2025-01-21 09:33:26 +01:00
.dockerignore task: Remove docker package setup. (#8959) 2024-12-11 13:50:38 +01:00
.editorconfig Move e2e tests from frontend to backend .github (#1975) 2022-08-29 12:25:11 +00:00
.gitignore chore: Add Thomas's weird files to .gitignore (#8872) 2024-11-27 16:53:33 +01:00
.lycheeignore docs: added oidc example to lycheeignore 2024-07-23 09:36:20 +02:00
.mergify.yml chore: mergify (#3631) 2023-04-26 16:07:34 +02:00
.node-version chore(deps): update node.js to v20.18.1 (#8906) 2024-12-03 01:13:36 +00:00
.npmignore task: Yarn v4 (#7457) 2024-06-27 12:52:43 +02:00
.nvmrc Node20 (#7095) 2024-05-23 14:14:09 +02:00
.yarnrc.yml chore(deps): update yarn to v4.5.3 (#8911) 2024-12-04 07:39:50 +00:00
app.json chore: Update app.json (#7078) 2024-05-20 14:18:48 +02:00
biome.json chore: upgrade to biome 1.9.4 (#8616) 2024-10-31 15:24:22 +01:00
CHANGELOG.md docs: Update CHANGELOG.md 2025-01-14 10:32:45 +00:00
cliff.toml chore(deps): added task as valid prefix for miscellaneuous task 2023-10-18 12:25:20 +02:00
CODE_OF_CONDUCT.md Proposed version 2.1 2023-05-16 15:14:03 +02:00
CODEOWNERS Made Melinda a code owner for the docs (#7783) 2024-08-06 14:21:13 +00:00
CONTRIBUTING.md docs: recommend PG v13 or later (#8276) 2024-09-26 14:38:00 +02:00
docker-compose.yml chore: update DATABASE_URL to use the database created via POSTGRES_D… (#4836) 2023-09-28 13:07:03 +02:00
Dockerfile task: Remove docker package setup. (#8959) 2024-12-11 13:50:38 +01:00
LICENSE fix: license year and company 2020-05-12 22:41:36 +02:00
package.json chore(deps): update dependency @apidevtools/swagger-parser to v10.1.1 (#9128) 2025-01-21 18:31:30 +00:00
README.md Simplify Unleash docs updates (#8925) 2024-12-17 14:36:16 +01:00
renovate.json chore(renovate): Update renovate configuration json file (#9016) 2025-01-14 09:57:50 +01:00
tsconfig.json fix(import): making all imports relative and removing baseUrl (#5847) 2024-01-17 15:33:03 +02:00
USERS.md chore: customer requested to CS to be removed from this list. 2024-07-02 10:10:56 +02:00
yarn.lock chore(deps): update dependency @apidevtools/swagger-parser to v10.1.1 (#9128) 2025-01-21 18:31:30 +00:00

README.md

What is Unleash?

Unleash is a powerful open-source solution for feature management. It streamlines your development workflow, accelerates software delivery, and empowers teams to control how and when they roll out new features to end users. With Unleash, you can deploy code to production in smaller, more manageable releases at your own pace.

Feature flags in Unleash let you test your code with real production data, reducing the risk of negatively impacting your users' experience. It also enables your team to work on multiple features simultaneously without the need for separate feature branches.

Unleash is the most popular open-source solution for feature flagging on GitHub. It supports 15 official client and server SDKs and over 15 community SDKs. You can even create your own SDK if you wish. Unleash is compatible with any language and framework.


Get started with Unleash

Set up Unleash

To get started with Unleash, you can either explore Unleash Enterprise with a free trial or get started locally with our open-source solution.

Unleash Enterprise

To start with Unleash Enterprise, request a free trial. This gives you access to a hosted instance with unlimited projects and environments and features such as role-based access control, change requests, single sign-on, and SCIM for automatic user provisioning.

Unleash Open Source

To set up Unleash locally, you'll need git and docker installed on your machine.

Execute the following commands:

git clone git@github.com:Unleash/unleash.git
cd unleash
docker compose up -d

Then point your browser to localhost:4242 and log in using:

  • username: admin
  • password: unleash4all

If you'd rather run the source code in this repo directly via Node.js, see the step-by-step instructions to get up and running in the contributing guide.

Connect your SDK

Find your preferred SDK in our list of official SDKs and import it into your project. Follow the setup guides for your specific SDK.

If you use the docker compose file from the previous step, here's the configuration details you'll need to get going:

  • For front-end SDKs, use:
    • URL: http://localhost:4242/api/frontend/
    • clientKey: default:development.unleash-insecure-frontend-api-token
  • For server-side SDKs, use:
    • Unleash API URL: http://localhost:4242/api/
    • API token: default:development.unleash-insecure-api-token

If you use a different setup, your configuration details will most likely also be different.

Check a feature flag

Checking the state of a feature flag in your code is easy! The syntax will vary depending on your language, but all you need is a simple function call to check whether a flag is available. Here's how it might look in Java:

if (unleash.isEnabled("AwesomeFeature")) {
  // do new, flashy thing
} else {
  // do old, boring stuff
}

Run Unleash on a service?

If you don't want to run Unleash locally, we also provide easy deployment setups for Heroku and Digital Ocean:

Deploy to Heroku Deploy to DigitalOcean

Configure and run Unleash anywhere

The above sections show you how to get up and running quickly and easily. When you're ready to start configuring and customizing Unleash for your own environment, check out the documentation for getting started with self-managed deployments, Unleash configuration options, or running Unleash locally via docker.


Online demo

Try out the Unleash online demo.

The Unleash online demo


Community and help — sharing is caring

We know that learning a new tool can be hard and time-consuming. We have a growing community that loves to help out. Please don't hesitate to reach out for help.

Join Unleash on Slack

💬 Join Unleash on Slack if you want ask open questions about Unleash, feature toggling or discuss these topics in general.

💻 Create a GitHub issue if you have found a bug or have ideas on how to improve Unleash.

📚 Visit the documentation for more in-depth descriptions, how-to guides, and more.

📖 Learn more about the principles of building and scaling feature flag solutions.


Contribute to Unleash

Unleash is the largest open-source feature flag solution on GitHub. Building Unleash is a collaborative effort, and we owe a lot of gratitude to many smart and talented individuals. Building it together with the community ensures that we build a product that solves real problems for real people. We'd love to have your help too: Please feel free to open issues or provide pull requests.

Check out the CONTRIBUTING.md file for contribution guidelines and the Unleash developer guide for tips on environment setup, running the tests, and running Unleash from source.

Contributors

The Unleash contributors


Features our users love

Flexibility and adaptability

Security and performance

  • Privacy by design (GDPR and Schrems II). End-user data never leaves your application.
  • Audit logs
  • Enforce OWASP's secure headers via the strict HTTPS-only mode
  • Flexible hosting options: host it on premise or in the cloud (any cloud)
  • Scale with Unleash Edge independently of the Unleash server to support any number of front-end clients without overloading your Unleash instance

Looking for more features?

If you're looking for one of the following features, please take a look at our Pro and Enterprise plans:


Architecture

Read more in the system overview section of the Unleash documentation.


Unleash SDKs

To connect your application to Unleash you'll need to use a client SDK for your programming language.

Official server-side SDKs:

Official front-end SDKs:

The front-end SDKs connect via Unleash Edge in order to ensure privacy, scalability and security.

Community SDKs:

If none of the official SDKs fit your need, there's also a number of community-developed SDKs where you might find an implementation for your preferred language (such as Elixir, Dart, Clojure, and more).


Users of Unleash

Unleash is trusted by thousands of companies all over the world.

Proud Open-Source users: (send us a message if you want to add your logo here)

The Unleash logo encircled by logos for Finn.no, nav (the Norwegian Labour and Welfare Administration), Budgets, Otovo, and Amedia. The encircling logos are all connected to the Unleash logo.


Migration guides

Unleash has evolved significantly over the past few years, and we know how hard it can be to keep software up to date. If you're using the current major version, upgrading shouldn't be an issue. If you're on a previous major version, check out the Unleash migration guide!


Want to know more about Unleash?

Videos and podcasts

Articles and more