Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2024-10-18 20:09:08 +02:00
Code Issues Projects Releases Wiki Activity
8f4780c52f
unleash.unleash/frontend
History
renovate[bot] 8f4780c52f
chore(deps): update dependency vite to v5.0.12 [security] (#5977) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vitejs.dev)
([source](https://togithub.com/vitejs/vite/tree/HEAD/packages/vite)) |
[`5.0.11` ->
`5.0.12`](https://renovatebot.com/diffs/npm/vite/5.0.11/5.0.12) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.0.11/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.0.11/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-23331](https://togithub.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw)

### Summary
[Vite dev server
option](https://vitejs.dev/config/server-options.html#server-fs-deny)
`server.fs.deny` can be bypassed on case-insensitive file systems using
case-augmented versions of filenames. Notably this affects servers
hosted on Windows.

This bypass is similar to
https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area
reduced to hosts having case-insensitive filesystems.

### Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

### Details
Since `picomatch` defaults to case-sensitive glob matching, but the file
server doesn't discriminate; a blacklist bypass is possible.

See `picomatch` usage, where `nocase` is defaulted to `false`:
https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher
derived from `config.server.fs.deny` fails to block access to sensitive
files.

### PoC
**Setup**
1. Created vanilla Vite project using `npm create vite@latest` on a
Standard Azure hosted Windows 10 instance.
    - `npm run dev -- --host 0.0.0.0`
- Publicly accessible for the time being here: http://20.12.242.81:5173/
2. Created dummy secret files, e.g. `custom.secret` and `production.pem`
3. Populated `vite.config.js` with
```javascript
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }
```

**Reproduction**
1. `curl -s http://20.12.242.81:5173/@​fs//`
- Descriptive error page reveals absolute filesystem path to project
root
2. `curl -s
http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js`
    - Discoverable configuration file reveals locations of secrets
3. `curl -s
http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT`
- Secrets are directly accessible using case-augmented version of
filename

**Proof**
![Screenshot 2024-01-19
022736](https://user-images.githubusercontent.com/907968/298020728-3a8d3c06-fcfd-4009-9182-e842f66a6ea5.png)

### Impact
**Who**
- Users with exposed dev servers on environments with case-insensitive
filesystems

**What**
- Files protected by `server.fs.deny` are both discoverable, and
accessible

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v5.0.12`](https://togithub.com/vitejs/vite/releases/tag/v5.0.12)

[Compare
Source](https://togithub.com/vitejs/vite/compare/v5.0.11...v5.0.12)

Please refer to
[CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.0.12/packages/vite/CHANGELOG.md)
for details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/Unleash/unleash).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMzUuMCIsInVwZGF0ZWRJblZlciI6IjM3LjEzNS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-20 01:38:23 +00:00
..
cypress chore: wait for post to finish instead of waiting a fixed time (#5851) 2024-01-11 11:03:01 +01:00
public
scripts
src fix: handle title diffing correctly in strategy change diffs (#5971) 2024-01-19 18:56:46 +04:00
.editorconfig
.gitignore
.nvmrc
cypress.config.ts chore: upgrading vite to newer version (#5703) 2023-12-20 14:48:18 +01:00
cypress.d.ts feat: biome lint frontend (#4903) 2023-10-02 13:25:46 +01:00
index.html
index.js
orval.config.js
package.json chore(deps): update dependency vite to v5.0.12 [security] (#5977) 2024-01-20 01:38:23 +00:00
README.md
tsconfig.json
tsconfig.node.json chore: upgrading vite to newer version (#5703) 2023-12-20 14:48:18 +01:00
vercel.json
vite.config.mts fix: fix assets not showing up (#5757) 2024-01-04 12:11:42 +02:00
yarn.lock chore(deps): update dependency vite to v5.0.12 [security] (#5977) 2024-01-20 01:38:23 +00:00

README.md

frontend

This directory contains the Unleash Admin UI frontend app.

Run with a local instance of the unleash-api

Refer to the Contributing to Unleash guide for instructions. The frontend dev server runs (in port 3000) simultaneously with the backend dev server (in port 4242):

yarn install
yarn dev

Run with a sandbox instance of the Unleash API

Alternatively, instead of running unleash-api on localhost, you can use a remote instance:

cd ./frontend
yarn install
yarn run start:sandbox

Running end-to-end tests

We have a set of Cypress tests that run on the build before a PR can be merged so it's important that you check these yourself before submitting a PR. On the server the tests will run against the deployed Heroku app so this is what you probably want to test against:

yarn run start:sandbox

In a different shell, you can run the tests themselves:

yarn run e2e:heroku

If you need to test against patches against a local server instance, you'll need to run that, and then run the end to end tests using:

yarn run e2e

You may also need to test that a feature works against the enterprise version of unleash. Assuming the Heroku instance is still running, this can be done by:

yarn run start:enterprise
yarn run e2e

Generating the OpenAPI client

The frontend uses an OpenAPI client generated from the backend's OpenAPI spec. Whenever there are changes to the backend API, the client should be regenerated:

For now we only use generated types (src/openapi/models). We will use methods (src/openapi/apis) for new features soon.

yarn gen:api
rm -rf src/openapi/apis

clean up src/openapi/index.ts imports, only keep first line export * from './models';

This script assumes that you have a running instance of the enterprise backend at http://localhost:4242. The new OpenAPI client will be generated from the runtime schema of this instance. The target URL can be changed by setting the UNLEASH_OPENAPI_URL env var.

Analyzing bundle size

npx vite-bundle-visualizer in the root of the frontend directory