8f4780c52f
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vitejs.dev) ([source](https://togithub.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.0.11` -> `5.0.12`](https://renovatebot.com/diffs/npm/vite/5.0.11/5.0.12) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.0.11/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.0.11/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-23331](https://togithub.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw) ### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. ### Patches Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17 ### Details Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. See `picomatch` usage, where `nocase` is defaulted to `false`: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632 By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. ### PoC **Setup** 1. Created vanilla Vite project using `npm create vite@latest` on a Standard Azure hosted Windows 10 instance. - `npm run dev -- --host 0.0.0.0` - Publicly accessible for the time being here: http://20.12.242.81:5173/ 2. Created dummy secret files, e.g. `custom.secret` and `production.pem` 3. Populated `vite.config.js` with ```javascript export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } } ``` **Reproduction** 1. `curl -s http://20.12.242.81:5173/@​fs//` - Descriptive error page reveals absolute filesystem path to project root 2. `curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js` - Discoverable configuration file reveals locations of secrets 3. `curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT` - Secrets are directly accessible using case-augmented version of filename **Proof** ![Screenshot 2024-01-19 022736](https://user-images.githubusercontent.com/907968/298020728-3a8d3c06-fcfd-4009-9182-e842f66a6ea5.png) ### Impact **Who** - Users with exposed dev servers on environments with case-insensitive filesystems **What** - Files protected by `server.fs.deny` are both discoverable, and accessible --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v5.0.12`](https://togithub.com/vitejs/vite/releases/tag/v5.0.12) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.11...v5.0.12) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.0.12/packages/vite/CHANGELOG.md) for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/Unleash/unleash). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMzUuMCIsInVwZGF0ZWRJblZlciI6IjM3LjEzNS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
---|---|---|
.. | ||
cypress | ||
public | ||
scripts | ||
src | ||
.editorconfig | ||
.gitignore | ||
.nvmrc | ||
cypress.config.ts | ||
cypress.d.ts | ||
index.html | ||
index.js | ||
orval.config.js | ||
package.json | ||
README.md | ||
tsconfig.json | ||
tsconfig.node.json | ||
vercel.json | ||
vite.config.mts | ||
yarn.lock |
frontend
This directory contains the Unleash Admin UI frontend app.
Run with a local instance of the unleash-api
Refer to the Contributing to Unleash guide for instructions. The frontend dev server runs (in port 3000) simultaneously with the backend dev server (in port 4242):
yarn install
yarn dev
Run with a sandbox instance of the Unleash API
Alternatively, instead of running unleash-api on localhost, you can use a remote instance:
cd ./frontend
yarn install
yarn run start:sandbox
Running end-to-end tests
We have a set of Cypress tests that run on the build before a PR can be merged so it's important that you check these yourself before submitting a PR. On the server the tests will run against the deployed Heroku app so this is what you probably want to test against:
yarn run start:sandbox
In a different shell, you can run the tests themselves:
yarn run e2e:heroku
If you need to test against patches against a local server instance, you'll need to run that, and then run the end to end tests using:
yarn run e2e
You may also need to test that a feature works against the enterprise version of unleash. Assuming the Heroku instance is still running, this can be done by:
yarn run start:enterprise
yarn run e2e
Generating the OpenAPI client
The frontend uses an OpenAPI client generated from the backend's OpenAPI spec. Whenever there are changes to the backend API, the client should be regenerated:
For now we only use generated types (src/openapi/models). We will use methods (src/openapi/apis) for new features soon.
yarn gen:api
rm -rf src/openapi/apis
clean up src/openapi/index.ts
imports, only keep first line export * from './models';
This script assumes that you have a running instance of the enterprise backend at http://localhost:4242
.
The new OpenAPI client will be generated from the runtime schema of this instance.
The target URL can be changed by setting the UNLEASH_OPENAPI_URL
env var.
Analyzing bundle size
npx vite-bundle-visualizer
in the root of the frontend directory