New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency vite to v4.5.2 [security] - autoclosed #3849

Closed

renovate wants to merge 1 commit into master from renovate/npm-vite-vulnerability

Contributor

renovate bot commented Jan 20, 2024

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`4.3.9` -> `4.5.2`

GitHub Vulnerability Alerts

CVE-2024-23331

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

Details

Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

PoC

Setup

Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
- npm run dev -- --host 0.0.0.0
- Publicly accessible for the time being here: http://20.12.242.81:5173/
Created dummy secret files, e.g. custom.secret and production.pem
Populated vite.config.js with

export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }

Reproduction

curl -s http://20.12.242.81:5173/@fs//
- Descriptive error page reveals absolute filesystem path to project root
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
- Discoverable configuration file reveals locations of secrets
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
- Secrets are directly accessible using case-augmented version of filename

Proof

Impact

Who

Users with exposed dev servers on environments with case-insensitive filesystems

What

Files protected by server.fs.deny are both discoverable, and accessible

Release Notes

vitejs/vite (vite)

`v4.5.2`

Please refer to CHANGELOG.md for details.

`v4.5.1`

Please refer to CHANGELOG.md for details.

`v4.5.0`

Please refer to CHANGELOG.md for details.

`v4.4.12`

Please refer to CHANGELOG.md for details.

`v4.4.11`

Please refer to CHANGELOG.md for details.

`v4.4.10`

Please refer to CHANGELOG.md for details.

`v4.4.9`

chore: fix eslint warnings (#14031) (4021a0e), closes #14031
chore(deps): update all non-major dependencies (#13938) (a1b519e), closes #13938
fix: dynamic import vars ignored warning (#14006) (4479431), closes #14006
fix(build): silence warn dynamic import module when inlineDynamicImports true (#13970) (7a77aaf), closes #13970
perf: improve build times and memory utilization (#14016) (9d7d45e), closes #14016
perf: replace startsWith with === (#14005) (f5c1224), closes #14005

`v4.4.8`

fix: modulePreload false (#13973) (488085d), closes #13973
fix: multiple entries with shared css and no JS (#13962) (89a3db0), closes #13962
fix: use file extensions on type imports so they work with moduleResolution: 'node16' (#13947) (aeef670), closes #13947
fix(css): enhance error message for missing preprocessor dependency (#11485) (65e5c22), closes #11485
fix(esbuild): fix static properties transpile when useDefineForClassFields false (#13992) (4ca7c13), closes #13992
fix(importAnalysis): strip url base before passing as safeModulePaths (#13712) (1ab06a8), closes #13712
fix(importMetaGlob): avoid unnecessary hmr of negative glob (#13646) (844451c), closes #13646
fix(optimizer): avoid double-commit of optimized deps when discovery is disabled (#13865) (df77991), closes #13865
fix(optimizer): enable experimentalDecorators by default (#13981) (f8a5ffc), closes #13981
perf: replace startsWith with === (#13989) (3aab14e), closes #13989
perf: single slash does not need to be replaced (#13980) (66f522c), closes #13980
perf: use Intl.DateTimeFormatter instead of toLocaleTimeString (#13951) (af53a1d), closes #13951
perf: use Intl.NumberFormat instead of toLocaleString (#13949) (a48bf88), closes #13949
perf: use magic-string hires boundary for sourcemaps (#13971) (b9a8d65), closes #13971
chore(reporter): remove unnecessary map (#13972) (dd9d4c1), closes #13972
refactor: add new overload to the type of defineConfig (#13958) (24c12fe), closes #13958

`v4.4.7`

fix: optimizeDeps.include not working with paths inside packages (#13922) (06e4f57), closes #13922
fix: lightningcss fails with html-proxy (#13776) (6b56094), closes #13776
fix: prepend config.base to vite/env path (#13941) (8e6cee8), closes #13941
fix(html): support import.meta.env define replacement without quotes (#13425) (883089c), closes #13425
fix(proxy): handle error when proxy itself errors (#13929) (4848e41), closes #13929
chore(eslint): allow type annotations (#13920) (d1264fd), closes #13920

`v4.4.6`

fix: constrain inject helpers for iife (#13909) (c89f677), closes #13909
fix: display manualChunks warning only when a function is not used (#13797) (#13798) (51c271f), closes #13797 #13798
fix: do not append browserHash on optimized deps during build (#13906) (0fb2340), closes #13906
fix: use Bun's implementation of ws instead of the bundled one (#13901) (049404c), closes #13901
feat(client): add guide to press Esc for closing the overlay (#13896) (da389cc), closes #13896

`v4.4.5`

fix: "EISDIR: illegal operation on a directory, realpath" error on RA… (#13655) (6bd5434), closes #13655
fix: transform error message add file info (#13687) (6dca41c), closes #13687
fix: warn when publicDir and outDir are nested (#13742) (4eb3154), closes #13742
fix(build): remove warning about ineffective dynamic import from node_modules (#13884) (33002dd), closes #13884
fix(build): style insert order for UMD builds (fix #13668) (#13669) (49a1b99), closes #13668 #13669
fix(deps): update all non-major dependencies (#13872) (975a631), closes #13872
fix(types): narrow down the return type of defineConfig (#13792) (c971f26), closes #13792
chore: fix typos (#13862) (f54e8da), closes #13862
chore: replace any with string (#13850) (4606fd8), closes #13850
chore(deps): update dependency prettier to v3 (#13759) (5a56941), closes #13759
docs: fix build.cssMinify link (#13840) (8a2a3e1), closes #13840

`v4.4.4`

chore: warning about ssr cjs format removal (#13827) (4646e9f), closes #13827
fix(esbuild): enable experimentalDecorators by default (#13805) (e8880f0), closes #13805
fix(scan): skip tsconfigRaw fallback if tsconfig is set (#13823) (b6155a1), closes #13823
feat(client): close vite-error-overlay with Escape key (#13795) (85bdcda), closes #13795

`v4.4.3`

fix: avoid early error when server is closed in ssr (#13787) (89d01eb), closes #13787
fix(deps): update all non-major dependencies (#13758) (8ead116), closes #13758
fix(server): remove restart guard on restart (#13789) (2a38ef7), closes #13789

`v4.4.2`

fix(css): use single postcss instance (#13738) (c02fac4), closes #13738

`v4.4.1`

fix: revert #13073, use consistent virtual module ID in module graph (#13734) (f589ac0), closes #13073 #13734
fix: revert import config module as data (#13731) (b0bfa01), closes #13731
chore: changelog notes and clean for 4.4 (#13728) (3f4e36e), closes #13728

`v4.4.0`

Experimental support for Lightning CSS

Starting from Vite 4.4, there is experimental support for Lightning CSS. You can opt into it by adding css.transformer: 'lightningcss' to your config file and install the optional lightningcss dev dependency. If enabled, CSS files will be processed by Lightning CSS instead of PostCSS.

Lightning CSS can also be used as the CSS minifier with build.cssMinify: 'lightningcss'.

See beta docs at the Lighting CSS guide.

esbuild 0.18 update

esbuild 0.18 contains backwards-incompatible changes to esbuild's handling of tsconfig.json files. We think they shouldn't affect Vite users, you can review #13525 for more information.

Templates for Solid and Qwik in create-vite

New starter templates have been added to create-vite for Solid and Qwik. Try them online at vite.new/solid-ts and vite.new/qwik-ts.

Korean Translation

Vite's docs are now translated to Korean, available at ko.vitejs.dev.

Features

feat: preview mode add keyboard shortcuts (#12968) (126e93e), closes #12968
feat: asset type add apng (#13294) (a11b6f6), closes #13294
feat: emit event to handle chunk load errors (#12084) (2eca54e), closes #12084
feat: import public non-asset URL (#13422) (3a98558), closes #13422
feat: support files for fs.allow (#12863) (4a06e66), closes #12863
feat(build): warn dynamic import module with a static import alongside (#12850) (127c334), closes #12850
feat(client): add debounce on page reload (#13545) (d080b51), closes #13545
feat(client): add WebSocket connections events (#13334) (eb75103), closes #13334
feat(config): friendly ESM file require error (#13283) (b9a6ba0), closes #13283
feat(css): add support for Lightning CSS (#12807) (c6c5d49), closes #12807
feat(css): support at import preprocessed styles (#8400) (2bd6077), closes #8400
feat(html): support image set in inline style (#13473) (2c0faba), closes #13473
feat(importMetaGlob): support sub imports pattern (#12467) (e355c9c), closes #12467
feat(optimizer): support glob includes (#12414) (7792515), closes #12414
feat!: update esbuild to 0.18.2 (#13525) (ab967c0), closes #13525

Bug Fixes

fix: check document before detect script rel (#13559) (be4b0c0), closes #13559
fix(define): stringify object parse error in build mode (#13600) (71516db), closes #13600
fix(deps): update all non-major dependencies (#13701) (02c6bc3), closes #13701
fix(esbuild): use useDefineForClassFields: false when no compilerOptions.target is declared (#13 (7ef2472), closes #13708
fix(pluginContainer): drop previous sourcesContent (#13722) (9310b3a), closes #13722
fix: lightningCSS should load external URL in CSS file (#13692) (8517645), closes #13692
fix: shortcut open browser when set host (#13677) (6f1c55e), closes #13677
fix(cli): convert the sourcemap option to boolean (fix #13638) (#13663) (d444bfe), closes #13638 #13663
fix(css): use esbuild legalComments config when minifying CSS (#13661) (2d9008e), closes #13661
fix(sourcemap): preserve original sourcesContent (#13662) (f6362b6), closes #13662
fix(ssr): transform superclass identifier (#13635) (c5b2c8f), closes #13635
fix: show error position (#13623) (90271a6), closes #13623
fix(hmr): only invalidate lastHMRTimestamp of importers if the invalidated module is not a HMR bou (1143e0b), closes #13024
fix(indexHtml): decode html URI (#13581) (f8868af), closes #13581
fix: avoid binding ClassExpression (#13572) (1a0c806), closes #13572
fix: the shortcut fails to open browser when set the host (#13579) (e0a48c5), closes #13579
fix(proxy): forward SSE close event (#13578) (4afbccb), closes #13578
fix: allow using vite as a proxy for another vite server (#13218) (711dd80), closes #13218
fix: await requests to before server restart (#13262) (0464398), closes #13262
fix: esm detection with export const { A, B } pattern (#13483) (ea1bcc9), closes #13483
fix: keep track of ssr version of imported modules separately (#11973) (8fe6952), closes #11973
fix: make optimize error available to meta-framework (#13495) (b70e783), closes #13495
fix: only show the listened IP when host is specified (#13412) (20b0cae), closes #13412
fix: race condition creation module in graph in transformRequest (#13085) (43cbbcf), closes #13085
fix: remove deprecated config.server.base (#13482) (dc597bd), closes #13482
fix: remove extra path shorten when resolving from a dir (#13381) (5503198), closes #13381
fix: show network URLs when --host 0.0.0.0 (#13438) (00ee8c1), closes #13438
fix: timestamp config dynamicImport (#13502) (6a87c65), closes #13502
fix: unexpected config temporary file (#13269) (ff3ce31), closes #13269
fix: use consistent virtual module ID in module graph (#13073) (aa1776f), closes #13073
fix(build): make output warning message clearer (#12924) (54ab3c8), closes #12924
fix(debug): import performance from perf_hooks (#13464) (d458ccd), closes #13464
fix(deps): update all non-major dependencies (#13059) (123ef4c), closes #13059
fix(deps): update all non-major dependencies (#13488) (bd09248), closes #13488
fix(deps): update sirv to 2.0.3 (#13057) (d814d6c), closes #13057
fix(mergeConfig): don't accept callback config (#13135) (998512b), closes #13135
fix(optimizer): include exports for css modules (#13519) (1fd9919), closes #13519
fix(resolve): always use module condition (#13370) (367920b), closes #13370
fix(ssr): fix crash when a pnpm/Yarn workspace depends on a CJS package (#9763) (9e1086b), closes #9763

Previous Changelogs

4.4.0-beta.4 (2023-07-03)

See 4.4.0-beta.4 changelog

4.4.0-beta.3 (2023-06-25)

See 4.4.0-beta.3 changelog

4.4.0-beta.2 (2023-06-22)

See 4.4.0-beta.2 changelog

4.4.0-beta.1 (2023-06-21)

See 4.4.0-beta.1 changelog

4.4.0-beta.0 (2023-06-20)

See 4.4.0-beta.0 changelog

Configuration

📅 Schedule: Branch creation - "" in timezone America/Toronto, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          fix(deps): update dependency vite to v4.5.2 [security]

149aade

renovate bot added the dependencies label

Contributor Author

renovate bot commented Jan 20, 2024

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

 WARN  The "store" setting has been renamed to "store-dir". Please use the new name.
 ERR_PNPM_UNSUPPORTED_ENGINE  Unsupported environment (bad pnpm and/or Node.js version)

Your pnpm version is incompatible with "/tmp/renovate/repos/github/Seneca-CDOT/telescope".

Expected version: >=8
Got: 6.32.13

This is happening because the package's manifest has an engines.pnpm field specified.
To fix this issue, install the required pnpm version globally.

To install the latest version of pnpm, run "pnpm i -g pnpm".
To check your pnpm version, run "pnpm -v".

vercel bot deployed to Preview

January 20, 2024 01:47

View deployment

renovate bot changed the title ~~fix(deps): update dependency vite to v4.5.2 [security]~~ fix(deps): update dependency vite to v4.5.2 [security] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-vite-vulnerability branch

September 17, 2024 23:25

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels