Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency @sveltejs/kit to v2.8.3 [security] #1216

Merged
merged 1 commit into from
Nov 26, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 25, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@sveltejs/kit (source) 2.8.0 -> 2.8.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-53262

Summary

The static error.html template for errors contains placeholders that are replaced without escaping the content first.

Details

From https://kit.svelte.dev/docs/errors:

error.html is the page that is rendered when everything else fails. It can contain the following placeholders:
%sveltekit.status% — the HTTP status
%sveltekit.error.message% — the error message

This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content that ends up being something like this inside a server handle function:

error(500, '<script>alert("boom")</script>');

Uncaught errors cannot be exploited like this, as they always render the message "Internal error".

Escaping the message string in the function that creates the html output can be done to improve safety for applications that are using custom errors on the server.

PoC

None provided

Impact

Only applications where user provided input is used in the Error message will be vulnerable, so the vast majority of applications will not be vulnerable

CVE-2024-53261

Summary

"Unsanitized input from the request URL flows into end, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."

Details

Source of potentially tainted data is in packages/kit/src/exports/vite/dev/index.js, line 437. This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

Another source of potentially tainted data (according to Snyk) comes from ‎packages/kit/src/exports/vite/utils.js, line 30, col 30 (i.e., the url property of req). This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

PoC

Not provided

Impact

Little to none. The Vite development is not exposed to the network by default. And even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data.


Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.8.3

Compare Source

Patch Changes
  • fix: ensure error messages are escaped (#​13050)

  • fix: escape values included in dev 404 page (#​13039)

v2.8.2

Compare Source

Patch Changes
  • fix: prevent duplicate fetch request when using Request with load function's fetch (#​13023)

  • fix: do not override default cookie decoder to allow users to override the cookie library version (#​13037)

v2.8.1

Compare Source

Patch Changes
  • fix: only add nonce to script-src-elem, style-src-attr and style-src-elem CSP directives when unsafe-inline is not present (#​11613)

  • fix: support HTTP/2 in dev and production. Revert the changes from #​12907 to downgrade HTTP/2 to TLS as now being unnecessary (#​12989)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

@renovate renovate bot requested a review from a team as a code owner November 25, 2024 19:33
Copy link

socket-security bot commented Nov 25, 2024

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@sveltejs/kit@2.8.3 environment, eval Transitive: filesystem +18 1.65 MB svelte-admin

🚮 Removed packages: npm/@sveltejs/kit@2.8.0

View full report↗︎

@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from d3e1440 to 6d7fa72 Compare November 26, 2024 10:33
@stipsan stipsan merged commit a3485a6 into main Nov 26, 2024
9 checks passed
@stipsan stipsan deleted the renovate/npm-sveltejs-kit-vulnerability branch November 26, 2024 10:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant