ask-hadith icon indicating copy to clipboard operation
ask-hadith copied to clipboard
verified publisher icon Ananto30

🚨 [security] Update @sveltejs/kit 1.30.4 → 2.8.3 (major)

Open depfu[bot] opened this issue 1 year ago • 1 comments

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​sveltejs/kit (1.30.4 → 2.8.3)

Security Advisories 🚨

🚨 @sveltejs/kit has unescaped error message included on error page

Summary

The static error.html template for errors contains placeholders that are replaced without escaping the content first.

Details

From https://kit.svelte.dev/docs/errors:

error.html is the page that is rendered when everything else fails. It can contain the following placeholders:
%sveltekit.status% — the HTTP status
%sveltekit.error.message% — the error message

This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content that ends up being something like this inside a server handle function:

error(500, '<script>alert("boom")</script>');

Uncaught errors cannot be exploited like this, as they always render the message "Internal error".

Escaping the message string in the function that creates the html output can be done to improve safety for applications that are using custom errors on the server.

PoC

None provided

Impact

Only applications where user provided input is used in the Error message will be vulnerable, so the vast majority of applications will not be vulnerable

🚨 @sveltejs/kit vulnerable to XSS on dev mode 404 page

Summary

"Unsanitized input from the request URL flows into end, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."

Details

Source of potentially tainted data is in packages/kit/src/exports/vite/dev/index.js, line 437. This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

Another source of potentially tainted data (according to Snyk) comes from ‎packages/kit/src/exports/vite/utils.js, line 30, col 30 (i.e., the url property of req). This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

PoC

Not provided

Impact

Little to none. The Vite development is not exposed to the network by default. And even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data.

🚨 Sending a GET or HEAD request with a body crashes SvelteKit

Summary

In SvelteKit 2 sending a GET request with a body eg {} to a SvelteKit app in preview or with adapter-node throws Request with GET/HEAD method cannot have body. and crashes the app.

node:internal/deps/undici/undici:6066
          throw new TypeError("Request with GET/HEAD method cannot have body.");
                ^

TypeError: Request with GET/HEAD method cannot have body.
at new Request (node:internal/deps/undici/undici:6066:17)
at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)


Node.js v20.11.0

TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.

PoC

First do a fresh install of SvelteKit 2 with the example app. Typescript.

  1. npm run build
  2. npm run preview
  3. Go to http://localhost:4173 (works)
  4. curl -X GET -d "{}" http://localhost:4173/bye
  5. Application crashes and http://localhost:4173 is down

Impact

Denial of Service for apps using adapter-node

Sorry, we couldn't find anything useful about this release.

↗️ cookie (indirect, 0.5.0 → 0.6.0) · Repo · Changelog

Release Notes

0.6.0 (from changelog)

  • Add partitioned option

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

↗️ devalue (indirect, 4.3.2 → 5.1.1) · Repo · Changelog

Release Notes

5.1.1 (from changelog)

  • Only iterate over own properties of reducers (#80)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

↗️ import-meta-resolve (indirect, 4.0.0 → 4.1.0) · Repo

Release Notes

4.1.0

Misc

  • d363b81 Refactor to hide deprecation warning
  • dbb53a5 Backport changes from Node
  • 66b952b Refactor tests to not assume name of project folder
    by @kapouer in #25

Full Changelog: 4.0.0...4.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ mrmime (indirect, 1.0.1 → 2.0.1) · Repo

Release Notes

2.0.1

Chores

  • Sync with latest mime-db version (#10, #11):
    Thank you @brc-dd. This adds the following extension -> MIMEs:
    • jxl -> "image/jxl"
    • m2t -> "video/mp2t"
    • m2ts -> "video/mp2t"
    • mts -> "video/mp2t"

Full Changelog: v2.0.0...v2.0.1

2.0.0

Breaking

  • Change lookup return signature from string | void to string | undefined (#5): 3218148, 743d85b
    Thank you @willstott101

  • Upgrade mime-db version, which changes some extensions' values (#8): 30fb901
    See here for visual diff

    Removed:

    • es

    Changed

    • asc :: application/pgp-signature => application/pgp-keys
    • js :: application/javascript => text/javascript
    • mjs :: application/javascript => text/javascript
    • rtf :: application/rtf => text/rtf
    • xml :: application/xml => text/xml

    Added

    • several... see diff :)

Chores

Full Changelog: v1.0.1...v2.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ sirv (indirect, 2.0.3 → 3.0.1) · Repo

Release Notes

3.0.1

Patches

  • (sirv): ensure "types" field points to real file (#169)
    Thank you @bluwy

  • (sirv-cli): ensure PORT is used if available (#165, #164)
    When string, always chose a random port.
    Thank you @pixeldrew

Full Changelog: v3.0.0...v3.0.1

3.0.0

Breaking

  • Now requires Node 18+ : c7d2479,
  • Added exports map for native ESM support: c7d2479

Features

Patches

  • Add separate CJS and ESM definitions: 982fcc8
    Previously CJS types were wrong/incompatible.

Chores

  • (sirv-cli) Upgrade get-port to 5.1.1 for TS definitions: e5e0826
  • Write tests in native ESM: 2f36733
  • (CI): Add Node 20 to matrix: 9ca1cbc

Full Changelog: v2.0.4...v3.0.0

2.0.4

Patches

Full Changelog: v2.0.3...v2.0.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 13 commits:

🆕 @​types/cookie (added, 0.6.0)

🗑️ @​fastify/busboy (removed)

🗑️ @​sveltejs/vite-plugin-svelte (removed)

🗑️ @​sveltejs/vite-plugin-svelte-inspector (removed)

🗑️ deepmerge (removed)

🗑️ svelte-hmr (removed)

🗑️ undici (removed)

🗑️ vitefu (removed)

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

depfu[bot] avatar Nov 25 '24 16:11 depfu[bot]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
ask-hadith ✅ Ready (Inspect) Visit Preview 💬 Add feedback Mar 27, 2025 2:56pm

vercel[bot] avatar Nov 25 '24 16:11 vercel[bot]