fliegdoc
deps(prod): update dependency eta to v2 [security]
This PR contains the following updates:
Package | Change | Age | Adoption | Passing | Confidence |
---|---|---|---|---|---|
eta (source) | ^1.12.1 -> ^2.0.0 | | | | |
GitHub Vulnerability Alerts
CVE-2023-23630
Impact
XSS attack - anyone using the Express API is impacted
Patches
The problem has been resolved. Users should upgrade to version 2.0.0.
Workarounds
Don't pass user-supplied data directly to `res.renderFile`.
References
Are there any links users can visit to find out more? See https://github.com/eta-dev/eta/releases/tag/v2.0.0
CVE-2022-25967
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data.
Release Notes
eta-dev/eta (eta)
v2.0.0: Version 2.0.0
TL;DR
This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the `data` parameter of `renderFile()` into `config`, meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of `varName`, `include`, `includeFile`, and `useWith`, and thus insert arbitrary code into user template functions.

With this release, such behavior is removed. Configuration cannot be passed through the `data` parameter to `eta.renderFile()`.
Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.
Practical Implications
- Configuration must be passed to `renderFile` explicitly, rather than merged with the `data` parameter
- Using Express.js `app.set()` to modify `views` and `view cache` will no longer change Eta's configuration of `views` and `cache`. However, since Express still uses its own `views` and `view cache` options under the hood, users should configure both Eta and Express with desired values (example below)
- Eta no longer recognizes the legacy Express.js `settings["view options"]` property
Example Code Changes

```javascript
// Change THIS:
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2

// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2
```

```javascript
// Change THIS:
var eta = require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)

// To THIS:
var eta = require("eta")
app.engine("eta", eta.renderFile)
eta.configure({ views: "./views", cache: true }) // configure eta
app.set("views", "./views") // configure Express
app.set("view cache", true) // configure Express
app.set("view engine", "eta")
```
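The following is an added illustration (not Eta's or Express's own code) of the bug class the release notes describe: a v1-style merge of untrusted render `data` into engine config lets a request body override keys such as `varName`, while the v2-style separate-config signature and the advisory's workaround (an allow-list of the keys a view actually needs) keep it out. The default values, the `pickRenderData`/`findConfigKeys` helper names and the request body are constructed for this example.

```javascript
// Config keys named in the v2.0.0 release notes as reachable through "data" in v1.
const ETA_CONFIG_KEYS = ["varName", "include", "includeFile", "useWith"];

// Constructed stand-in for engine defaults (assumed values, not Eta's real config object).
const DEFAULT_CONFIG = { varName: "it", useWith: false, cache: false };

// Mimics the v1 behaviour from the release notes: render data is merged into
// config, so any key present in the request body overrides an engine setting.
function mergedConfigV1(data) {
  return { ...DEFAULT_CONFIG, ...data };
}

// v2-style: config and data are separate arguments; data never touches config.
function separateConfigV2(config, data) {
  return { config: { ...DEFAULT_CONFIG, ...config }, data: { ...data } };
}

// Workaround for v1 installs (advisory: don't pass user-supplied data directly):
// copy only an allow-list of keys the view needs, dropping everything else.
function pickRenderData(untrusted, allowedKeys) {
  const out = {};
  for (const key of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(untrusted, key)) {
      out[key] = untrusted[key];
    }
  }
  return out;
}

// Detection helper: report which engine config keys a request body carries,
// useful for logging/alerting on inputs that would have overridden config in v1.
function findConfigKeys(untrusted) {
  return Object.keys(untrusted).filter((k) => ETA_CONFIG_KEYS.includes(k));
}

// Constructed request body: one legitimate view field plus one engine config key.
const body = { title: "Hello", varName: "x" };
console.log(mergedConfigV1(body).varName);                 // "x"  (v1: overridden)
console.log(separateConfigV2({ cache: true }, body).config.varName); // "it" (v2: untouched)
console.log(pickRenderData(body, ["title"]));               // { title: "Hello" }
console.log(findConfigKeys(body));                          // [ "varName" ]
```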
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.