fliegdoc icon indicating copy to clipboard operation
fliegdoc copied to clipboard

Published 20 hours ago verified publisher icon fliegwerk

deps(prod): update dependency eta to v2 [security]

Open renovate[bot] opened this issue 1 year ago • 1 comments

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
eta (source) ^1.12.1 -> ^2.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-23630

Impact

XSS attack - anyone using the Express API is impacted

Patches

The problem has been resolved. Users should upgrade to version 2.0.0.

Workarounds

Don't pass user supplied data directly to res.renderFile.

References

Are there any links users can visit to find out more? See https://github.com/eta-dev/eta/releases/tag/v2.0.0

CVE-2022-25967

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data.

Release Notes

eta-dev/eta (eta)

v2.0.0: Version 2.0.0

Compare Source

TL;DR

This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the data parameter of renderFile() into config -- meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of varName, include, includeFile, and useWith, and thus insert arbitrary code into user template functions.

With this release, such behavior is removed. Configuration cannot be passed through the data parameter to eta.renderFile().

Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.

Practical Implications

  • Configuration must be passed to renderFile explicitly, rather than merged with the data parameter
  • Using Express.js app.set() to modify views and view cache will no longer change Eta's configuration of views and cache.
    • However, since Express still uses its own views and view cache options under the hood, users should configure both Eta and Express with desired values (example below)
  • Eta no longer recognizes the legacy Express.js settings["view options"] property

Example Code Changes

// Change THIS:
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2
// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2

// Change THIS:
var eta = require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)
// To THIS:
var eta = require("eta")
app.engine("eta", eta.renderFile)
eta.configure({  views: "./views", cache: true }) // configure eta
app.set("views", "./views") // configure Express
app.set("view cache", true) // configure Express
app.set("view engine", "eta")

Commits

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] avatar Feb 01 '23 02:02 renovate[bot]