GNUI
GNUI copied to clipboard
nordcloud
Update dependency vite to v4.5.3 [SECURITY]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| vite (source) | 4.4.12 -> 4.5.3 |
GitHub Vulnerability Alerts
CVE-2024-23331
Summary
Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.
This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
Patches
Fixed in [email protected], [email protected], [email protected], [email protected]
Details
Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.
See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632
By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.
PoC
Setup
- Created vanilla Vite project using
npm create vite@lateston a Standard Azure hosted Windows 10 instance.-
npm run dev -- --host 0.0.0.0 - Publicly accessible for the time being here: http://20.12.242.81:5173/
-
- Created dummy secret files, e.g.
custom.secretandproduction.pem - Populated
vite.config.jswith
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }
Reproduction
-
curl -s http://20.12.242.81:5173/@​fs//- Descriptive error page reveals absolute filesystem path to project root
-
curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js- Discoverable configuration file reveals locations of secrets
-
curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT- Secrets are directly accessible using case-augmented version of filename
Proof
Impact
Who
- Users with exposed dev servers on environments with case-insensitive filesystems
What
- Files protected by
server.fs.denyare both discoverable, and accessible
CVE-2024-31207
Summary
Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.
Impact
Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Patches
Fixed in [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Details
server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.
Reproduction
Set fs.deny to ['**/.git/**'] and then curl for /.git/config.
- with
matchBase: true, you can get any file under.git/(config, HEAD, etc). - with
matchBase: false, you cannot get any file under.git/(config, HEAD, etc).
Release Notes
vitejs/vite (vite)
v4.5.3
v4.5.2
Please refer to CHANGELOG.md for details.
v4.5.1
Please refer to CHANGELOG.md for details.
v4.5.0
Please refer to CHANGELOG.md for details.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
Quality Gate passed
Kudos, no new issues were introduced!
0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code
See analysis details on SonarCloud
![sonarqubecloud[bot] avatar](https://avatars.githubusercontent.com/in/12526?v=4 "Published by a pub.dev verified publisher"){kind=small}
This pull request is automatically being deployed by Amplify Hosting (learn more).
Access this pull request here: https://pr-711.du3gff836giqw.amplifyapp.com
![aws-amplify-eu-west-1[bot] avatar](https://avatars.githubusercontent.com/in/43819?v=4 "Published by a pub.dev verified publisher"){kind=small}
Quality Gate passed
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code
See analysis details on SonarCloud
Quality Gate passed
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code
See analysis details on SonarCloud