Jayden/AFFiNE-Mirror
1
0
Fork 0
mirror of https://github.com/toeverything/AFFiNE.git synced 2026-02-04 08:38:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: bump up vite version to v5.0.12 [SECURITY] (#5648)

Browse Source 
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vitejs.dev) ([source](https://togithub.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.0.6` -> `5.0.12`](https://renovatebot.com/diffs/npm/vite/5.0.6/5.0.12) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.0.6/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.0.6/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-23331](https://togithub.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw)

### Summary
[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

### Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

### Details
Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.

See `picomatch`  usage, where `nocase` is defaulted to `false`: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files.

### PoC
**Setup**
1. Created vanilla Vite project using `npm create vite@latest` on a Standard Azure hosted Windows 10 instance.
    - `npm run dev -- --host 0.0.0.0`
    - Publicly accessible for the time being here: http://20.12.242.81:5173/
2. Created dummy secret files, e.g. `custom.secret` and `production.pem`
3. Populated `vite.config.js` with
```javascript
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }
```

**Reproduction**
1. `curl -s http://20.12.242.81:5173/@​fs//`
    - Descriptive error page reveals absolute filesystem path to project root
2. `curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js`
    - Discoverable configuration file reveals locations of secrets
3. `curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT`
    - Secrets are directly accessible using case-augmented version of filename

**Proof**
![Screenshot 2024-01-19 022736](https://user-images.githubusercontent.com/907968/298020728-3a8d3c06-fcfd-4009-9182-e842f66a6ea5.png)

### Impact
**Who**
- Users with exposed dev servers on environments with case-insensitive filesystems

**What**
- Files protected by `server.fs.deny` are both discoverable, and accessible

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v5.0.12`](https://togithub.com/vitejs/vite/releases/tag/v5.0.12)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.11...v5.0.12)

Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.0.12/packages/vite/CHANGELOG.md) for details.

### [`v5.0.11`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small5011-2024-01-05-small)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.10...v5.0.11)

-   fix: don't pretransform classic script links ([#&#8203;15361](https://togithub.com/vitejs/vite/issues/15361)) ([19e3c9a](https://togithub.com/vitejs/vite/commit/19e3c9a)), closes [#&#8203;15361](https://togithub.com/vitejs/vite/issues/15361)
-   fix: inject `__vite__mapDeps` code before sourcemap file comment ([#&#8203;15483](https://togithub.com/vitejs/vite/issues/15483)) ([d2aa096](https://togithub.com/vitejs/vite/commit/d2aa096)), closes [#&#8203;15483](https://togithub.com/vitejs/vite/issues/15483)
-   fix(assets): avoid splitting `,` inside base64 value of `srcset` attribute ([#&#8203;15422](https://togithub.com/vitejs/vite/issues/15422)) ([8de7bd2](https://togithub.com/vitejs/vite/commit/8de7bd2)), closes [#&#8203;15422](https://togithub.com/vitejs/vite/issues/15422)
-   fix(html): handle offset magic-string slice error ([#&#8203;15435](https://togithub.com/vitejs/vite/issues/15435)) ([5ea9edb](https://togithub.com/vitejs/vite/commit/5ea9edb)), closes [#&#8203;15435](https://togithub.com/vitejs/vite/issues/15435)
-   chore(deps): update dependency strip-literal to v2 ([#&#8203;15475](https://togithub.com/vitejs/vite/issues/15475)) ([49d21fe](https://togithub.com/vitejs/vite/commit/49d21fe)), closes [#&#8203;15475](https://togithub.com/vitejs/vite/issues/15475)
-   chore(deps): update tj-actions/changed-files action to v41 ([#&#8203;15476](https://togithub.com/vitejs/vite/issues/15476)) ([2a540ee](https://togithub.com/vitejs/vite/commit/2a540ee)), closes [#&#8203;15476](https://togithub.com/vitejs/vite/issues/15476)

### [`v5.0.10`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small5010-2023-12-15-small)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.9...v5.0.10)

-   fix: omit protocol does not require pre-transform ([#&#8203;15355](https://togithub.com/vitejs/vite/issues/15355)) ([d9ae1b2](https://togithub.com/vitejs/vite/commit/d9ae1b2)), closes [#&#8203;15355](https://togithub.com/vitejs/vite/issues/15355)
-   fix(build): use base64 for inline SVG if it contains both single and double quotes ([#&#8203;15271](https://togithub.com/vitejs/vite/issues/15271)) ([1bbff16](https://togithub.com/vitejs/vite/commit/1bbff16)), closes [#&#8203;15271](https://togithub.com/vitejs/vite/issues/15271)

### [`v5.0.9`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small509-2023-12-14-small)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.8...v5.0.9)

-   fix: htmlFallbackMiddleware for favicon ([#&#8203;15301](https://togithub.com/vitejs/vite/issues/15301)) ([c902545](https://togithub.com/vitejs/vite/commit/c902545)), closes [#&#8203;15301](https://togithub.com/vitejs/vite/issues/15301)
-   fix: more stable hash calculation for depsOptimize ([#&#8203;15337](https://togithub.com/vitejs/vite/issues/15337)) ([2b39fe6](https://togithub.com/vitejs/vite/commit/2b39fe6)), closes [#&#8203;15337](https://togithub.com/vitejs/vite/issues/15337)
-   fix(scanner): catch all external files for glob imports ([#&#8203;15286](https://togithub.com/vitejs/vite/issues/15286)) ([129d0d0](https://togithub.com/vitejs/vite/commit/129d0d0)), closes [#&#8203;15286](https://togithub.com/vitejs/vite/issues/15286)
-   fix(server): avoid chokidar throttling on startup ([#&#8203;15347](https://togithub.com/vitejs/vite/issues/15347)) ([56a5740](https://togithub.com/vitejs/vite/commit/56a5740)), closes [#&#8203;15347](https://togithub.com/vitejs/vite/issues/15347)
-   fix(worker): replace `import.meta` correctly for IIFE worker ([#&#8203;15321](https://togithub.com/vitejs/vite/issues/15321)) ([08d093c](https://togithub.com/vitejs/vite/commit/08d093c)), closes [#&#8203;15321](https://togithub.com/vitejs/vite/issues/15321)
-   feat: log re-optimization reasons ([#&#8203;15339](https://togithub.com/vitejs/vite/issues/15339)) ([b1a6c84](https://togithub.com/vitejs/vite/commit/b1a6c84)), closes [#&#8203;15339](https://togithub.com/vitejs/vite/issues/15339)
-   chore: temporary typo ([#&#8203;15329](https://togithub.com/vitejs/vite/issues/15329)) ([7b71854](https://togithub.com/vitejs/vite/commit/7b71854)), closes [#&#8203;15329](https://togithub.com/vitejs/vite/issues/15329)
-   perf: avoid computing paths on each request ([#&#8203;15318](https://togithub.com/vitejs/vite/issues/15318)) ([0506812](https://togithub.com/vitejs/vite/commit/0506812)), closes [#&#8203;15318](https://togithub.com/vitejs/vite/issues/15318)
-   perf: temporary hack to avoid fs checks for /[@&#8203;react-refresh](https://togithub.com/react-refresh) ([#&#8203;15299](https://togithub.com/vitejs/vite/issues/15299)) ([b1d6211](https://togithub.com/vitejs/vite/commit/b1d6211)), closes [#&#8203;15299](https://togithub.com/vitejs/vite/issues/15299)

### [`v5.0.8`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small508-2023-12-12-small)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.7...v5.0.8)

-   perf: cached fs utils ([#&#8203;15279](https://togithub.com/vitejs/vite/issues/15279)) ([c9b61c4](https://togithub.com/vitejs/vite/commit/c9b61c4)), closes [#&#8203;15279](https://togithub.com/vitejs/vite/issues/15279)
-   fix: missing warmupRequest in transformIndexHtml ([#&#8203;15303](https://togithub.com/vitejs/vite/issues/15303)) ([103820f](https://togithub.com/vitejs/vite/commit/103820f)), closes [#&#8203;15303](https://togithub.com/vitejs/vite/issues/15303)
-   fix: public files map will be updated on add/unlink in windows ([#&#8203;15317](https://togithub.com/vitejs/vite/issues/15317)) ([921ca41](https://togithub.com/vitejs/vite/commit/921ca41)), closes [#&#8203;15317](https://togithub.com/vitejs/vite/issues/15317)
-   fix(build): decode urls in CSS files (fix [#&#8203;15109](https://togithub.com/vitejs/vite/issues/15109)) ([#&#8203;15246](https://togithub.com/vitejs/vite/issues/15246)) ([ea6a7a6](https://togithub.com/vitejs/vite/commit/ea6a7a6)), closes [#&#8203;15109](https://togithub.com/vitejs/vite/issues/15109) [#&#8203;15246](https://togithub.com/vitejs/vite/issues/15246)
-   fix(deps): update all non-major dependencies ([#&#8203;15304](https://togithub.com/vitejs/vite/issues/15304)) ([bb07f60](https://togithub.com/vitejs/vite/commit/bb07f60)), closes [#&#8203;15304](https://togithub.com/vitejs/vite/issues/15304)
-   fix(ssr): check esm file with normal file path ([#&#8203;15307](https://togithub.com/vitejs/vite/issues/15307)) ([1597170](https://togithub.com/vitejs/vite/commit/1597170)), closes [#&#8203;15307](https://togithub.com/vitejs/vite/issues/15307)

### [`v5.0.7`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small507-2023-12-08-small)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.6...v5.0.7)

-   fix: suppress terser warning if minify disabled ([#&#8203;15275](https://togithub.com/vitejs/vite/issues/15275)) ([3e42611](https://togithub.com/vitejs/vite/commit/3e42611)), closes [#&#8203;15275](https://togithub.com/vitejs/vite/issues/15275)
-   fix: symbolic links in public dir ([#&#8203;15264](https://togithub.com/vitejs/vite/issues/15264)) ([ef2a024](https://togithub.com/vitejs/vite/commit/ef2a024)), closes [#&#8203;15264](https://togithub.com/vitejs/vite/issues/15264)
-   fix(html): skip inlining icon and manifest links ([#&#8203;14958](https://togithub.com/vitejs/vite/issues/14958)) ([8ad81b4](https://togithub.com/vitejs/vite/commit/8ad81b4)), closes [#&#8203;14958](https://togithub.com/vitejs/vite/issues/14958)
-   chore: remove unneeded condition in getRealPath ([#&#8203;15267](https://togithub.com/vitejs/vite/issues/15267)) ([8e4655c](https://togithub.com/vitejs/vite/commit/8e4655c)), closes [#&#8203;15267](https://togithub.com/vitejs/vite/issues/15267)
-   perf: cache empty optimizer result ([#&#8203;15245](https://togithub.com/vitejs/vite/issues/15245)) ([8409b66](https://togithub.com/vitejs/vite/commit/8409b66)), closes [#&#8203;15245](https://togithub.com/vitejs/vite/issues/15245)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/toeverything/AFFiNE).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMzUuMCIsInVwZGF0ZWRJblZlciI6IjM3LjEzNS4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5In0=-->
This commit is contained in:
LongYinan
2024-01-20 13:36:05 +00:00
parent 353b27d796
commit fb93f59aea
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
yarn.lock
View File

@@ -34327,8 +34327,8 @@ __metadata:
linkType: hard
"vite@npm:^5.0.6":
version: 5.0.6
resolution: "vite@npm:5.0.6"
version: 5.0.12
resolution: "vite@npm:5.0.12"
dependencies:
esbuild: "npm:^0.19.3"
fsevents: "npm:~2.3.3"
@@ -34362,7 +34362,7 @@ __metadata:
optional: true
bin:
vite: bin/vite.js
checksum: c4647591c76ad5a3b818efef37fb23d793512be832b7daa6c54719f24b0dbadfe383b18cf0896e2c4eaf9d1acab031b3caeaa36570b79ce9da2be6a328d27a1e
checksum: ed0bb26a0d0c8e1dae0b70af9e36adffd7e15d80297443fe4da762596dc81570bad7f0291f590a57c1553f5e435338d8c7ffc483bd9431a95c09d9ac90665fad
languageName: node
linkType: hard