mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-05 03:25:10 +08:00
ac6d0d35af
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@opentelemetry/exporter-prometheus](https://redirect.github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-exporter-prometheus) ([source](https://redirect.github.com/open-telemetry/opentelemetry-js)) | [`^0.215.0` → `^0.217.0`](https://renovatebot.com/diffs/npm/@opentelemetry%2fexporter-prometheus/0.215.0/0.217.0) |  |  |

---

### Prometheus exporter process crash via malformed HTTP request

[CVE-2026-44902](https://nvd.nist.gov/vuln/detail/CVE-2026-44902) / [GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3)

<details>
<summary>More information</summary>

#### Details

##### Summary

A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default `0.0.0.0:9464`) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that terminates the process.

**You are affected by this vulnerability if either of the following apply to your application:**

* you directly use `@opentelemetry/exporter-prometheus` in your code through its built-in server.
* your `OTEL_METRICS_EXPORTER` environment variable includes `prometheus` **AND**
  * you use `@opentelemetry/sdk-node`
  * you use `@opentelemetry/auto-instrumentations-node` via `--require @opentelemetry/auto-instrumentations-node/register`/`--import @opentelemetry/auto-instrumentations-node/register`

##### Impact

**Denial of service.** Any application using the OpenTelemetry Prometheus exporter's built-in server can be crashed by a single unauthenticated network packet sent to the metrics port. No authentication, special privileges, or prior access is required.

##### Remediation

##### Update to the fixed version

Update `@opentelemetry/exporter-prometheus` and `@opentelemetry/sdk-node` to version **0.217.0** or later. Update `@opentelemetry/auto-instrumentations-node` to version **0.75.0** or later. This release adds proper error handling around the URL constructor, returning an HTTP `400` response on parse failure rather than allowing the exception to propagate and crash the process.

```
npm install @opentelemetry/exporter-prometheus@latest
```

##### Do Not Expose the Endpoint to Untrusted Users

> [!IMPORTANT]
> The following mitigations reduce exposure but do not fully remediate the vulnerability. Any client that *can* reach the metrics endpoint - including your own Prometheus scraper host if compromised - could still trigger the crash. Updating to **0.217.0** is the recommended resolution.

If updating is not immediately feasible, restrict access to the metrics endpoint so that it is not reachable by untrusted or unauthenticated network clients. For example:

* **Bind to localhost only** by setting the `host` option to `127.0.0.1` when configuring the `PrometheusExporter`, so the port is not exposed on public or shared network interfaces
* **Use a firewall or network policy** to restrict access to port `9464` (or whichever port you have configured) to only trusted Prometheus scrape hosts
* **Place the endpoint behind a reverse proxy** that filters or validates incoming requests before they reach the exporter

##### Details

In `PrometheusExporter.ts`, the `_requestHandler` calls `new URL(request.url, this._baseUrl)` without any error handling. Node's HTTP parser accepts absolute-form URIs (e.g. `http://`) for proxy compatibility, including malformed ones. When `request.url` is `"http://"`, the `URL` constructor throws `TypeError: Invalid URL`. Since there is no try-catch in the handler, the exception propagates as an uncaught exception and crashes the process.

The Prometheus metrics endpoint is unauthenticated by design (Prometheus scrapes it) and binds to `0.0.0.0` by default, meaning it is reachable by any network client that can connect to the metrics port.

##### Proof of Concept

Start any Node.js application with the Prometheus exporter running on the default port `9464`, then send a single raw TCP packet:

```
echo -ne 'GET http:// HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 9464
```

The process crashes immediately with:

```
TypeError: Invalid URL
    at new URL (...)
    at PrometheusExporter._requestHandler (...)
```

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References

- [https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3)
- [https://github.com/advisories/GHSA-q7rr-3cgh-j5r3](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-q7rr-3cgh-j5r3) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>open-telemetry/opentelemetry-js (@opentelemetry/exporter-prometheus)</summary>

### [`v0.217.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7...74cde1b674508ccc0ed2601ac43a80ff2d35114c)

### [`v0.216.0`](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7)

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-js/compare/a0476eef3cb973bfcc0c2e41f868dd7b484c2ed8...2400d8389a4469f7a81ccd3be2f0b2c2dd6faaf7)

</details>

---

### Configuration

📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
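The handler shape the advisory's Details section describes, as an added example that is not code from AFFiNE or from the opentelemetry-js exporter: the unguarded `new URL(request.url, base)` that the pre-0.217.0 exporter ran sits beside a guarded version that answers `400` on parse failure. `BASE_URL`, `METRICS_PATH`, `fakeResponse()` and `probe()` are this example's own stand-ins for the exporter's internals and for `http.ServerResponse`, so the two handlers can be driven with the PoC's request target (`http://`) without opening a socket; the sample request targets are constructed for the example.

```javascript
// Added example; not code from AFFiNE or from @opentelemetry/exporter-prometheus.
// BASE_URL, METRICS_PATH, fakeResponse() and probe() are stand-ins invented here.
const BASE_URL = 'http://localhost:9464/';
const METRICS_PATH = '/metrics';
const METRICS_BODY = '# HELP up 1 if the target is up\n# TYPE up gauge\nup 1\n';

// Route an already-parsed URL: the scrape path gets metrics, anything else 404.
function serveMetrics(url, response) {
  if (url.pathname === METRICS_PATH) {
    response.writeHead(200, { 'Content-Type': 'text/plain; version=0.0.4' });
    response.end(METRICS_BODY);
  } else {
    response.writeHead(404, { 'Content-Type': 'text/plain' });
    response.end('Not Found\n');
  }
}

// Vulnerable shape (before 0.217.0): the URL constructor runs with no try/catch.
// Node's HTTP parser passes absolute-form request targets through unchanged, so
// request.url can be "http://", for which new URL() throws TypeError: Invalid URL.
// Inside a real http.Server that exception is uncaught and ends the process.
function vulnerableHandler(request, response) {
  const url = new URL(request.url, BASE_URL);
  serveMetrics(url, response);
}

// Hardened shape (what the advisory says 0.217.0 does): a parse failure is a
// client error, so it is answered with 400 and the process keeps serving.
function hardenedHandler(request, response) {
  let url;
  try {
    url = new URL(request.url, BASE_URL);
  } catch {
    response.writeHead(400, { 'Content-Type': 'text/plain' });
    response.end('Bad Request\n');
    return;
  }
  serveMetrics(url, response);
}

// Recording stand-in for http.ServerResponse.
function fakeResponse() {
  const sent = { status: null, body: '' };
  return {
    sent,
    writeHead(status) { sent.status = status; },
    end(chunk = '') { sent.body += chunk; },
  };
}

// Feed one raw request target (what Node puts in request.url) to a handler and
// report whether it answered or threw; a throw here is what becomes a process
// crash in the real server.
function probe(handler, rawUrl) {
  const response = fakeResponse();
  try {
    handler({ method: 'GET', url: rawUrl }, response);
  } catch (error) {
    return { outcome: 'crash', error: `${error.name}: ${error.message}` };
  }
  return { outcome: 'response', status: response.sent.status };
}

// Constructed request targets: the advisory's PoC line, normal scrape traffic,
// and a well-formed absolute-form target (which Node also accepts and serves).
const TARGETS = ['http://', '/metrics', '/', 'http://prometheus.internal:9464/metrics'];
for (const target of TARGETS) {
  console.log(JSON.stringify({
    target,
    vulnerable: probe(vulnerableHandler, target),
    hardened: probe(hardenedHandler, target),
  }));
}
```

The `host: '127.0.0.1'` option the advisory lists limits who can reach the handler at all; the try/catch is what stops a client that can reach it from taking the process down, which is why the advisory treats the network mitigations as partial.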
177 lines
5.7 KiB
JSON
```json
{
  "name": "@affine/server",
  "private": true,
  "version": "0.26.3",
  "description": "Affine Node.js server",
  "type": "module",
  "scripts": {
    "build": "affine bundle -p @affine/server",
    "dev": "nodemon ./src/index.ts",
    "dev:mail": "email dev -d src/mails",
    "test": "ava --concurrency 1 --serial",
    "test:copilot": "ava \"src/__tests__/copilot/copilot-*.spec.ts\"",
    "test:coverage": "c8 ava --concurrency 1 --serial",
    "test:copilot:coverage": "c8 ava --timeout=5m \"src/__tests__/copilot/copilot-*.spec.ts\"",
    "e2e": "cross-env TEST_MODE=e2e ava --serial",
    "e2e:coverage": "cross-env TEST_MODE=e2e c8 ava --serial",
    "data-migration": "cross-env NODE_ENV=development SERVER_FLAVOR=script r ./src/index.ts",
    "init": "yarn prisma migrate dev && yarn data-migration run",
    "seed": "r ./src/seed/index.ts",
    "genconfig": "r ./scripts/genconfig.ts",
    "cli": "cross-env SERVER_FLAVOR=script node ./dist/main.js",
    "predeploy": "yarn prisma migrate deploy && yarn cli run",
    "postinstall": "prisma generate"
  },
  "dependencies": {
    "@affine/s3-compat": "workspace:*",
    "@affine/server-native": "workspace:*",
    "@apollo/server": "^5.5.0",
    "@as-integrations/express5": "^1.1.2",
    "@google-cloud/opentelemetry-cloud-trace-exporter": "^3.0.0",
    "@google-cloud/opentelemetry-resource-util": "^3.0.0",
    "@inquirer/prompts": "^7.10.1",
    "@nestjs-cls/transactional": "^3.2.0",
    "@nestjs-cls/transactional-adapter-prisma": "^1.3.4",
    "@nestjs/apollo": "^13.2.4",
    "@nestjs/bullmq": "^11.0.4",
    "@nestjs/common": "^11.1.18",
    "@nestjs/core": "^11.1.18",
    "@nestjs/graphql": "^13.2.5",
    "@nestjs/platform-express": "^11.1.18",
    "@nestjs/platform-socket.io": "^11.1.18",
    "@nestjs/schedule": "^6.1.1",
    "@nestjs/throttler": "^6.5.0",
    "@nestjs/websockets": "^11.1.18",
    "@node-rs/argon2": "^2.0.2",
    "@node-rs/crc32": "^1.10.6",
    "@opentelemetry/api": "^1.9.0",
    "@opentelemetry/core": "^2.2.0",
    "@opentelemetry/exporter-prometheus": "^0.217.0",
    "@opentelemetry/exporter-zipkin": "^2.6.0",
    "@opentelemetry/host-metrics": "^0.38.3",
    "@opentelemetry/instrumentation": "^0.215.0",
    "@opentelemetry/instrumentation-graphql": "^0.63.0",
    "@opentelemetry/instrumentation-http": "^0.215.0",
    "@opentelemetry/instrumentation-ioredis": "^0.63.0",
    "@opentelemetry/instrumentation-nestjs-core": "^0.61.0",
    "@opentelemetry/instrumentation-socket.io": "^0.62.0",
    "@opentelemetry/resources": "^2.2.0",
    "@opentelemetry/sdk-metrics": "^2.2.0",
    "@opentelemetry/sdk-node": "^0.215.0",
    "@opentelemetry/sdk-trace-node": "^2.2.0",
    "@opentelemetry/semantic-conventions": "^1.38.0",
    "@prisma/client": "^6.6.0",
    "@prisma/instrumentation": "^6.7.0",
    "@queuedash/api": "^3.16.0",
    "@react-email/components": "^0.5.7",
    "@socket.io/redis-adapter": "^8.3.0",
    "bullmq": "5.53.0",
    "commander": "^13.1.0",
    "cookie-parser": "^1.4.7",
    "cross-env": "^10.1.0",
    "date-fns": "^4.0.0",
    "dotenv": "^16.4.7",
    "eventemitter2": "^6.4.9",
    "exa-js": "^2.4.0",
    "express": "^5.0.1",
    "fast-xml-parser": "^5.7.2",
    "get-stream": "^9.0.1",
    "google-auth-library": "^10.2.0",
    "graphql": "^16.13.2",
    "graphql-scalars": "^1.24.0",
    "graphql-upload": "^17.0.0",
    "html-validate": "^9.0.0",
    "htmlrewriter": "^0.0.12",
    "http-errors": "^2.0.0",
    "ioredis": "^5.8.2",
    "is-mobile": "^5.0.0",
    "jose": "^6.1.3",
    "jsonwebtoken": "^9.0.3",
    "lodash-es": "^4.17.23",
    "mustache": "^4.2.0",
    "nanoid": "^5.1.6",
    "nest-winston": "^1.9.7",
    "nestjs-cls": "^6.0.0",
    "nodemailer": "^8.0.4",
    "on-headers": "^1.1.0",
    "piscina": "^5.1.4",
    "prisma": "^6.6.0",
    "react": "^19.2.1",
    "react-dom": "19.2.1",
    "reflect-metadata": "^0.2.2",
    "rxjs": "^7.8.2",
    "semver": "^7.7.4",
    "ses": "^1.15.0",
    "socket.io": "^4.8.1",
    "stripe": "^17.7.0",
    "tldts": "^7.0.19",
    "winston": "^3.17.0",
    "yjs": "^13.6.27",
    "zod": "^3.25.76",
    "zod-to-json-schema": "^3.20.0"
  },
  "devDependencies": {
    "@affine-tools/cli": "workspace:*",
    "@affine-tools/utils": "workspace:*",
    "@affine/graphql": "workspace:*",
    "@affine/realtime": "workspace:*",
    "@faker-js/faker": "^10.1.0",
    "@nestjs/swagger": "^11.2.7",
    "@nestjs/testing": "patch:@nestjs/testing@npm%3A11.1.18#~/.yarn/patches/@nestjs-testing-npm-11.1.18-32c0f6af12.patch",
    "@types/cookie-parser": "^1.4.8",
    "@types/express": "^5.0.1",
    "@types/express-serve-static-core": "^5.0.6",
    "@types/graphql-upload": "^17.0.0",
    "@types/http-errors": "^2.0.4",
    "@types/jsonwebtoken": "^9.0.9",
    "@types/lodash-es": "^4.17.12",
    "@types/mustache": "^4.2.5",
    "@types/node": "^22.0.0",
    "@types/nodemailer": "^7.0.0",
    "@types/on-headers": "^1.0.3",
    "@types/react": "^19.0.1",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.0",
    "@types/supertest": "^7.0.0",
    "ava": "^7.0.0",
    "c8": "^10.1.3",
    "nodemon": "^3.1.14",
    "react-email": "^4.3.2",
    "sinon": "^21.0.1",
    "socket.io-client": "^4.8.3",
    "supertest": "^7.1.4",
    "typescript": "^5.9.3",
    "why-is-node-running": "^3.2.2"
  },
  "nodemonConfig": {
    "exec": "node",
    "ignore": [
      "**/__tests__/**",
      "**/dist/**",
      "*.gen.*"
    ],
    "env": {
      "NODE_ENV": "development",
      "AFFINE_ENV": "dev",
      "AFFINE_SERVER_EXTERNAL_URL": "http://localhost:8080",
      "DEBUG": "affine:*",
      "FORCE_COLOR": true,
      "DEBUG_COLORS": true
    },
    "delay": 1000
  },
  "c8": {
    "reporter": [
      "text-summary",
      "lcov"
    ],
    "report-dir": ".coverage",
    "exclude": [
      "scripts",
      "node_modules",
      "**/*.spec.ts",
      "**/*.e2e.ts"
    ]
  }
}
```
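The `package.json` above bumps `@opentelemetry/exporter-prometheus` to `^0.217.0` but leaves `@opentelemetry/sdk-node` at `^0.215.0`, while the advisory's remediation asks for both to be at 0.217.0 or later and lists the `OTEL_METRICS_EXPORTER=prometheus` path through `sdk-node` as a separate way to be affected. The check a practitioner wants after a bump like this is therefore not "what does my own dependency say" but "which copies of the exporter actually resolve in the tree". The following added example (not AFFiNE's code and not part of the advisory) walks the object that `npm ls --all --json` prints and reports every resolved copy of the exporter, flagging those below the fixed version. The tree is constructed for the example; the `0.215.0` copy shown nested under `sdk-node` is an assumption used to illustrate the pitfall, not a statement about what this repository resolves (it uses yarn, per its scripts, where `yarn why @opentelemetry/exporter-prometheus` answers the same question).

```javascript
// Added example; not AFFiNE code. Audits the JSON tree printed by
// `npm ls --all --json` for copies of the vulnerable exporter package.
// SAMPLE_TREE is constructed for the example; its nested 0.215.0 copy is an
// assumption chosen to show how a direct bump can leave a nested copy behind.
const VULNERABLE_PACKAGE = '@opentelemetry/exporter-prometheus';
const FIXED_VERSION = '0.217.0'; // from the advisory's remediation section

// Numeric dotted-version comparison; a pre-release suffix is ignored so that
// "0.217.0-rc.1" compares as 0.217.0. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` maps of an npm ls tree.
// Each match records the path of package names from the root, so a copy that
// only exists because of an intermediate dependency is attributed to it.
function findCopies(tree, packageName, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    if (info.deduped) continue; // points at a copy listed elsewhere in the tree
    const here = [...path, name];
    if (name === packageName && info.version) {
      out.push({
        path: here.join(' > '),
        version: info.version,
        vulnerable: compareVersions(info.version, FIXED_VERSION) < 0,
      });
    }
    findCopies(info, packageName, here, out);
  }
  return out;
}

// Summarise: every copy found, and the subset still below the fixed version.
function auditTree(tree) {
  const copies = findCopies(tree, VULNERABLE_PACKAGE);
  return { copies, vulnerable: copies.filter((c) => c.vulnerable) };
}

// Constructed sample in the shape of `npm ls --all --json` output.
const SAMPLE_TREE = {
  name: '@affine/server',
  version: '0.26.3',
  dependencies: {
    '@opentelemetry/exporter-prometheus': { version: '0.217.0' },
    '@opentelemetry/sdk-node': {
      version: '0.215.0',
      dependencies: {
        // Assumed for the example: sdk-node carrying its own exporter copy.
        '@opentelemetry/exporter-prometheus': { version: '0.215.0' },
      },
    },
  },
};

const result = auditTree(SAMPLE_TREE);
for (const copy of result.copies) {
  console.log(`${copy.vulnerable ? 'VULNERABLE' : 'ok        '} ${copy.version}  ${copy.path}`);
}
console.log(`${result.vulnerable.length} copy/copies below ${FIXED_VERSION}`);
```

Run against real output (`npm ls --all --json > tree.json`, then `JSON.parse` it in place of `SAMPLE_TREE`) the same walk shows whether the direct bump alone was enough or whether `sdk-node` also has to move, which is what the advisory's remediation text requires.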