tauri-solid-example

tauri-solid-example copied to clipboard

Reame
Issues

Update dependency vite to v4.5.3 [SECURITY]

Open renovate[bot] opened this issue 2 years ago • 0 comments

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`4.3.5` -> `4.5.3`

GitHub Vulnerability Alerts

CVE-2023-34092

The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.

Steps to Fix. Update Vite: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. Secure the server configuration: In your `vite.config.js` file, review and update the server configuration options to restrict access to unauthorized requests or directories.

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected and only files in the immediate Vite project root folder could be exposed.\n\n### Patches\nFixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 and in the latest minors of the previous two majors, vite@3.2.7 and vite@2.9.16.

Details

Vite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \n\n### PoC\n1. Create a new latest project of Vite using any package manager. (here I'm using react and vue templates and pnpm for testing)\n2. Serve the application on dev mode using pnpm run dev.\n3. Directly access the file via url using double forward-slash (//) (e.g: //.env, //.env.local)\n4. The server option fs.deny was successfully bypassed.

Proof Images: proof-1 \n proof-2

CVE-2024-23331

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in [email protected], [email protected], [email protected], [email protected]

Details

Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

PoC

Setup

Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
- npm run dev -- --host 0.0.0.0
- Publicly accessible for the time being here: http://20.12.242.81:5173/
Created dummy secret files, e.g. custom.secret and production.pem
Populated vite.config.js with

export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }

Reproduction

curl -s http://20.12.242.81:5173/@fs//
- Descriptive error page reveals absolute filesystem path to project root
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
- Discoverable configuration file reveals locations of secrets
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
- Secrets are directly accessible using case-augmented version of filename

Proof Screenshot 2024-01-19 022736

Impact

Who

Users with exposed dev servers on environments with case-insensitive filesystems

What

Files protected by server.fs.deny are both discoverable, and accessible

CVE-2024-31207

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

Release Notes

vitejs/vite (vite)

`v4.5.3`

`v4.5.2`

Please refer to CHANGELOG.md for details.

`v4.5.1`

Please refer to CHANGELOG.md for details.

`v4.5.0`

Please refer to CHANGELOG.md for details.

`v4.4.12`

Please refer to CHANGELOG.md for details.

`v4.4.11`

Please refer to CHANGELOG.md for details.

`v4.4.10`

Please refer to CHANGELOG.md for details.

`v4.4.9`

chore: fix eslint warnings (#14031) (4021a0e), closes #14031
chore(deps): update all non-major dependencies (#13938) (a1b519e), closes #13938
fix: dynamic import vars ignored warning (#14006) (4479431), closes #14006
fix(build): silence warn dynamic import module when inlineDynamicImports true (#13970) (7a77aaf), closes #13970
perf: improve build times and memory utilization (#14016) (9d7d45e), closes #14016
perf: replace startsWith with === (#14005) (f5c1224), closes #14005

`v4.4.8`

fix: modulePreload false (#13973) (488085d), closes #13973
fix: multiple entries with shared css and no JS (#13962) (89a3db0), closes #13962
fix: use file extensions on type imports so they work with moduleResolution: 'node16' (#13947) (aeef670), closes #13947
fix(css): enhance error message for missing preprocessor dependency (#11485) (65e5c22), closes #11485
fix(esbuild): fix static properties transpile when useDefineForClassFields false (#13992) (4ca7c13), closes #13992
fix(importAnalysis): strip url base before passing as safeModulePaths (#13712) (1ab06a8), closes #13712
fix(importMetaGlob): avoid unnecessary hmr of negative glob (#13646) (844451c), closes #13646
fix(optimizer): avoid double-commit of optimized deps when discovery is disabled (#13865) (df77991), closes #13865
fix(optimizer): enable experimentalDecorators by default (#13981) (f8a5ffc), closes #13981
perf: replace startsWith with === (#13989) (3aab14e), closes #13989
perf: single slash does not need to be replaced (#13980) (66f522c), closes #13980
perf: use Intl.DateTimeFormatter instead of toLocaleTimeString (#13951) (af53a1d), closes #13951
perf: use Intl.NumberFormat instead of toLocaleString (#13949) (a48bf88), closes #13949
perf: use magic-string hires boundary for sourcemaps (#13971) (b9a8d65), closes #13971
chore(reporter): remove unnecessary map (#13972) (dd9d4c1), closes #13972
refactor: add new overload to the type of defineConfig (#13958) (24c12fe), closes #13958

`v4.4.7`

fix: optimizeDeps.include not working with paths inside packages (#13922) (06e4f57), closes #13922
fix: lightningcss fails with html-proxy (#13776) (6b56094), closes #13776
fix: prepend config.base to vite/env path (#13941) (8e6cee8), closes #13941
fix(html): support import.meta.env define replacement without quotes (#13425) (883089c), closes #13425
fix(proxy): handle error when proxy itself errors (#13929) (4848e41), closes #13929
chore(eslint): allow type annotations (#13920) (d1264fd), closes #13920

`v4.4.6`

fix: constrain inject helpers for iife (#13909) (c89f677), closes #13909
fix: display manualChunks warning only when a function is not used (#13797) (#13798) (51c271f), closes #13797 #13798
fix: do not append browserHash on optimized deps during build (#13906) (0fb2340), closes #13906
fix: use Bun's implementation of ws instead of the bundled one (#13901) (049404c), closes #13901
feat(client): add guide to press Esc for closing the overlay (#13896) (da389cc), closes #13896

`v4.4.5`

fix: "EISDIR: illegal operation on a directory, realpath" error on RA… (#13655) (6bd5434), closes #13655
fix: transform error message add file info (#13687) (6dca41c), closes #13687
fix: warn when publicDir and outDir are nested (#13742) (4eb3154), closes #13742
fix(build): remove warning about ineffective dynamic import from node_modules (#13884) (33002dd), closes #13884
fix(build): style insert order for UMD builds (fix #13668) (#13669) (49a1b99), closes #13668 #13669
fix(deps): update all non-major dependencies (#13872) (975a631), closes #13872
fix(types): narrow down the return type of defineConfig (#13792) (c971f26), closes #13792
chore: fix typos (#13862) (f54e8da), closes #13862
chore: replace any with string (#13850) (4606fd8), closes #13850
chore(deps): update dependency prettier to v3 (#13759) (5a56941), closes #13759
docs: fix build.cssMinify link (#13840) (8a2a3e1), closes #13840

`v4.4.4`

chore: warning about ssr cjs format removal (#13827) (4646e9f), closes #13827
fix(esbuild): enable experimentalDecorators by default (#13805) (e8880f0), closes #13805
fix(scan): skip tsconfigRaw fallback if tsconfig is set (#13823) (b6155a1), closes #13823
feat(client): close vite-error-overlay with Escape key (#13795) (85bdcda), closes #13795

`v4.4.3`

fix: avoid early error when server is closed in ssr (#13787) (89d01eb), closes #13787
fix(deps): update all non-major dependencies (#13758) (8ead116), closes #13758
fix(server): remove restart guard on restart (#13789) (2a38ef7), closes #13789

`v4.4.2`

fix(css): use single postcss instance (#13738) (c02fac4), closes #13738

`v4.4.1`

fix: revert #13073, use consistent virtual module ID in module graph (#13734) (f589ac0), closes #13073 #13734
fix: revert import config module as data (#13731) (b0bfa01), closes #13731
chore: changelog notes and clean for 4.4 (#13728) (3f4e36e), closes #13728

`v4.4.0`

Experimental support for Lightning CSS

Starting from Vite 4.4, there is experimental support for Lightning CSS. You can opt into it by adding css.transformer: 'lightningcss' to your config file and install the optional lightningcss dev dependency. If enabled, CSS files will be processed by Lightning CSS instead of PostCSS.

Lightning CSS can also be used as the CSS minifier with build.cssMinify: 'lightningcss'.

See beta docs at the Lighting CSS guide.

esbuild 0.18 update

esbuild 0.18 contains backwards-incompatible changes to esbuild's handling of tsconfig.json files. We think they shouldn't affect Vite users, you can review #13525 for more information.

Templates for Solid and Qwik in create-vite

New starter templates have been added to create-vite for Solid and Qwik. Try them online at vite.new/solid-ts and vite.new/qwik-ts.

Korean Translation

Vite's docs are now translated to Korean, available at ko.vitejs.dev.

Features

feat: preview mode add keyboard shortcuts (#12968) (126e93e), closes #12968
feat: asset type add apng (#13294) (a11b6f6), closes #13294
feat: emit event to handle chunk load errors (#12084) (2eca54e), closes #12084
feat: import public non-asset URL (#13422) (3a98558), closes #13422
feat: support files for fs.allow (#12863) (4a06e66), closes #12863
feat(build): warn dynamic import module with a static import alongside (#12850) (127c334), closes #12850
feat(client): add debounce on page reload (#13545) (d080b51), closes #13545
feat(client): add WebSocket connections events (#13334) (eb75103), closes #13334
feat(config): friendly ESM file require error (#13283) (b9a6ba0), closes #13283
feat(css): add support for Lightning CSS (#12807) (c6c5d49), closes #12807
feat(css): support at import preprocessed styles (#8400) (2bd6077), closes #8400
feat(html): support image set in inline style (#13473) (2c0faba), closes #13473
feat(importMetaGlob): support sub imports pattern (#12467) (e355c9c), closes #12467
feat(optimizer): support glob includes (#12414) (7792515), closes #12414
feat!: update esbuild to 0.18.2 (#13525) (ab967c0), closes #13525

Bug Fixes

fix: check document before detect script rel (#13559) (be4b0c0), closes #13559
fix(define): stringify object parse error in build mode (#13600) (71516db), closes #13600
fix(deps): update all non-major dependencies (#13701) (02c6bc3), closes #13701
fix(esbuild): use useDefineForClassFields: false when no compilerOptions.target is declared (#13 (7ef2472), closes #13708
fix(pluginContainer): drop previous sourcesContent (#13722) (9310b3a), closes #13722
fix: lightningCSS should load external URL in CSS file (#13692) (8517645), closes #13692
fix: shortcut open browser when set host (#13677) (6f1c55e), closes #13677
fix(cli): convert the sourcemap option to boolean (fix #13638) (#13663) (d444bfe), closes #13638 #13663
fix(css): use esbuild legalComments config when minifying CSS (#13661) (2d9008e), closes #13661
fix(sourcemap): preserve original sourcesContent (#13662) (f6362b6), closes #13662
fix(ssr): transform superclass identifier (#13635) (c5b2c8f), closes #13635
fix: show error position (#13623) (90271a6), closes #13623
fix(hmr): only invalidate lastHMRTimestamp of importers if the invalidated module is not a HMR bou (1143e0b), closes #13024
fix(indexHtml): decode html URI (#13581) (f8868af), closes #13581
fix: avoid binding ClassExpression (#13572) (1a0c806), closes #13572
fix: the shortcut fails to open browser when set the host (#13579) (e0a48c5), closes #13579
fix(proxy): forward SSE close event (#13578) (4afbccb), closes #13578
fix: allow using vite as a proxy for another vite server (#13218) (711dd80), closes #13218
fix: await requests to before server restart (#13262) (0464398), closes #13262
fix: esm detection with export const { A, B } pattern (#13483) (ea1bcc9), closes #13483
fix: keep track of ssr version of imported modules separately (#11973) (8fe6952), closes #11973
fix: make optimize error available to meta-framework (#13495) (b70e783), closes #13495
fix: only show the listened IP when host is specified (#13412) (20b0cae), closes #13412
fix: race condition creation module in graph in transformRequest (#13085) (43cbbcf), closes #13085
fix: remove deprecated config.server.base (#13482) (dc597bd), closes #13482
fix: remove extra path shorten when resolving from a dir (#13381) (5503198), closes #13381
fix: show network URLs when --host 0.0.0.0 (#13438) (00ee8c1), closes #13438
fix: timestamp config dynamicImport (#13502) (6a87c65), closes #13502
fix: unexpected config temporary file (#13269) (ff3ce31), closes #13269
fix: use consistent virtual module ID in module graph (#13073) (aa1776f), closes #13073
fix(build): make output warning message clearer (#12924) (54ab3c8), closes #12924
fix(debug): import performance from perf_hooks (#13464) (d458ccd), closes #13464
fix(deps): update all non-major dependencies (#13059) (123ef4c), closes #13059
fix(deps): update all non-major dependencies (#13488) (bd09248), closes #13488
fix(deps): update sirv to 2.0.3 (#13057) (d814d6c), closes #13057
fix(mergeConfig): don't accept callback config (#13135) (998512b), closes #13135
fix(optimizer): include exports for css modules (#13519) (1fd9919), closes #13519
fix(resolve): always use module condition (#13370) (367920b), closes #13370
fix(ssr): fix crash when a pnpm/Yarn workspace depends on a CJS package (#9763) (9e1086b), closes #9763

Previous Changelogs

4.4.0-beta.4 (2023-07-03)

See 4.4.0-beta.4 changelog

4.4.0-beta.3 (2023-06-25)

See 4.4.0-beta.3 changelog

4.4.0-beta.2 (2023-06-22)

See 4.4.0-beta.2 changelog

4.4.0-beta.1 (2023-06-21)

See 4.4.0-beta.1 changelog

4.4.0-beta.0 (2023-06-20)

See 4.4.0-beta.0 changelog

`v4.3.9`

fix: fs.deny with leading double slash (#13348) (813ddd6), closes #13348
fix: optimizeDeps during build and external ids (#13274) (e3db771), closes #13274
fix(css): return deps if have no postcss plugins (#13344) (28923fb), closes #13344
fix(legacy): style insert order (#13266) (e444375), closes #13266
chore: revert prev release commit (2a30a07)
release: v4.3.9 (5c9abf7)
docs: optimizeDeps.needsInterop (#13323) (b34e79c), closes #13323
test: respect commonjs options in playgrounds (#13273) (19e8c68), closes #13273
refactor: simplify SSR options' if statement (#13254) (8013a66), closes #13254
perf(ssr): calculate stacktrace offset lazily (#13256) (906c4c1), closes #13256

`v4.3.8`

fix: avoid outdated module to crash in importAnalysis after restart (#13231) (3609e79), closes #13231
fix(ssr): skip updateCjsSsrExternals if legacy flag disabled (#13230) (13fc345), closes #13230

`v4.3.7`

fix: revert only watch .env files in envDir (#12587) (#13217) (0fd4616), closes #12587 #13217
fix(assetImportMetaUrl): allow ternary operator in template literal urls (#13121) (d5d9a31), closes #13121

`v4.3.6`

fix: avoid dev-server crash when ws proxy error (#12829) (87e1f58), closes #12829
fix: call tryFsResolve for relative new URL(foo, import.meta.url) (#13142) (eeb0617), closes #13142
fix: don't inject CSS sourcemap for direct requests (#13115) (7d80a47), closes #13115
fix: handle more yarn pnp load errors (#13160) (adf61d9), closes #13160
fix(build): declare moduleSideEffects for vite:modulepreload-polyfill (#13099) (d63129b), closes #13099
fix(css): respect esbuild.charset when minify (#13190) (4fd35ed), closes #13190
fix(server): intercept ping requests (#13117) (d06cc42), closes #13117
fix(ssr): stacktrace uses abs path with or without sourcemap (#12902) (88c855e), closes #12902
perf: skip windows absolute paths for node resolve (#13162) (e640939), closes #13162
chore: remove useless dep (#13165) (9a7ec98), closes #13165
chore(reporter): reuse clearLine (#13156) (535795a), closes #13156

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Jun 06 '23 03:06 renovate[bot]