fix(deps): update dependency webpack-dev-middleware to v5 [security] #5373
⚠ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below:
File name: yarn.lock
This PR contains the following updates:
^1.9.0 -> ^5.0.0
GitHub Vulnerability Alerts
CVE-2024-29180
Summary
The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine.
Details
The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory memfs filesystem.
If the writeToDisk configuration option is set to true, the physical filesystem is used:
https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/setupOutputFileSystem.js#L21
The getFilenameFromUrl method is used to parse the URL and build the local file path.
The public path prefix is stripped from the URL, and the unescaped path suffix is appended to the outputPath:
https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/getFilenameFromUrl.js#L82
As the URL is not unescaped and normalized automatically before calling the middleware, it is possible to use %2e and %2f sequences to perform a path traversal attack.
PoC
A blank project can be created containing the following configuration file webpack.config.js:
module.exports = { devServer: { devMiddleware: { writeToDisk: true } } };
When started, it is possible to access any local file, e.g. /etc/passwd:
$ curl localhost:8080/public/..%2f..%2f..%2f..%2f../etc/passwd
Impact
The developers using webpack-dev-server or webpack-dev-middleware are affected by the issue. When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content (e.g. password, configuration files, private source code, ...).
If the development server is listening on a public IP address (or 0.0.0.0), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port).
If the server allows access from third-party domains (CORS, Allow-Access-Origin: * ), an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files.
Recommendation
The URL should be unescaped and normalized before any further processing.
Release Notes
webpack/webpack-dev-middleware (webpack-dev-middleware)
v5.3.4
5.3.4 (2024-03-20)
Bug Fixes
v5.3.3
v5.3.2
v5.3.1
v5.3.0
Features
5.2.2 (2021-11-17)
Chore
schema-utils package to 4.0.0 version
5.2.1 (2021-09-25)
v5.2.2
v5.2.1
v5.2.0
Features
headers option (#1042) (5a6a3f0)
v5.1.0
Features
Range header is present (e8b21f0)
Bug Fixes
mem package (#1027) (0d55268)
v5.0.0
⚠ BREAKING CHANGES
Node.js version is 12.13.0 (#928) (4cffeff)
v4.3.0
Features
getFilenameFromUrl to API (#911) (1edc726)
Bug Fixes
v4.2.0
Features
headers option to accept function (#897) (966afb3)
v4.1.0
Features
stats option (376cdba)
4.0.4 (2021-01-13)
Bug Fixes
4.0.3 (2021-01-12)
Bug Fixes
stats to stdout instead stderr, how does webpack-cli, if you need hide stats from output please use { stats: false } or { stats: 'none' } (4de0f97)
stats (4de0f97)
Content-type header on unknown types (#809) (5c9eee5)
4.0.2 (2020-11-10)
Bug Fixes
headers option (#763) (7c4cac5)
4.0.1 (2020-11-09)
Bug Fixes
connect (b83a1db)
v4.0.4
v4.0.3
v4.0.2
v4.0.1
v4.0.0
⚠ BREAKING CHANGES
Bug Fixes
auto value of the publicPath option (9b4c5ec)
v3.7.3
3.7.3 (2020-12-15)
Bug Fixes
v3.7.2
v3.7.1
v3.7.0
Features
HEAD method by default (#398) (ec3d5eb)
v3.6.2
Bug Fixes
res.getHeader and set the correct Content-Type (#385) (56dc705)
v3.6.1
Bug Fixes
v3.6.0
Features
v3.5.2
Bug Fixes
usdz file type (#357) (b135b3d)
v3.5.1
Bug Fixes
v3.5.0
Bug Fixes
Features
mimeTypes (possible to use force option) (#349) (e56a181)
v3.4.0
Bug Fixes
unhandledRejection (#340) (f0a8e3e)
url-join with path.posix.join (#334) (d75802b)
v3.3.0
Features
response.locals.fs) (#337) (f9a138e)
v3.2.0
Bug Fixes
Features
methods option (options.methods) (#319) (fe6bb86)
v3.1.3
Bugfixes
v3.1.2
Updates
v3.1.1
Bugfixes
v3.1.0
Bugfixes
d26c67c)
Features
v3.0.1
v3.0.0
Updates
Breaking Changes
watchOffset option has been removed and the README has been updated with alternative means of accomplishing the same result for this module and webpack v4.
middleware.webpack now returns a Promise that should be handled with .then when needing to perform other actions, like adding additional middleware.
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
Updates
webpack-log, removed dependencies related to the previous logging implementation.
v2.0.1
Publish to correct package.json.
v2.0.0
This major release introduces a comprehensive refactor of the codebase and move to leverage more ES6 as supported by Node 6+. It also introduced a number of breaking changes, as outlined below.
Node Version Support
webpack-dev-middleware version 2 and higher will only support Node 6.x and higher. Active
LTS for Node 4.x ended October 31st, 2017 and entered maintenance on that date.
Likewise, the version 1.x branch of webpack-dev-middleware will enter maintenance on
that date.
Informative Changes
log-level and follows the same patterns as webpack-dev-server.
Breaking Changes
watchDelay option was previously deprecated and has now been removed.
reportTime option renamed to logTime
noInfo option removed in favor of setting a logLevel higher than 'info'
quiet option removed in favor of logLevel: 'silent'
reporter signature changed to reporter(middlewareOptions, reporterOptions)
Configuration
📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
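The advisory's recommendation (unescape and normalize the URL before any further processing), shown next to the behaviour it describes, as an added example that is not part of this PR or of webpack-dev-middleware's code. The function names, OUTPUT_PATH and PUBLIC_PATH are hypothetical, and POSIX-style paths are assumed.

```javascript
// Added illustration; not webpack-dev-middleware's code. All names are hypothetical.
const OUTPUT_PATH = "/srv/app/dist"; // constructed sample output directory
const PUBLIC_PATH = "/public/";      // constructed sample public path prefix

// Collapse "." and ".." the way the filesystem would (POSIX-style, no disk access).
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// "Before": the prefix check runs on the raw URL, then the decoded suffix is
// appended to the output path with no containment check.
function resolveUnchecked(url) {
  const pathname = url.split(/[?#]/)[0];
  if (!pathname.startsWith(PUBLIC_PATH)) return null;
  const suffix = decodeURIComponent(pathname.slice(PUBLIC_PATH.length));
  return normalizePosix(OUTPUT_PATH + "/" + suffix);
}

// "After": decode once, normalize, then check the prefix and the final location.
function resolveChecked(url) {
  const pathname = url.split(/[?#]/)[0];
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return null; // malformed percent-escape
  }
  if (decoded.includes("\0")) return null;
  const normalized = normalizePosix(decoded);
  if (!(normalized + "/").startsWith(PUBLIC_PATH)) return null;
  const rel = normalized.slice(PUBLIC_PATH.length);
  const file = normalizePosix(OUTPUT_PATH + "/" + rel);
  const inside = file === OUTPUT_PATH || file.startsWith(OUTPUT_PATH + "/");
  return inside ? file : null;
}

const poc = "/public/..%2f..%2f..%2f..%2f../etc/passwd"; // request path from the PoC above
console.log(resolveUnchecked(poc), resolveChecked(poc), resolveChecked("/public/main.js"));
```

A doubly encoded sequence such as %252e stays a literal file name here because the path is decoded exactly once; decoding again later in the request pipeline would reopen the gap.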