fix(deps): update dependency @backstage/plugin-scaffolder-backend to v1.15.0 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@backstage/plugin-scaffolder-backend (source)	1.10.1 -> 1.15.0

GitHub Vulnerability Alerts

CVE-2023-35926

The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been vm2, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library.

Impact

A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data.

Patches

This is vulnerability is fixed in version 1.15.0 of @backstage/plugin-scaffolder-backend.

Workarounds

Note that the Backstage Threat Model states that scaffolder templates are considered to be a sensitive area that with the recommendation that you control access and perform manual reviews of changes to the scaffolder templates. The exploit is of a nature where it is easily discoverable in manual review.

---

Release Notes

backstage/backstage (@​backstage/plugin-scaffolder-backend)

v1.15.0

Compare Source

Minor Changes

• 84b0e47: Add TargetBranchName variable and output for the publish:gitlab:merge-request and publish:github:pull-request s'cascaffolder actions.

• 6a694ce: Add a scaffolder action that pull-requests for bitbucket server

• 1948845: Added github:deployKey:create and github:environment:create scaffolder actions. You will need to add read/write permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository Administration (for deploy key functionality) and Environments (for Environment functionality)

• df84117: Add support for Repository Variables and Secrets to the publish:github and github:repo:create scaffolder actions. You will need to add read/write permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository Secrets and Variables

  Upgrade octokit introduces some breaking changes.

Patch Changes

• cc936b5: Fix handling of optional property in catalog:register scaffolder action

• b269da3: Clearer error messages for action publish:gitlab:merge-request

• 11e0f62: Fix wrong gitlabUrl format in repoUrl input description

• a2c70cd: Switch out the sandbox, from vm2 to isolated-vm.

  This is a native dependency, which means that it will need to be compiled with the same version of node on the same OS. This could cause some issues when running in Docker for instance, as you will need to make sure that the dependency is installed and compiled inside the docker container that it will run on.

  This could mean adding in some dependencies to the container like build-essential to make sure that this compiles correctly.

  If you're having issues installing this dependency, there's some install instructions over on isolated-vm's repo.

• Updated dependencies

  • @​backstage/backend-common@​0.19.0
  • @​backstage/catalog-client@​1.4.2
  • @​backstage/types@​1.1.0
  • @​backstage/plugin-catalog-backend@​1.10.0
  • @​backstage/integration@​1.5.0
  • @​backstage/catalog-model@​1.4.0
  • @​backstage/errors@​1.2.0
  • @​backstage/backend-plugin-api@​0.5.3
  • @​backstage/backend-tasks@​0.5.3
  • @​backstage/plugin-auth-node@​0.2.15
  • @​backstage/plugin-catalog-node@​1.3.7
  • @​backstage/plugin-permission-node@​0.7.9
  • @​backstage/config@​1.0.8
  • @​backstage/plugin-catalog-common@​1.0.14
  • @​backstage/plugin-permission-common@​0.7.6
  • @​backstage/plugin-scaffolder-common@​1.3.1
  • @​backstage/plugin-scaffolder-node@​0.1.4

v1.14.0

Compare Source

Minor Changes

• 67115f5: Expose both types of scaffolder permissions and rules through the metadata endpoint.

  The metadata endpoint now correctly exposes both types of scaffolder permissions and rules (for both the template and action resource types) through the metadata endpoint.

• a73b3c0: Add ability to use defaultNamespace and defaultKind for scaffolder action catalog:fetch

Patch Changes

• 1a48b84: Bump minimum required version of vm2 to be 3.9.18
• d20c879: Bump minimum required version of vm2 to be 3.9.17
• 6d954de: Update typing for RouterOptions::actions and ScaffolderActionsExtensionPoint::addActions to allow any kind of action being assigned to it.
• Updated dependencies
  • @​backstage/plugin-catalog-backend@​1.9.1
  • @​backstage/backend-common@​0.18.5
  • @​backstage/integration@​1.4.5
  • @​backstage/plugin-scaffolder-common@​1.3.0
  • @​backstage/plugin-permission-node@​0.7.8
  • @​backstage/plugin-scaffolder-node@​0.1.3
  • @​backstage/backend-tasks@​0.5.2
  • @​backstage/plugin-auth-node@​0.2.14
  • @​backstage/plugin-catalog-node@​1.3.6
  • @​backstage/backend-plugin-api@​0.5.2
  • @​backstage/catalog-client@​1.4.1
  • @​backstage/catalog-model@​1.3.0
  • @​backstage/config@​1.0.7
  • @​backstage/errors@​1.1.5
  • @​backstage/types@​1.0.2
  • @​backstage/plugin-catalog-common@​1.0.13
  • @​backstage/plugin-permission-common@​0.7.5

v1.13.1

Compare Source

This release bumps the minimum required version of vm2 to 3.9.17

v1.13.0

Compare Source

Minor Changes

• 2b15cb4: The non-PR/MR Git Actions now return the commit hash of the commit pushed as a new output called commitHash, isomorphic-git is now on version 1.23.0

• 30ffdae: Added fetch:plain:file action to fetch a single file, this action is also added to the list of built-in actions.

• 65e989f: Added the possibility to authorize parameters and steps of a template

  The scaffolder plugin is now integrated with the permission framework.
  It is possible to toggle parameters or actions within templates by marking each section with specific tags, inside a backstage:permissions property under each parameter or action. Each parameter or action can then be permissioned by using a conditional decision containing the scaffolderTemplateRules.hasTag rule.

• 3b68b09: Renamed permissionApi router option to permissions

• bcae5aa: Added the possibility to authorize actions

  It is now possible to decide who should be able to execute certain actions or who should be able to pass specific input to specified actions.

  Some of the existing utility functions for creating conditional decisions have been renamed:

  • createScaffolderConditionalDecision has been renamed to createScaffolderActionConditionalDecision
  • scaffolderConditions has been renamed to scaffolderTemplateConditions

• d7c8c22: Allow for a commit message to differ from the PR title when publishing a GitHub pull request.

• 95ea9f6: Provide some more default filters out of the box and refactoring how the filters are applied to the SecureTemplater.

  • parseEntityRef will take an string entity triplet and return a parsed object.
  • pick will allow you to reference a specific property in the piped object.

  So you can now combine things like this: ${{ parameters.entity | parseEntityRef | pick('name') }} to get the name of a specific entity, or ${{ parameters.repoUrl | parseRepoUrl | pick('owner') }} to get the owner of a repo.

Patch Changes

• e23abb3: Rename output parameter mergeRequestURL of publish:gitlab:merge-request action to mergeRequestUrl.
• e27ddc3: Added a possibility to cancel the running task (executing of a scaffolder template)
• a7eb36c: Improve type-check for scaffolder output parameters
• c9a0fdc: Fix deprecated types.
• 1e4f5e9: Bump zod and zod-to-json-schema dependencies.
• 9c26e6d: Updated the alpha scaffolderPlugin to not require options.
• f37a95a: Stripped entity types and namespace before passing to GitHub API
• Updated dependencies
  • @​backstage/backend-common@​0.18.4
  • @​backstage/plugin-catalog-backend@​1.9.0
  • @​backstage/plugin-scaffolder-common@​1.2.7
  • @​backstage/plugin-scaffolder-node@​0.1.2
  • @​backstage/catalog-client@​1.4.1
  • @​backstage/plugin-permission-node@​0.7.7
  • @​backstage/plugin-permission-common@​0.7.5
  • @​backstage/backend-tasks@​0.5.1
  • @​backstage/catalog-model@​1.3.0
  • @​backstage/integration@​1.4.4
  • @​backstage/plugin-auth-node@​0.2.13
  • @​backstage/plugin-catalog-node@​1.3.5
  • @​backstage/backend-plugin-api@​0.5.1
  • @​backstage/config@​1.0.7
  • @​backstage/errors@​1.1.5
  • @​backstage/types@​1.0.2
  • @​backstage/plugin-catalog-common@​1.0.13

v1.12.0

Compare Source

Minor Changes

• 7d724d8: Added the ability to be able to define an actions input and output schema using zod instead of hand writing types and jsonschema

Patch Changes

• 860de10: Make identity valid if subject of token is a backstage server-2-server auth token
• 6545487: Minor API report tweaks
• c6c78b4: throw error from catalog:fetch scaffolder action when entity is null and optional is false
• 9968f45: catalog write action should allow any shape of object
• 928a12a: Internal refactor of /alpha exports.
• 52b0022: Updated dependency msw to ^1.0.0.
• 7af1285: Extended scaffolder action catalog:fetch to fetch multiple catalog entities by entity references.
• Updated dependencies
  • @​backstage/plugin-catalog-backend@​1.8.0
  • @​backstage/catalog-client@​1.4.0
  • @​backstage/plugin-auth-node@​0.2.12
  • @​backstage/backend-tasks@​0.5.0
  • @​backstage/backend-common@​0.18.3
  • @​backstage/errors@​1.1.5
  • @​backstage/plugin-catalog-node@​1.3.4
  • @​backstage/backend-plugin-api@​0.5.0
  • @​backstage/catalog-model@​1.2.1
  • @​backstage/integration@​1.4.3
  • @​backstage/config@​1.0.7
  • @​backstage/types@​1.0.2
  • @​backstage/plugin-scaffolder-common@​1.2.6
  • @​backstage/plugin-scaffolder-node@​0.1.1

v1.11.0

Compare Source

Minor Changes

• 0b2952e: Added the option to overwrite files in the targetPath of the template:fetch action
• 1271549: Renamed the export scaffolderCatalogModule to catalogModuleTemplateKind in order to follow the new recommended naming patterns of backend system items. This is technically a breaking change but in an alpha export, so take care to change your imports if you have already migrated to the new backend system.

Patch Changes

• 0ff0331: Updated usage of createBackendPlugin.

• ad3edc4: Deprecations: The following are deprecated and should instead be imported from the new package @backstage/plugin-scaffolder-node:

  • ActionContext
  • createTemplateAction
  • TaskSecrets
  • TemplateAction

• 6c70919: Provide better error messaging when GitHub fails due to missing team definitions

• 66cf22f: Updated dependency esbuild to ^0.17.0.

• Updated dependencies

  • @​backstage/plugin-catalog-backend@​1.7.2
  • @​backstage/backend-plugin-api@​0.4.0
  • @​backstage/backend-common@​0.18.2
  • @​backstage/plugin-scaffolder-node@​0.1.0
  • @​backstage/catalog-model@​1.2.0
  • @​backstage/plugin-catalog-node@​1.3.3
  • @​backstage/backend-tasks@​0.4.3
  • @​backstage/catalog-client@​1.3.1
  • @​backstage/config@​1.0.6
  • @​backstage/errors@​1.1.4
  • @​backstage/integration@​1.4.2
  • @​backstage/types@​1.0.2
  • @​backstage/plugin-auth-node@​0.2.11
  • @​backstage/plugin-scaffolder-common@​1.2.5

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.