fix(deps): update dependency fastify to v4.10.2 [security] #196

renovate · 2023-11-18T00:32:54Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fastify (source)	`4.5.3` -> `4.10.2`

GitHub Vulnerability Alerts

CVE-2022-39288

Impact

An attacker can send an invalid Content-Type header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.

(This was updated: upon a close inspection, v3.x is not affected after all).

Patches

Yes, update to > v4.8.0.

Workarounds

You can reject the malicious content types before the body parser enters in action.

  const badNames = Object.getOwnPropertyNames({}.__proto__)
  fastify.addHook('onRequest', async (req, reply) => {
    for (const badName of badNames) {
      if (req.headers['content-type'].indexOf(badName) > -1) {
        reply.code(415)
        throw new Error('Content type not supported')
      }
    }
  })

References

See the HackerOne report #1715536

For more information

Fastify security policy

CVE-2022-41919

Impact

The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.

Patches

For 4.x users, please update to at least 4.10.2
For 3.x users, please update to at least 3.29.4

Workarounds

Implement Cross-Site Request Forgery protection using @fastify/csrf.

References

Check out the HackerOne report: https://hackerone.com/reports/1763832.

For more information

Fastify security policy

Release Notes

fastify/fastify (fastify)

What's Changed

types: Add missing context types by @kibertoad in https://github.com/fastify/fastify/pull/4352
Revert "fix(logger): lost setBindings type in FastifyBaseLogger" by @climba03003 in https://github.com/fastify/fastify/pull/4355

Full Changelog: fastify/fastify@v4.9.1...v4.9.2

`v4.9.1`

Compare Source

What's Changed

docs(reply): specify streams content-type by @D10f in https://github.com/fastify/fastify/pull/4337
fix(logger): lost setBindings type in FastifyBaseLogger by @BlackHole1 in https://github.com/fastify/fastify/pull/4346
docs(reference): grammar and structure fixes by @Fdawgs in https://github.com/fastify/fastify/pull/4348
docs: example how decorators dependencies works by @leandroandrade in https://github.com/fastify/fastify/pull/4343
Undefined is a valid value for if set as a single hook by @mcollina in https://github.com/fastify/fastify/pull/4351

New Contributors

@D10f made their first contribution in https://github.com/fastify/fastify/pull/4337

Full Changelog: fastify/fastify@v4.9.0...v4.9.1

`v4.9.0`

Compare Source

What's Changed

fix: error handler content-type guessing by @climba03003 in https://github.com/fastify/fastify/pull/4329
build(deps-dev): bump fluent-json-schema from 3.1.0 to 4.0.0 by @dependabot in https://github.com/fastify/fastify/pull/4331
feat: Supporting different content-type responses by @iifawzi in https://github.com/fastify/fastify/pull/4264
fix: should now call default schema compilers by @Eomm in https://github.com/fastify/fastify/pull/4340
docs(ecosystem): replace heply -> beliven due to rebranding by @zuck in https://github.com/fastify/fastify/pull/4334
docs(ecosystem): add @fastify-userland plugins and tools by @BlackHole1 in https://github.com/fastify/fastify/pull/4345
Validate and throws a custom error when attempting to register invalid hook functions by @jhhom in https://github.com/fastify/fastify/pull/4332

New Contributors

@jhhom made their first contribution in https://github.com/fastify/fastify/pull/4332

Full Changelog: fastify/fastify@v4.8.1...v4.9.0

`v4.8.1`

Compare Source

⚠️ Security Release ⚠️

This release fixes GHSA-455w-c45v-86rg for the v4.x line.
This is a HIGH vulnerability that can lead to a crash, resulting in a total loss of availability.
The CVE for this vulnerability is CVE-2022-39288.

Full Changelog: fastify/fastify@v4.8.0...v4.8.1