security: Stop automatically adding URLs from server-side load fetch calls to dependencies
#9945
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
🦋 Changeset detectedLatest commit: 487aa22 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
…ve-implicit-dep-tracking
Rich-Harris
reviewed
May 17, 2023
packages/kit/types/index.d.ts
Outdated
Comment on lines
347
to
351
| /** | ||
| * Automatically add server-side `fetch`ed URLs to the `dependencies` map of `load` functions. This will expose secrets | ||
| * to the client if your URL contains them. | ||
| */ | ||
| trackServerFetchesPotentiallyExposingSecrets?: boolean; |
There was a problem hiding this comment.
I think we can trim the option name down to trackServerFetches — we can explain the details in the inline documentation, and the dangerZone makes it clear that this is 'know what you're doing' territory
Suggested change
| /** | |
| * Automatically add server-side `fetch`ed URLs to the `dependencies` map of `load` functions. This will expose secrets | |
| * to the client if your URL contains them. | |
| */ | |
| trackServerFetchesPotentiallyExposingSecrets?: boolean; | |
| /** | |
| * Mark server `load` functions that call `fetch(url)` as depending on `url`, allowing you to | |
| * call `invalidate(url)` from the client. The URL, including e.g. sensitive query parameters, | |
| * will be visible to the client. This option will be removed in version 2; use `depends` instead | |
| */ | |
| trackServerFetches?: boolean; |
There was a problem hiding this comment.
I dunno, I like explicitly requiring users to acknowledge what they're doing -- there's no guarantee they understand why this is dangerous. Happy to make the change, but I personally think the annoyance of typing a gigantic and explicit config value is worth it, especially since it's not going to be around forever.
5 tasks
Rich-Harris
approved these changes
May 17, 2023
Rich-Harris
deleted the
elliott/9803-security-remove-implicit-dep-tracking
branch
Merged
leonardoadame
pushed a commit
to leonardoadame/Affiliate-tech
that referenced
this pull request
May 17, 2023
* feat: Add a speedier script tag for prerendered redirects (sveltejs#9911) * feat: Add a script redirect to prerendered pages * changeset * Update .changeset/hungry-rocks-hunt.md Co-authored-by: Simon H <5968653+dummdidumm@users.noreply.github.com> * fix test * feat: Update string escaping * Update .changeset/hungry-rocks-hunt.md Co-authored-by: Conduitry <git@chor.date> --------- Co-authored-by: Simon H <5968653+dummdidumm@users.noreply.github.com> Co-authored-by: Conduitry <git@chor.date> * fix: avoid inlining raw/url CSS imports (sveltejs#9925) * fix: use transformRequest for CSS modules * just avoid raw or url * test and changeset * use parsed query * remove only * Update packages/kit/test/apps/basics/test/cross-platform/test.js * drive by test speed up * feat: prerender & analyse in worker rather than subprocess to support Deno (sveltejs#9919) * feat(fork): use workers * Create hot-actors-hope.md * Update packages/kit/src/utils/fork.js Co-authored-by: Rich Harris <hello@rich-harris.dev> --------- Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> Co-authored-by: Rich Harris <hello@rich-harris.dev> * avoid using isMainThread, since it interacts poorly with vitest (sveltejs#9941) Co-authored-by: Rich Harris <git@rich-harris.dev> * chore: bump vite and devalue (sveltejs#9933) * bump vite and devalue * update templates * merge master * fix test --------- Co-authored-by: Rich Harris <git@rich-harris.dev> * chore: uvu -> vitest for create-svelte tests (sveltejs#9910) * chore: uvu -> vitest for create-svelte tests * format * concurrency (sveltejs#9921) * realised we werent typechecking this file, found some errors. fixed * Wait for beforeAll hook to complete * simplify * exclude create-svelte/template files from prettier, so that we can emit correctly formatted templates * remove unused file * Revert "exclude create-svelte/template files from prettier, so that we can emit correctly formatted templates" This reverts commit aa188d4. --------- Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> Co-authored-by: Rich Harris <git@rich-harris.dev> * feat: unshadow `form` and `data` in `enhance` (sveltejs#9902) * feat: Un-shadow `data` and `form` in `enhance`, warn about future deprecation in dev * changeset * snek * Update .changeset/odd-crews-own.md Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> * Update packages/kit/test/apps/dev-only/package.json Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> * am not smart * still not smart * oops * oof * add deprecation notice --------- Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> Co-authored-by: Rich Harris <git@rich-harris.dev> * fix: Set loader: { '.wasm': 'copy' } in esbuild config in `adapter-cloudflare-workers` (sveltejs#9940) * fix: Set loader: { '.wasm': 'copy' } in esbuild config in `adapter-cloudflare-workers` Copies WASM files in Cloudflare instead of trying to load them. Related to sveltejs#9909 * Create brave-peaches-buy.md * Update packages/adapter-cloudflare-workers/index.js * format --------- Co-authored-by: Rich Harris <git@rich-harris.dev> Co-authored-by: Rich Harris <hello@rich-harris.dev> * fix: Flaky test (sveltejs#9947) * fix: Flaky test * reuse locator * add semi * drive by test speed up * another classic * oh my god brain, y u so bad --------- Co-authored-by: gtmnayan <50981692+gtm-nayan@users.noreply.github.com> Co-authored-by: gtmnayan <gtmnayan@gmail.com> * remove envVarsInUse (sveltejs#9942) Co-authored-by: Rich Harris <git@rich-harris.dev> * fix: type `vitePlugin` in config (sveltejs#9946) * fix: type `vitePlugin` in config * changeset * fix: Set `loader: { '.wasm': 'copy' }` in esbuild config in `adapter-vercel` (sveltejs#9944) * fix: Enable wasm copy in adapter-vercel * Create olive-rings-eat.md --------- Co-authored-by: Rich Harris <richard.a.harris@gmail.com> * feat: crawl URLs in `<meta>` tags (sveltejs#9900) * Crawl social-image urls during prerender * Formatting & Linting * Format changeset & added exhaustive list of crawlable urls * Changed severity to minor as described in sveltejs#5228 * Added support for `property` attribute & limited valid names to just social tags * More tests * Better changeset message - I'm indecisive * Update .changeset/thirty-garlics-tan.md Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> * simplify * simplify * Removed redundant data-sanitation * DRY out --------- Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> Co-authored-by: Rich Harris <git@rich-harris.dev> * Version Packages (sveltejs#9893) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * feat: support AWS via SST in adapter-auto (sveltejs#9874) * [feat] support AWS via SST in adapter-auto * Sync * Delete 95-adapter-aws-sst.md * Update .changeset/rotten-ducks-tan.md --------- Co-authored-by: Rich Harris <hello@rich-harris.dev> * Version Packages (sveltejs#9953) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * only cache response if response has cache-control header (sveltejs#9885) * only cache response if response has cache-control header * add changeset * Version Packages (sveltejs#9955) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix: ensure styles are loaded in dev mode for routes containing special characters (sveltejs#9894) * Fix loading styles for routes containing special characters in dev mode. SvelteKit doesn't decode special characters in pathnames when loading CSS modules in dev mode, resulting in an error: Internal server error: Failed to load url /src/routes/(special)/hinnap%C3%A4ring/+page.svelte?svelte=&type=style&lang.css=&inline= (resolved id: /src/routes/(special)/hinnap%C3%A4ring/+page.svelte?svelte&type=style&lang.css). Does the file exist? Actual path: /src/routes/(special)/hinnapäring/ Fix by using decodeURI on the url.pathname when loading CSS modules. * Create stale-houses-yell.md * decodeURL inside if * add test --------- Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> Co-authored-by: Rich Harris <git@rich-harris.dev> * feat: Warn users when submitting forms with files but no `enctype="multipart/form-data"` (sveltejs#9888) * fix: Package name keeps me from filtering with pnpm * feat: Warn users when submitting a form containing a file without the correct enctype * changeset * Update packages/kit/src/runtime/app/forms.js Co-authored-by: gtmnayan <50981692+gtm-nayan@users.noreply.github.com> * style * moar style tweaks * better test skip * Update .changeset/tasty-llamas-relate.md Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> * DRY out * only warn once per submit * Update .changeset/tasty-llamas-relate.md Co-authored-by: Rich Harris <richard.a.harris@gmail.com> --------- Co-authored-by: gtmnayan <50981692+gtm-nayan@users.noreply.github.com> Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> Co-authored-by: Rich Harris <git@rich-harris.dev> Co-authored-by: Rich Harris <richard.a.harris@gmail.com> * Version Packages (sveltejs#9957) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * security: Stop automatically adding URLs from server-side `load` `fetch` calls to dependencies (sveltejs#9945) * feat: Add `dangerZone` config * breaking: Don't implicitly track deps in server-side fetch * changeset * bein dumb * fix: Server load invalidation * fix: Write config for server * fix: test * unsurprisingly i am dumb * docs: Clarify difference between server `fetch` and universal `fetch` * tests * rename to trackServerFetches --------- Co-authored-by: Rich Harris <git@rich-harris.dev> * Version Packages (sveltejs#9963) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Co-authored-by: S. Elliott Johnson <sejohnson@torchcloudconsulting.com> Co-authored-by: Simon H <5968653+dummdidumm@users.noreply.github.com> Co-authored-by: Conduitry <git@chor.date> Co-authored-by: gtmnayan <50981692+gtm-nayan@users.noreply.github.com> Co-authored-by: Fernando López Guevara <fernando.lguevara@gmail.com> Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> Co-authored-by: Rich Harris <hello@rich-harris.dev> Co-authored-by: Rich Harris <richard.a.harris@gmail.com> Co-authored-by: Rich Harris <git@rich-harris.dev> Co-authored-by: Conner <conner@semicognitive.com> Co-authored-by: gtmnayan <gtmnayan@gmail.com> Co-authored-by: Loris Sigrist <43482866+LorisSigrist@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Frank <frank@sst.dev> Co-authored-by: Frank Dumont <fj.dumont@gmail.com> Co-authored-by: Reio Remma <reio@mrstuudio.ee>
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #9803. This is a breaking change for security purposes.
This PR prevents server
loadfunction from implicitly depending on URLs passed tofetch. This is because dependencies from serverloadfunctions have to be sent to the client in order to be invalidated, which can leak secrets (if they're in the search params, for example).If you understand the risk and want to keep the old behavior, you can set
config.kit.dangerZone.trackServerFetchesPotentiallyExposingSecretstotrue.TODO:
Please don't delete this checklist! Before submitting the PR, please make sure you do the following:
Tests
pnpm testand lint the project withpnpm lintandpnpm checkChangesets
pnpm changesetand following the prompts. Changesets that add features should beminorand those that fix bugs should bepatch. Please prefix changeset messages withfeat:,fix:, orchore:.