chore(deps): update dependency fastify-static to 4.4.1 [security]

[renovate]

This PR contains the following updates:

Package	Change
fastify-static	4.2.4 -> 4.4.1

GitHub Vulnerability Alerts

CVE-2021-22964

Impact

A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e.

A DOS vulnerability is possible if the URL contains invalid characters curl --path-as-is "http://localhost:3000//^/.."

The issue shows up on all the fastify-static applications that set redirect: true option. By default, it is false.

Patches

The issue has been patched in fastify-static@4.4.1

Workarounds

If updating is not an option, you can sanitize the input URLs using the rewriteUrl server option.

References

• Bug founder: drstrnegth
• hackerone Report

For more information

If you have any questions or comments about this advisory:

• Open an issue in fastify-static
• Contact the security team

---

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[github-actions]

🎉 This PR is included in version 1.1.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀