New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency vite to v2.9.16 [security] #321

Open

renovate wants to merge 1 commit into main from renovate/npm-vite-vulnerability

Contributor

renovate bot commented Sep 25, 2022 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`2.1.5` -> `2.9.16`

GitHub Vulnerability Alerts

CVE-2022-35204

Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.

CVE-2023-34092

Summary

The issue involves a security vulnerability in Vite, where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. This document outlines the steps to address and mitigate this issue. Adding Extra References : ## Steps to Fix. Update Vite:Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n\n2. Secure the Server Configuration:In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories. For example:```javascript\n // vite.config.js\n export default { server: {\n fs: {\n deny: ['private-directory'] // Restrict access to specific directories

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.

Patches

Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16

Details

Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.

PoC

Create a new latest project of vite using any package manager. (here I'm using react and vue templates for tested and pnpm)
Serve the application on dev mode using pnpm run dev.
Directly access the file from url using double forward-slash (//) (e.g: //.env, //.env.local)
Server Options fs.deny restrict successfully bypassed.

Proof Images:

Release Notes

vitejs/vite (vite)

`v2.9.16`

Please refer to CHANGELOG.md for details.

`v2.9.15`

Please refer to CHANGELOG.md for details.

`v2.9.14`

Please refer to CHANGELOG.md for details.

`v2.9.13`

Please refer to CHANGELOG.md for details.

`v2.9.12`

Please refer to CHANGELOG.md for details.

`v2.9.11`

Please refer to CHANGELOG.md for details.

`v2.9.10`

Please refer to CHANGELOG.md for details.

`v2.9.9`

Please refer to CHANGELOG.md for details.

`v2.9.8`

Please refer to CHANGELOG.md for details.

`v2.9.7`

Please refer to CHANGELOG.md for details.

`v2.9.6`

Please refer to CHANGELOG.md for details.

`v2.9.5`

Please refer to CHANGELOG.md for details.

`v2.9.4`

Please refer to CHANGELOG.md for details.

`v2.9.3`

Please refer to CHANGELOG.md for details.

`v2.9.2`

Please refer to CHANGELOG.md for details.

`v2.9.1`

Please refer to CHANGELOG.md for details.

`v2.9.0`

Please refer to CHANGELOG.md for details.

`v2.8.6`

Please refer to CHANGELOG.md for details.

`v2.8.5`

Please refer to CHANGELOG.md for details.

`v2.8.4`

Please refer to CHANGELOG.md for details.

`v2.8.3`

Please refer to CHANGELOG.md for details.

`v2.8.2`

Please refer to CHANGELOG.md for details.

`v2.8.1`

Please refer to CHANGELOG.md for details.

`v2.8.0`

Please refer to CHANGELOG.md for details.

`v2.7.13`

Please refer to CHANGELOG.md for details.

`v2.7.12`

Please refer to CHANGELOG.md for details.

`v2.7.11`

Please refer to CHANGELOG.md for details.

`v2.7.10`

Please refer to CHANGELOG.md for details.

`v2.7.9`

Please refer to CHANGELOG.md for details.

`v2.7.8`

Please refer to CHANGELOG.md for details.

`v2.7.7`

Please refer to CHANGELOG.md for details.

`v2.7.6`

Please refer to CHANGELOG.md for details.

`v2.7.5`

Please refer to CHANGELOG.md for details.

`v2.7.4`

Please refer to CHANGELOG.md for details.

`v2.7.3`

Please refer to CHANGELOG.md for details.

`v2.7.2`

Please refer to CHANGELOG.md for details.

`v2.7.1`

Please refer to CHANGELOG.md for details.

`v2.7.0`

Please refer to CHANGELOG.md for details.

`v2.6.14`

`v2.6.13`

`v2.6.12`

`v2.6.11`

`v2.6.10`

`v2.6.9`

`v2.6.8`

`v2.5.10`

`v2.5.9`

`v2.5.8`

`v2.5.7`

`v2.5.6`

`v2.4.4`

`v2.4.3`

`v2.4.2`

`v2.4.1`

`v2.4.0`

`v2.3.8`

`v2.3.7`

`v2.3.6`

`v2.3.5`

`v2.3.4`

`v2.3.3`

`v2.3.2`

`v2.3.1`

`v2.3.0`

`v2.2.4`

`v2.2.3`

`v2.2.2`

`v2.2.1`

`v2.2.0`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 057420b to ed69b8b Compare

June 6, 2023 03:43

renovate bot changed the title ~~chore(deps): update dependency vite to v2.9.13 [security]~~ chore(deps): update dependency vite to v2.9.16 [security]

renovate bot changed the title ~~chore(deps): update dependency vite to v2.9.16 [security]~~ chore(deps): update dependency vite to v2.9.16 [security] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-vite-vulnerability branch

February 24, 2024 07:59

renovate bot changed the title ~~chore(deps): update dependency vite to v2.9.16 [security] - autoclosed~~ chore(deps): update dependency vite to v2.9.16 [security]

renovate bot reopened this

renovate bot restored the renovate/npm-vite-vulnerability branch

February 24, 2024 09:20

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from ed69b8b to e41df2f Compare

February 24, 2024 09:20


          chore(deps): update dependency vite to v2.9.16 [security]

ee173e0

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from e41df2f to ee173e0 Compare

May 17, 2024 12:41

coderabbitai bot commented May 17, 2024

Important

Auto Review Skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>.
- Generate unit testing code for this file.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai generate unit testing code for this file.
- @coderabbitai modularize this function.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai generate interesting stats about this repository and render them as a table.
- @coderabbitai show all the console.log statements in this repository.
- @coderabbitai read src/utils.ts and generate unit testing code.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment