Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency @sveltejs/kit to v2.8.3 [security] #1583

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 25, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@sveltejs/kit (source) 2.8.1 -> 2.8.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-53262

Summary

The static error.html template for errors contains placeholders that are replaced without escaping the content first.

Details

From https://kit.svelte.dev/docs/errors:

error.html is the page that is rendered when everything else fails. It can contain the following placeholders:
%sveltekit.status% — the HTTP status
%sveltekit.error.message% — the error message

This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content that ends up being something like this inside a server handle function:

error(500, '<script>alert("boom")</script>');

Uncaught errors cannot be exploited like this, as they always render the message "Internal error".

Escaping the message string in the function that creates the html output can be done to improve safety for applications that are using custom errors on the server.

PoC

None provided

Impact

Only applications where user provided input is used in the Error message will be vulnerable, so the vast majority of applications will not be vulnerable

CVE-2024-53261

Summary

"Unsanitized input from the request URL flows into end, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."

Details

Source of potentially tainted data is in packages/kit/src/exports/vite/dev/index.js, line 437. This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

Another source of potentially tainted data (according to Snyk) comes from ‎packages/kit/src/exports/vite/utils.js, line 30, col 30 (i.e., the url property of req). This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

PoC

Not provided

Impact

Little to none. The Vite development is not exposed to the network by default. And even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data.


Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.8.3

Compare Source

Patch Changes
  • fix: ensure error messages are escaped (#​13050)

  • fix: escape values included in dev 404 page (#​13039)

v2.8.2

Compare Source

Patch Changes
  • fix: prevent duplicate fetch request when using Request with load function's fetch (#​13023)

  • fix: do not override default cookie decoder to allow users to override the cookie library version (#​13037)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link

netlify bot commented Nov 25, 2024

Deploy Preview for mermaidjs ready!

Name Link
🔨 Latest commit 3936d51
🔍 Latest deploy log https://app.netlify.com/sites/mermaidjs/deploys/6744a3fddd235900087a3bd7
😎 Deploy Preview https://deploy-preview-1583--mermaidjs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

Copy link

cypress bot commented Nov 25, 2024

Mermaid Live Editor    Run #1693

Run Properties:  status check failed Failed #1693  •  git commit 9597797927 ℹ️: Merge 3936d516d708602ba6391b8bfc8e734dd3a8eb79 into 939ef8b56eff362a1fcd3e215414...
Project Mermaid Live Editor
Branch Review renovate/npm-sveltejs-kit-vulnerability
Run status status check failed Failed #1693
Run duration 03m 21s
Commit git commit 9597797927 ℹ️: Merge 3936d516d708602ba6391b8bfc8e734dd3a8eb79 into 939ef8b56eff362a1fcd3e215414...
Committer renovate[bot]
View all properties for this run ↗︎

Test results
Tests that failed  Failures 1
Tests that were flaky  Flaky 0
Tests that did not run due to a developer annotating a test with .skip  Pending 6
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 28
⚠️ You've recorded test results over your free plan limit.
Upgrade your plan to view test results.
View all changes introduced in this branch ↗︎

Tests for review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants