
fix(deps): update dependency eta to v2 [security] #562

Open
renovate[bot] wants to merge 1 commit into main

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Feb 1, 2023

This PR contains the following updates:

Package        Change
eta (source)   1.12.3 -> 2.0.0

GitHub Vulnerability Alerts

CVE-2023-23630

Impact

XSS attack - anyone using the Express API is impacted

Patches

The problem has been resolved. Users should upgrade to version 2.0.0.

Workarounds

Don't pass user supplied data directly to res.renderFile.

References

Are there any links users can visit to find out more?
See https://github.com/eta-dev/eta/releases/tag/v2.0.0

CVE-2022-25967

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data.


Release Notes

eta-dev/eta (eta)

v2.0.0: Version 2.0.0

TL;DR

This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the data parameter of renderFile() into config -- meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of varName, include, includeFile, and useWith, and thus insert arbitrary code into user template functions.

With this release, such behavior is removed. Configuration cannot be passed through the data parameter to eta.renderFile().

Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.

Practical Implications

  • Configuration must be passed to renderFile explicitly, rather than merged with the data parameter
  • Using Express.js app.set() to modify views and view cache will no longer change Eta's configuration of views and cache.
    • However, since Express still uses its own views and view cache options under the hood, users should configure both Eta and Express with desired values (example below)
  • Eta no longer recognizes the legacy Express.js settings["view options"] property

Example Code Changes

// Change THIS:
var { renderFile } = require("eta") // filePath below is the path of the template to render
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2
// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2: data stays in the second argument, config goes in the third

// Change THIS:
var express = require("express")
var app = express()
var eta = require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)
// To THIS:
var express = require("express")
var app = express()
var eta = require("eta")
app.engine("eta", eta.renderFile)
eta.configure({ views: "./views", cache: true }) // configure Eta
app.set("views", "./views") // configure Express
app.set("view cache", true) // configure Express
app.set("view engine", "eta")

v1.14.2: Version 1.14.2

TL;DR

  • Fixed "types" field in package.json

v1.14.1: Version 1.14.1

TL;DR

  • Fixed package.json exports and type fields

v1.14.0: Version 1.14.0

TL;DR

  • Refactored Eta's build process to make it more maintainable
  • Improved NodeNext support

v1.13.0: Version 1.13.0

TL;DR

  • Improved return types through TS function overloading
  • Fixed the "types" field in package.json

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
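As an added example (not eta's code and not part of this PR), the guard below implements the workaround the advisory gives v1 users, "don't pass user supplied data directly" to the render call, for deployments that cannot take 2.0.0 immediately. The key set, the function names and the sample request bodies are assumptions of this example.

```javascript
"use strict";
// Added example (not eta's code and not part of this PR): a guard for the
// advisory's workaround for eta 1.x. In v1 the data object was merged into
// the engine config, so keys such as varName, include, includeFile and
// useWith arriving from a request could reconfigure the engine.

// Keys the release notes name as reachable through merged render data, plus
// the cache/views options the notes discuss. Assumption: extend this set
// with any other engine option your eta version accepts.
const RESERVED_ETA_KEYS = new Set([
  "varName", "include", "includeFile", "useWith", "cache", "views",
]);

// Reserved keys present at the top level of `data` (own keys only).
// Returns [] for non-objects. Suitable as a detection/logging hook.
function findReservedKeys(data) {
  if (data === null || typeof data !== "object") return [];
  return Object.keys(data).filter((key) => RESERVED_ETA_KEYS.has(key));
}

// Allowlist copy: keep only the fields the template needs; everything
// else, reserved keys included, is dropped. Returns a fresh plain object.
function pickRenderData(untrusted, allowedKeys) {
  const out = {};
  if (untrusted === null || typeof untrusted !== "object") return out;
  for (const key of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(untrusted, key)) {
      out[key] = untrusted[key];
    }
  }
  return out;
}

// Combined guard: refuse the request when reserved keys are seen, so the
// caller can log the attempt; otherwise return the filtered data object.
function guardRenderData(untrusted, allowedKeys) {
  const hits = findReservedKeys(untrusted);
  if (hits.length > 0) {
    throw new Error("refusing render: reserved Eta config keys in input: " + hits.join(", "));
  }
  return pickRenderData(untrusted, allowedKeys);
}

// Constructed sample request bodies, not captured traffic.
const benignBody = { name: "Ada", page: 2 };
const suspiciousBody = { name: "Ada", varName: "x", include: "ignored" };
// Usage: res.render("profile", guardRenderData(req.body, ["name", "page"]))
console.log(guardRenderData(benignBody, ["name", "page"]));
try { guardRenderData(suspiciousBody, ["name", "page"]); } catch (e) { console.log(e.message); }
```

The filtered object is what reaches `res.render()`; on eta 2.0.0 the same allowlist still limits what a template can see, so it is worth keeping after the upgrade.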

@renovate renovate bot added the 📦 package label Feb 1, 2023
@vercel

vercel bot commented Feb 1, 2023

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name     Status     Preview         Comments         Updated (UTC)
chirpy   ✅ Ready   Visit Preview   💬 Add feedback   Oct 30, 2024 6:16am

@changeset-bot

changeset-bot bot commented Feb 1, 2023

⚠️ No Changeset found

Latest commit: 87fc7b2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@relativeci

relativeci bot commented Feb 1, 2023

Job #1411: Bundle Size — 2.36MiB (0%).

285daff(current) vs e32b68c main#1410(baseline)

⚠️ Bundle contains 3 duplicate packages

Metrics (1 change)

Metric               Current (Job #1411)   Baseline (Job #1410)
Initial JS           1.9MiB                1.9MiB
Initial CSS          85.7KiB               85.7KiB
Cache Invalidation   0%                    59.72%
Chunks               56                    56
Assets               75                    75
Modules              1821                  1821
Duplicate Modules    237                   237
Duplicate Code       5.53%                 5.53%
Packages             148                   148
Duplicate Packages   3                     3

Total size by type (no changes)

Type    Current (Job #1411)   Baseline (Job #1410)
CSS     85.7KiB               85.7KiB
Fonts   177.08KiB             177.08KiB
HTML    0B                    0B
IMG     1.26KiB               1.26KiB
JS      2.09MiB               2.09MiB
Media   0B                    0B
Other   15.16KiB              15.16KiB

View job #1411 report · View refs/pull/562/merge branch activity

@cypress

cypress bot commented Feb 1, 2023

2 failed tests on run #1941 ↗︎

2 4 0 1 Flakiness 0

Details:

fix(deps): update dependency eta to v2 [security]
Project: chirpy Commit: 8211e748ee
Status: Failed Duration: 02:40 💡
Started: Jul 8, 2023 1:55 AM Ended: Jul 8, 2023 1:58 AM
Failed: home/header.spec.ts • 1 failed test • Cypress Actions
  Header > should show user menu

Failed: dashboard/project.spec.ts • 1 failed test • Cypress Actions
  Project > should show integration doc

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.

@github-actions
Contributor

github-actions bot commented May 2, 2023

Coverage report for ./apps/main

❌ An unexpected error occurred. For more details, check console

Error: The process '/opt/hostedtoolcache/node/16.20.1/x64/bin/npx' failed with exit code 1

Branches coverage not met for global: expected >=1%, but got 0%

Status   Category     Percentage   Covered / Total
🔴       Statements   1.14%        6/525
🔴       Branches     0%           0/101
🔴       Functions    1.25%        1/80
🔴       Lines        1.28%        6/468

Test suite run failed

Failed tests: 0/1. Failed suites: 1/2.
  ● Test suite failed to run

    Jest encountered an unexpected token

    Jest failed to parse a file. This happens e.g. when your code or its dependencies use non-standard JavaScript syntax, or when Jest is not configured to support such syntax.

    Out of the box Jest supports Babel, which will be used to transform your files into valid JS based on your Babel configuration.

    By default "node_modules" folder is ignored by transformers.

    Here's what you can do:
     • If you are trying to use ECMAScript Modules, see https://jestjs.io/docs/ecmascript-modules for how to enable it.
     • If you are trying to use TypeScript, see https://jestjs.io/docs/getting-started#using-typescript
     • To have some of your "node_modules" files transformed, you can specify a custom "transformIgnorePatterns" in your config.
     • If you need a custom transformation specify a "transform" option in your config.
     • If you simply want to mock your non-JS modules (e.g. binary assets) you can stub them out with the "moduleNameMapper" config option.

    You'll find more details and examples of these config options in the docs:
    https://jestjs.io/docs/configuration
    For information about custom transformations, see:
    https://jestjs.io/docs/code-transformation

    Details:

    /home/runner/work/chirpy/chirpy/node_modules/.pnpm/[email protected]/node_modules/github-slugger/index.js:1
    ({"Object.<anonymous>":function(module,exports,require,__dirname,__filename,jest){import { regex } from './regex.js'
                                                                                      ^^^^^^

    SyntaxError: Cannot use import statement outside a module



      at Runtime.createScriptFromCode (../../node_modules/.pnpm/[email protected]/node_modules/jest-runtime/build/index.js:1496:14)
      at Object.<anonymous> (src/server/common/constants.ts:371:66)
      at Object.<anonymous> (src/server/mdx/files.ts:1127:27)
      at Object.<anonymous> (src/server/mdx/__tests__/files.test.ts:23:16)

Report generated by 🧪jest coverage report action from 8211e74

@renovate renovate bot force-pushed the renovate/npm-eta-vulnerability branch from 9808356 to 9c1902e, June 23, 2023 12:50
@renovate renovate bot force-pushed the renovate/npm-eta-vulnerability branch from 9c1902e to 0cdc598, July 1, 2023 10:04
@renovate renovate bot force-pushed the renovate/npm-eta-vulnerability branch from 0cdc598 to 8211e74, July 8, 2023 01:48
@renovate renovate bot force-pushed the renovate/npm-eta-vulnerability branch from 8211e74 to b541e01, November 15, 2023 03:13
@renovate renovate bot force-pushed the renovate/npm-eta-vulnerability branch from b541e01 to eb95fa9, December 2, 2023 10:36
@renovate renovate bot force-pushed the renovate/npm-eta-vulnerability branch from eb95fa9 to 73e7955, January 26, 2024 06:30
@renovate renovate bot force-pushed the renovate/npm-eta-vulnerability branch from 73e7955 to 539c2b2, March 4, 2024 06:31
@renovate renovate bot force-pushed the renovate/npm-eta-vulnerability branch from 539c2b2 to 550de82, October 15, 2024 12:40