Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency astro to v4 [SECURITY] #199

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 14, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
astro (source) ^3.0.0 -> ^4.0.0 age adoption passing confidence
astro (source) ^3.5.5 -> ^4.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-47885

Summary

A DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has stored attacker-controlled scriptless HTML elements (i.e., iframe tags with unsanitized name attributes) on the destination pages.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Astro

We identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the <ViewTransitions /> component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an <a> link):

https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156

However, this implementation is vulnerable to a DOM Clobbering attack. The document.scripts lookup can be shadowed by an attacker injected non-script HTML elements (e.g., <img name="scripts"><img name="scripts">) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements.

The condition script.dataset.astroExec === '' on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require a type attribute.

Finally, the innerHTML of an attacker-injected non-script HTML elements, which is plain text content before, will be set to the .innerHTML of an script element that leads to XSS.

PoC

Consider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g., form or iframe). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

For PoC website, please refer to: https://stackblitz.com/edit/github-4xgj2d. Clicking the "about" button in the menu will trigger an alert(1) from an attacker-injected form element.

---
import Header from "../components/Header.astro";
import Footer from "../components/Footer.astro";
import { ViewTransitions } from "astro:transitions";
import "../styles/global.css";
const { pageTitle } = Astro.props;
---
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <meta name="viewport" content="width=device-width" />
    <meta name="generator" content={Astro.generator} />
    <title>{pageTitle}</title>
    <ViewTransitions />
  </head>
  <body>
    <!--USER INPUT-->
    <iframe name="scripts">alert(1)</iframe>
    <iframe name="scripts">alert(1)</iframe>
    <!--USER INPUT-->
    
    <Header />
    <h1>{pageTitle}</h1>
    <slot />
    <Footer />
    <script>
      import "../scripts/menu.js";
    </script>
  </body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with ViewTransitions and store the user-inserted scriptless HTML tags without properly sanitizing the name attributes on the page.

Patch

We recommend replacing document.scripts with document.getElementsByTagName('script') for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging the name attribute.

Reference

Similar issues for reference:


Release Notes

withastro/astro (astro)

v4.16.1

Compare Source

Patch Changes
  • #​12177 a4ffbfa Thanks @​matthewp! - Ensure we target scripts for execution in the router

    Using document.scripts is unsafe because if the application has a name="scripts" this will shadow the built-in document.scripts. Fix is to use getElementsByTagName to ensure we're only grabbing real scripts.

  • #​12173 2d10de5 Thanks @​ematipico! - Fixes a bug where Astro Actions couldn't redirect to the correct pathname when there was a rewrite involved.

v4.16.0

Compare Source

Minor Changes
  • #​12039 710a1a1 Thanks @​ematipico! - Adds a markdown.shikiConfig.langAlias option that allows aliasing a non-supported code language to a known language. This is useful when the language of your code samples is not a built-in Shiki language, but you want your Markdown source to contain an accurate language while also displaying syntax highlighting.

    The following example configures Shiki to highlight cjs code blocks using the javascript syntax highlighter:

    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      markdown: {
        shikiConfig: {
          langAlias: {
            cjs: 'javascript',
          },
        },
      },
    });

    Then in your Markdown, you can use the alias as the language for a code block for syntax highlighting:

    ```cjs
    'use strict';
    
    function commonJs() {
      return 'I am a commonjs file';
    }
    ```
  • #​11984 3ac2263 Thanks @​chaegumi! - Adds a new build.concurreny configuration option to specify the number of pages to build in parallel

    In most cases, you should not change the default value of 1.

    Use this option only when other attempts to reduce the overall rendering time (e.g. batch or cache long running tasks like fetch calls or data access) are not possible or are insufficient.

    Use this option only if the refactors are not possible. If the number is set too high, the page rendering may slow down due to insufficient memory resources and because JS is single-threaded.

    [!WARNING]
    This feature is stable and is not considered experimental. However, this feature is only intended to address difficult performance issues, and breaking changes may occur in a minor release to keep this option as performant as possible.

    // astro.config.mjs
    import { defineConfig } from 'astro';
    
    export default defineConfig({
      build: {
        concurrency: 2,
      },
    });
Patch Changes
  • #​12160 c6fd1df Thanks @​louisescher! - Fixes a bug where astro.config.mts and astro.config.cts weren't reloading the dev server upon modifications.

  • #​12130 e96bcae Thanks @​thehansys! - Fixes a bug in the parsing of x-forwarded-\* Request headers, where multiple values assigned to those headers were not correctly parsed.

    Now, headers like x-forwarded-proto: https,http are correctly parsed.

  • #​12147 9db755a Thanks @​ascorbic! - Skips setting statusMessage header for HTTP/2 response

    HTTP/2 doesn't support status message, so setting this was logging a warning.

  • #​12151 bb6d37f Thanks @​ematipico! - Fixes an issue where Astro.currentLocale wasn't incorrectly computed when the defaultLocale belonged to a custom locale path.

  • Updated dependencies [710a1a1]:

v4.15.12

Compare Source

Patch Changes

v4.15.11

Compare Source

Patch Changes
  • #​12097 11d447f Thanks @​ascorbic! - Fixes error where references in content layer schemas sometimes incorrectly report as missing

  • #​12108 918953b Thanks @​lameuler! - Fixes a bug where data URL images were not correctly handled. The bug resulted in an ENAMETOOLONG error.

  • #​12105 42037f3 Thanks @​ascorbic! - Returns custom statusText that has been set in a Response

  • #​12109 ea22558 Thanks @​ematipico! - Fixes a regression that was introduced by an internal refactor of how the middleware is loaded by the Astro application. The regression was introduced by #​11550.

    When the edge middleware feature is opted in, Astro removes the middleware function from the SSR manifest, and this wasn't taken into account during the refactor.

  • #​12106 d3a74da Thanks @​ascorbic! - Handles case where an immutable Response object is returned from an endpoint

  • #​12090 d49a537 Thanks @​markjaquith! - Server islands: changes the server island HTML placeholder comment so that it is much less likely to get removed by HTML minifiers.

v4.15.10

Compare Source

Patch Changes

v4.15.9

Compare Source

Patch Changes
  • #​12034 5b3ddfa Thanks @​ematipico! - Fixes an issue where the middleware wasn't called when a project uses 404.astro.

  • #​12042 243ecb6 Thanks @​ematipico! - Fixes a problem in the Container API, where a polyfill wasn't correctly applied. This caused an issue in some environments where crypto isn't supported.

  • #​12038 26ea5e8 Thanks @​ascorbic! - Resolves image paths in content layer with initial slash as project-relative

    When using the image() schema helper, previously paths with an initial slash were treated as public URLs. This was to match the behavior of markdown images. However this is a change from before, where paths with an initial slash were treated as project-relative. This change restores the previous behavior, so that paths with an initial slash are treated as project-relative.

v4.15.8

Compare Source

Patch Changes

v4.15.7

Compare Source

Patch Changes

v4.15.6

Compare Source

Patch Changes

v4.15.5

Compare Source

Patch Changes
  • #​11939 7b09c62 Thanks @​bholmesdev! - Adds support for Zod discriminated unions on Action form inputs. This allows forms with different inputs to be submitted to the same action, using a given input to decide which object should be used for validation.

    This example accepts either a create or update form submission, and uses the type field to determine which object to validate against.

    import { defineAction } from 'astro:actions';
    import { z } from 'astro:schema';
    
    export const server = {
      changeUser: defineAction({
        accept: 'form',
        input: z.discriminatedUnion('type', [
          z.object({
            type: z.literal('create'),
            name: z.string(),
            email: z.string().email(),
          }),
          z.object({
            type: z.literal('update'),
            id: z.number(),
            name: z.string(),
            email: z.string().email(),
          }),
        ]),
        async handler(input) {
          if (input.type === 'create') {
            // input is { type: 'create', name: string, email: string }
          } else {
            // input is { type: 'update', id: number, name: string, email: string }
          }
        },
      }),
    };

    The corresponding create and update forms may look like this:

v4.15.4

Compare Source

Patch Changes
  • #​11879 bd1d4aa Thanks @​matthewp! - Allow passing a cryptography key via ASTRO_KEY

    For Server islands Astro creates a cryptography key in order to hash props for the islands, preventing accidental leakage of secrets.

    If you deploy to an environment with rolling updates then there could be multiple instances of your app with different keys, causing potential key mismatches.

    To fix this you can now pass the ASTRO_KEY environment variable to your build in order to reuse the same key.

    To generate a key use:

    astro create-key
    

    This will print out an environment variable to set like:

    ASTRO_KEY=PIAuyPNn2aKU/bviapEuc/nVzdzZPizKNo3OqF/5PmQ=
    
  • #​11935 c58193a Thanks @​Princesseuh! - Fixes astro add not using the proper export point when adding certain adapters

v4.15.3

Compare Source

Patch Changes

v4.15.2

Compare Source

Patch Changes

v4.15.1

Compare Source

Patch Changes

v4.15.0

Compare Source

Minor Changes
  • #​11729 1c54e63 Thanks @​ematipico! - Adds a new variant sync for the astro:config:setup hook's command property. This value is set when calling the command astro sync.

    If your integration previously relied on knowing how many variants existed for the command property, you must update your logic to account for this new option.

  • #​11743 cce0894 Thanks @​ph1p! - Adds a new, optional property timeout for the client:idle directive.

    This value allows you to specify a maximum time to wait, in milliseconds, before hydrating a UI framework component, even if the page is not yet done with its initial load. This means you can delay hydration for lower-priority UI elements with more control to ensure your element is interactive within a specified time frame.

    <ShowHideButton client:idle={{ timeout: 500 }} />
  • #​11677 cb356a5 Thanks @​ematipico! - Adds a new option fallbackType to i18n.routing configuration that allows you to control how fallback pages are handled.

    When i18n.fallback is configured, this new routing option controls whether to redirect to the fallback page, or to rewrite the fallback page's content in place.

    The "redirect" option is the default value and matches the current behavior of the existing fallback system.

    The option "rewrite" uses the new rewriting system to create fallback pages that render content on the original, requested URL without a browser refresh.

    For example, the following configuration will generate a page /fr/index.html that will contain the same HTML rendered by the page /en/index.html when src/pages/fr/index.astro does not exist.

    // astro.config.mjs
    export default defineConfig({
      i18n: {
        locals: ['en', 'fr'],
        defaultLocale: 'en',
        routing: {
          prefixDefaultLocale: true,
          fallbackType: 'rewrite',
        },
        fallback: {
          fr: 'en',
        },
      },
    });
  • #​11708 62b0d20 Thanks @​martrapp! - Adds a new object swapFunctions to expose the necessary utility functions on astro:transitions/client that allow you to build custom swap functions to be used with view transitions.

    The example below uses these functions to replace Astro's built-in default swap function with one that only swaps the <main> part of the page:

    <script>
      import { swapFunctions } from 'astro:transitions/client';
    
      document.addEventListener('astro:before-swap', (e) => { e.swap = () => swapMainOnly(e.newDocument) });
    
      function swapMainOnly(doc: Document) {
        swapFunctions.deselectScripts(doc);
        swapFunctions.swapRootAttributes(doc);
        swapFunctions.swapHeadElements(doc);
        const restoreFocusFunction = swapFunctions.saveFocus();
        const newMain = doc.querySelector('main');
        const oldMain = document.querySelector('main');
        if (newMain && oldMain) {
          swapFunctions.swapBodyElement(newMain, oldMain);
        } else {
          swapFunctions.swapBodyElement(doc.body, document.body);
        }
        restoreFocusFunction();
      };
    </script>

    See the view transitions guide for more information about hooking into the astro:before-swap lifecycle event and adding a custom swap implementation.

  • #​11843 5b4070e Thanks @​bholmesdev! - Exposes z from the new astro:schema module. This is the new recommended import source for all Zod utilities when using Astro Actions.

v4.14.6

Compare Source

Patch Changes

v4.14.5

Compare Source

Patch Changes

v4.14.4

Compare Source

Patch Changes
  • #​11794 3691a62 Thanks @​bholmesdev! - Fixes unexpected warning log when using Actions on "hybrid" rendered projects.

  • #​11801 9f943c1 Thanks @​delucis! - Fixes a bug where the filePath property was not available on content collection entries when using the content layer file() loader with a JSON file that contained an object instead of an array. This was breaking use of the image() schema utility among other things.

v4.14.3

Compare Source

Patch Changes

v4.14.2

Compare Source

Patch Changes

v4.14.1

Compare Source

Patch Changes
  • #​11725 6c1560f Thanks @​ascorbic! - Prevents content layer importing node builtins in runtime

  • #​11692 35af73a Thanks @​matthewp! - Prevent errant HTML from crashing server islands

    When an HTML minifier strips away the server island comment, the script can't correctly know where the end of the fallback content is. This makes it so that it simply doesn't remove any DOM in that scenario. This means the fallback isn't removed, but it also doesn't crash the browser.

  • #​11727 3c2f93b Thanks @​florian-lefebvre! - Fixes a type issue when using the Content Layer in dev

v4.14.0

Compare Source

Minor Changes
  • #​11657 a23c69d Thanks @​bluwy! - Deprecates the option for route-generating files to export a dynamic value for prerender. Only static values are now supported (e.g. export const prerender = true or = false). This allows for better treeshaking and bundling configuration in the future.

    Adds a new "astro:route:setup" hook to the Integrations API to allow you to dynamically set options for a route at build or request time through an integration, such as enabling on-demand server rendering.

    To migrate from a dynamic export to the new hook, update or remove any dynamic prerender exports from individual routing files:

    // src/pages/blog/[slug].astro
    - export const prerender = import.meta.env.PRERENDER

    Instead, create an integration with the "astro:route:setup" hook and update the route's prerender option:

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    import { loadEnv } from 'vite';
    
    export default defineConfig({
      integrations: [setPrerender()],
    });
    
    function setPrerender() {
      const { PRERENDER } = loadEnv(process.env.NODE_ENV, process.cwd(), '');
    
      return {
        name: 'set-prerender',
        hooks: {
          'astro:route:setup': ({ route }) => {
            if (route.component.endsWith('/blog/[slug].astro')) {
              route.prerender = PRERENDER;
            }
          },
        },
      };
    }
  • #​11360 a79a8b0 Thanks @​ascorbic! - Adds a new injectTypes() utility to the Integration API and refactors how type generation works

    Use injectTypes() in the astro:config:done hook to inject types into your user's project by adding a new a *.d.ts file.

    The filename property will be used to generate a file at /.astro/integrations/<normalized_integration_name>/<normalized_filename>.d.ts and must end with ".d.ts".

    The content property will create the body of the file, and must be valid TypeScript.

    Additionally, injectTypes() returns a URL to the normalized path so you can overwrite its content later on, or manipulate it in any way you want.

    // my-integration/index.js
    export default {
      name: 'my-integration',
      'astro:config:done': ({ injectTypes }) => {
        injectTypes({
          filename: 'types.d.ts',
          content: "declare module 'virtual:my-integration' {}",
        });
      },
    };

    Codegen has been refactored. Although src/env.d.ts will continue to work as is, we recommend you update it:

    - /// <reference types="astro/client" />
    + /// <reference path="../.astro/types.d.ts" />
    - /// <reference path="../.astro/env.d.ts" />
    - /// <reference path="../.astro/actions.d.ts" />
  • #​11605 d3d99fb Thanks @​jcayzac! - Adds a new property meta to Astro's built-in <Code /> component.

    This allows you to provide a value for Shiki's meta attribute to pass options to transformers.

    The following example passes an option to highlight lines 1 and 3 to Shiki's tranformerMetaHighlight:

v4.13.4

Compare Source

Patch Changes

v4.13.3

Compare Source

Patch Changes
  • #​11653 32be549 Thanks @​florian-lefebvre! - Updates astro:env docs to reflect current developments and usage guidance

  • #​11658 13b912a Thanks @​bholmesdev! - Fixes orThrow() type when calling an Action without an input validator.

  • #​11603 f31d466 Thanks @​bholmesdev! - Improves user experience when render an Action result from a form POST request:

    • Removes "Confirm post resubmission?" dialog when refreshing a result.
    • Removes the ?_astroAction=NAME flag when a result is rendered.

    Also improves the DX of directing to a new route on success. Actions will now redirect to the route specified in your action string on success, and redirect back to the previous page on error. This follows the routing convention of established backend frameworks like Laravel.

    For example, say you want to redirect to a /success route when actions.signup succeeds. You can add /success to your action string like so:

    <form method="POST" action={'/success' + actions.signup}></form>
    • On success, Astro will redirect to /success.
    • On error, Astro will redirect back to the current page.

    You can retrieve the action result from either page using the Astro.getActionResult() function.

Note on security

This uses a temporary cookie to forward the action result to the next page. The cookie will be deleted when that page is rendered.

The action result is not encrypted. In general, we recommend returning minimal data from an action handler to a) avoid leaking sensitive information, and b) avoid unexpected render issues once the temporary cookie is deleted. For example, a login function may return a user's session id to retrieve from your Astro frontmatter, rather than the entire user object.

v4.13.2

Compare Source

Patch Changes

v4.13.1

Compare Source

Patch Changes
  • #​11584 a65ffe3 Thanks @​bholmesdev! - Removes async local storage dependency from Astro Actions. This allows Actions to run in Cloudflare and Stackblitz without opt-in flags or other configuration.

    This also introduces a new convention for calling actions from server code. Instead of calling actions directly, you must wrap function calls with the new Astro.callAction() utility.

    callAction() is meant to trigger an action from server code. getActionResult() usage with form submissions remains unchanged.

v4.13.0

Compare Source

Minor Changes
  • #​11507 a62345f Thanks @​ematipico! - Adds color-coding to the console output during the build to highlight slow pages.

    Pages that take more than 500 milliseconds to render will have their build time logged in red. This change can help you discover pages of your site that are not performant and may need attention.

  • #​11379 e5e2d3e Thanks [@​alexanderniebuhr](https://redirect.githu


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link
Contributor Author

renovate bot commented Oct 14, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @astrojs/[email protected]
npm WARN Found: [email protected]
npm WARN node_modules/astro
npm WARN   dev astro@"^4.0.0" from the root project
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer astro@"^3.0.0" from @astrojs/[email protected]
npm WARN node_modules/@astrojs/markdown-remark
npm WARN 
npm WARN Conflicting peer dependency: [email protected]
npm WARN node_modules/astro
npm WARN   peer astro@"^3.0.0" from @astrojs/[email protected]
npm WARN   node_modules/@astrojs/markdown-remark
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/stylelint
npm ERR!   dev stylelint@"^15.10.2" from the root project
npm ERR!   peer stylelint@">=14.0.0" from [email protected]
npm ERR!   node_modules/stylelint-config-html
npm ERR!     dev stylelint-config-html@"^1.1.0" from the root project
npm ERR!   7 more (stylelint-config-recommended, ...)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer stylelint@">= 11.x < 15" from [email protected]
npm ERR! node_modules/stylelint-config-prettier
npm ERR!   dev stylelint-config-prettier@"^9.0.5" from the root project
npm ERR!   stylelint-config-prettier@"^9.0.3" from @tinkoff/[email protected]
npm ERR!   node_modules/@tinkoff/stylelint-config
npm ERR!     @tinkoff/stylelint-config@"^1.52.1" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: [email protected]
npm ERR! node_modules/stylelint
npm ERR!   peer stylelint@">= 11.x < 15" from [email protected]
npm ERR!   node_modules/stylelint-config-prettier
npm ERR!     dev stylelint-config-prettier@"^9.0.5" from the root project
npm ERR!     stylelint-config-prettier@"^9.0.3" from @tinkoff/[email protected]
npm ERR!     node_modules/@tinkoff/stylelint-config
npm ERR!       @tinkoff/stylelint-config@"^1.52.1" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-10-14T20_54_11_704Z-debug-0.log

Copy link

stackblitz bot commented Oct 14, 2024

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/[email protected] Transitive: environment, eval, filesystem, network, shell +331 67.5 MB fredkschott

🚮 Removed packages: npm/[email protected]

View full report↗︎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants