Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency express to v4.19.2 [SECURITY] #3920

Merged
merged 1 commit into from
Jun 19, 2024
Merged

Update dependency express to v4.19.2 [SECURITY] #3920

merged 1 commit into from
Jun 19, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 25, 2024
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
express (source) 4.18.2 -> 4.19.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-29041

Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.

The main method impacted is res.location() but this is also called from within res.redirect().

Patches

expressjs/express@0867302
expressjs/express@0b74695

An initial fix went out with [email protected], we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.

Workarounds

The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.

References

https://github.com/expressjs/express/pull/5539
https://github.com/koajs/koa/issues/1800
https://expressjs.com/en/4x/api.html#res.location

Release Notes

expressjs/express (express)

v4.19.2

Compare Source

==========

  • Improved fix for open redirect allow list bypass

v4.19.1

Compare Source

==========

  • Allow passing non-strings to res.location with new encoding handling checks

v4.19.0

Compare Source

v4.18.3

Compare Source

==========

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@codecov Codecov
Copy link

codecov bot commented Mar 25, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 38.08%. Comparing base (6ba8645) to head (c9124ba).

Additional details and impacted files 
@@           Coverage Diff            @@
##           master    #3920    +/-   ##
========================================
  Coverage   38.08%   38.08%            
========================================
  Files         715      715            
  Lines       32806    32806            
  Branches     4668     4840   +172     
========================================
  Hits        12493    12493            
  Misses      19689    19689            
  Partials      624      624
Flag Coverage Δ
api-python 90.75% <ø> (ø)
catalog 11.50% <ø> (ø)
lambda 88.18% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 4 times, most recently from 3f6b327 to 842288c Compare April 4, 2024 12:40
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 8 times, most recently from a3f8c80 to 767c7b7 Compare April 12, 2024 10:23
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 3 times, most recently from f27746f to df3494b Compare April 17, 2024 07:55
@renovate renovate bot changed the title chore(deps): update dependency express to v4.19.2 [security] Update dependency express to v4.19.2 [SECURITY] Apr 17, 2024
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 12 times, most recently from a121f9c to 50d477a Compare April 23, 2024 06:36
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 5 times, most recently from 40647a0 to b1652a9 Compare May 27, 2024 11:13
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 3 times, most recently from ede1d32 to b2c0492 Compare June 5, 2024 07:30
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 5 times, most recently from afd0f8c to ca30f60 Compare June 13, 2024 11:57
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 10 times, most recently from 1c460a4 to 5e48f5b Compare June 19, 2024 12:18
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 5e48f5b to c9124ba Compare June 19, 2024 13:17
@nl0 nl0 added this pull request to the merge queue Jun 19, 2024
Merged via the queue into master with commit e10e0b4 Jun 19, 2024
37 of 38 checks passed
@nl0 nl0 deleted the renovate/npm-express-vulnerability branch June 19, 2024 13:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nl0 nl0 nl0 approved these changes

Assignees
No one assigned
Labels
js dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@nl0