Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency @hono/node-server to v1.4.1 [security] - autoclosed #9236

Closed
wants to merge 1 commit into from
Closed

fix(deps): update dependency @hono/node-server to v1.4.1 [security] - autoclosed #9236

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 25, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@hono/node-server 1.3.3 -> 1.4.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-23340

Impact

Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected.

In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path.

const req = new Request('http://localhost/static/../foo.txt') // Web-standards
console.log(req.url) // http://localhost/foo.txt

However, the url in our Request does not resolve double dots, so http://localhost/static/.. /foo.txt is returned.

const req = new Request('http://localhost/static/../foo.txt')
console.log(req.url) // http://localhost/static/../foo.txt

It will pass unresolved paths to the web application. This causes vulnerabilities like #​123 when using serveStatic.

Note: Modern web browsers and a latest curl command resolve double dots on the client side, so it does not affect you if the user uses them. However, problems may occur if accessed by a client that does not resolve them.

Patches

"v1.4.1" includes the change to fix this issue.

Workarounds

Don't use serveStatic.

Release Notes

honojs/node-server (@​hono/node-server)

v1.4.1

Compare Source

What's Changed

Full Changelog: honojs/node-server@v1.4.0...v1.4.1

v1.4.0

Compare Source

What's Changed

Full Changelog: honojs/node-server@v1.3.5...v1.4.0

v1.3.5

Compare Source

What's Changed

Full Changelog: honojs/node-server@v1.3.4...v1.3.5

v1.3.4

Compare Source

What's Changed

Full Changelog: honojs/node-server@v1.3.3...v1.3.4

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the 🏷️ security This PR addresses a disclosed security vulnerability with an assigned SVE label Feb 25, 2024
@renovate renovate bot force-pushed the renovate/npm-@hono/node-server-vulnerability branch 5 times, most recently from f147d48 to 383d285 Compare March 2, 2024 03:08
@renovate renovate bot force-pushed the renovate/npm-@hono/node-server-vulnerability branch 8 times, most recently from 7290a01 to d098734 Compare March 12, 2024 05:32
@renovate renovate bot force-pushed the renovate/npm-@hono/node-server-vulnerability branch 2 times, most recently from 194a8e5 to 0309c21 Compare March 15, 2024 20:22
@renovate renovate bot force-pushed the renovate/npm-@hono/node-server-vulnerability branch from 0309c21 to 856d8d2 Compare March 19, 2024 20:19
@renovate renovate bot changed the title fix(deps): update dependency @hono/node-server to v1.4.1 [security] fix(deps): update dependency @hono/node-server to v1.4.1 [security] - autoclosed Mar 22, 2024
@renovate renovate bot closed this Mar 22, 2024
@renovate renovate bot deleted the renovate/npm-@hono/node-server-vulnerability branch March 22, 2024 08:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@runspired runspired

Labels
🏷️ security This PR addresses a disclosed security vulnerability with an assigned SVE
Projects
EmberData
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@runspired