From d596540b0ce45f01f6d8ed4e234156e00ffe2843 Mon Sep 17 00:00:00 2001 From: Miguel Palau Zarza Date: Sat, 12 Oct 2024 20:57:14 -0600 Subject: [PATCH 1/8] update cookie --- packages/remix-server-runtime/cookies.ts | 22 ++++++++++++---------- packages/remix-server-runtime/package.json | 2 +- packages/remix-server-runtime/responses.ts | 2 +- packages/remix-server-runtime/sessions.ts | 8 ++++---- 4 files changed, 18 insertions(+), 16 deletions(-) diff --git a/packages/remix-server-runtime/cookies.ts b/packages/remix-server-runtime/cookies.ts index 80884fa8fc2..c94186ba5df 100644 --- a/packages/remix-server-runtime/cookies.ts +++ b/packages/remix-server-runtime/cookies.ts @@ -1,10 +1,13 @@ -import type { CookieParseOptions, CookieSerializeOptions } from "cookie"; +import type { ParseOptions, SerializeOptions } from "cookie"; import { parse, serialize } from "cookie"; import type { SignFunction, UnsignFunction } from "./crypto"; import { warnOnce } from "./warnings"; -export type { CookieParseOptions, CookieSerializeOptions }; +export type { + ParseOptions as CookieParseOptions, + SerializeOptions as CookieSerializeOptions, +}; export interface CookieSignatureOptions { /** @@ -18,8 +21,8 @@ export interface CookieSignatureOptions { secrets?: string[]; } -export type CookieOptions = CookieParseOptions & - CookieSerializeOptions & +export type CookieOptions = ParseOptions & + SerializeOptions & CookieSignatureOptions; /** 
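Review bot: In the first `cookies.ts` hunk, aliasing `ParseOptions`/`SerializeOptions` back to `CookieParseOptions`/`CookieSerializeOptions` keeps the exported names but makes the public `CookieOptions` type follow whatever cookie v1 declares. Any difference from the `@types/cookie` 0.6 definitions (not visible in this patch) would therefore reach consumers. The changeset later in the series marks the release as `patch`, and the lockfile hunk shows `cookie@1.0.1` with `engines: {node: '>=18'}` where 0.6.0 had `>= 0.6`, so the release note should state the new Node floor if this package supports anything lower. A short comment above the re-export, such as `// Re-exported under the pre-v1 names to keep the public API stable`, would explain why one type has two names.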
@@ -55,16 +58,13 @@ export interface Cookie { * Parses a raw `Cookie` header and returns the value of this cookie or * `null` if it's not present. */ - parse( - cookieHeader: string | null, - options?: CookieParseOptions - ): Promise; + parse(cookieHeader: string | null, options?: ParseOptions): Promise; /** * Serializes the given value to a string and returns the `Set-Cookie` * header. */ - serialize(value: any, options?: CookieSerializeOptions): Promise; + serialize(value: any, options?: SerializeOptions): Promise; } export type CreateCookieFunction = ( @@ -113,7 +113,9 @@ export const createCookieFactory = return name in cookies ? cookies[name] === "" ? "" - : await decodeCookieValue(unsign, cookies[name], secrets) + : cookies[name] !== undefined + ? await decodeCookieValue(unsign, cookies[name]!, secrets) + : null : null; }, async serialize(value, serializeOptions) { diff --git a/packages/remix-server-runtime/package.json b/packages/remix-server-runtime/package.json index 770f7dfd6e4..81a4bdefc65 100644 --- a/packages/remix-server-runtime/package.json +++ b/packages/remix-server-runtime/package.json @@ -22,7 +22,7 @@ "@remix-run/router": "1.21.0-pre.0", "@types/cookie": "^0.6.0", "@web3-storage/multipart-parser": "^1.0.0", - "cookie": "^0.6.0", + "cookie": "^1.0.1", "set-cookie-parser": "^2.4.8", "source-map": "^0.7.3", "turbo-stream": "2.4.0" diff --git a/packages/remix-server-runtime/responses.ts b/packages/remix-server-runtime/responses.ts index 424b4296aaa..62b8cdd04d0 100644 --- a/packages/remix-server-runtime/responses.ts +++ b/packages/remix-server-runtime/responses.ts @@ -179,7 +179,7 @@ export function createDeferredReadableStream( ); } - let unsubscribe = deferredData.subscribe((aborted, settledKey) => { + let unsubscribe = deferredData.subscribe((_, settledKey) => { if (settledKey) { enqueueTrackedPromise( controller, 
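Review bot: In the `parse` hunk of `cookies.ts` (`@@ -113,7 +113,9 @@`), the new branch reads `cookies[name]` three times and silences the compiler with `cookies[name]!` instead of narrowing a value. Reading it once removes both the assertion and one level of nesting: `let value = cookies[name];` followed by `return value === undefined ? null : value === "" ? "" : await decodeCookieValue(unsign, value, secrets);`. With that form the outer `name in cookies` test is redundant, since a missing key also reads as `undefined`. The same expression is reworked in patch 5/8, where the `!` goes away but the repeated lookups stay. The enclosing `parse` method starts and ends outside the hunk.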
diff --git a/packages/remix-server-runtime/sessions.ts b/packages/remix-server-runtime/sessions.ts index c00eedb2321..a1c54251125 100644 --- a/packages/remix-server-runtime/sessions.ts +++ b/packages/remix-server-runtime/sessions.ts @@ -1,4 +1,4 @@ -import type { CookieParseOptions, CookieSerializeOptions } from "cookie"; +import type { ParseOptions, SerializeOptions } from "cookie"; import type { Cookie, CookieOptions, CreateCookieFunction } from "./cookies"; import { isCookie } from "./cookies"; @@ -176,7 +176,7 @@ export interface SessionStorage { */ getSession: ( cookieHeader?: string | null, - options?: CookieParseOptions + options?: ParseOptions ) => Promise>; /** @@ -185,7 +185,7 @@ export interface SessionStorage { */ commitSession: ( session: Session, - options?: CookieSerializeOptions + options?: SerializeOptions ) => Promise; /** @@ -194,7 +194,7 @@ export interface SessionStorage { */ destroySession: ( session: Session, - options?: CookieSerializeOptions + options?: SerializeOptions ) => Promise; } From 24142180347487ba77631e12fa5f93ebb9413cd8 Mon Sep 17 00:00:00 2001 From: Miguel Palau Date: Sat, 12 Oct 2024 21:00:46 -0600 Subject: [PATCH 2/8] Update contributors.yml --- contributors.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/contributors.yml b/contributors.yml index 57082791773..ed9e7c9d53d 100644 --- a/contributors.yml +++ b/contributors.yml @@ -602,6 +602,7 @@ - shairez - shamsup - shashankboosi +- shelldandy - shininglovestar - shubhaguha - shumuu From 0c0a30d6f290463a7e6dce00386fcb57450e86e2 Mon Sep 17 00:00:00 2001 From: Miguel Palau Date: Sat, 12 Oct 2024 21:03:56 -0600 Subject: [PATCH 3/8] Create lovely-dingos-exist.md --- .changeset/lovely-dingos-exist.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/lovely-dingos-exist.md diff --git a/.changeset/lovely-dingos-exist.md b/.changeset/lovely-dingos-exist.md new file mode 100644 index 00000000000..695219c3c0b --- /dev/null 
+++ b/.changeset/lovely-dingos-exist.md @@ -0,0 +1,5 @@ +--- +"@remix-run/server-runtime": patch +--- + +[chore] update cookie to address CVE-2024-47764 From 74596d7fe8555bd321d53e3e61bba8cc4fc0b30a Mon Sep 17 00:00:00 2001 From: Miguel Palau Date: Mon, 14 Oct 2024 08:01:34 -0600 Subject: [PATCH 4/8] Update .changeset/lovely-dingos-exist.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Michaël De Boey --- .changeset/lovely-dingos-exist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.changeset/lovely-dingos-exist.md b/.changeset/lovely-dingos-exist.md index 695219c3c0b..98e77a15a2f 100644 --- a/.changeset/lovely-dingos-exist.md +++ b/.changeset/lovely-dingos-exist.md @@ -2,4 +2,4 @@ "@remix-run/server-runtime": patch --- -[chore] update cookie to address CVE-2024-47764 +update `cookie` to v1 From 9133d59efec203e2be15a90c10d6f26e0b74bf63 Mon Sep 17 00:00:00 2001 From: Miguel Palau Date: Mon, 14 Oct 2024 08:01:47 -0600 Subject: [PATCH 5/8] Update packages/remix-server-runtime/cookies.ts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Michaël De Boey --- packages/remix-server-runtime/cookies.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/remix-server-runtime/cookies.ts b/packages/remix-server-runtime/cookies.ts index c94186ba5df..d2241d10b37 100644 --- a/packages/remix-server-runtime/cookies.ts +++ b/packages/remix-server-runtime/cookies.ts @@ -113,9 +113,9 @@ export const createCookieFactory = return name in cookies ? cookies[name] === "" ? "" - : cookies[name] !== undefined - ? await decodeCookieValue(unsign, cookies[name]!, secrets) - : null + : cookies[name] === undefined + ? null + : decodeCookieValue(unsign, cookies[name], secrets) : null; }, async serialize(value, serializeOptions) { From a1c8bae84453e86cfacbb4099e184ad58703fe9a Mon Sep 17 00:00:00 2001 
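Review bot: The reworked ternary in `cookies.ts` (patch 5/8, `@@ -113,9 +113,9 @@`) drops the `await` in front of `decodeCookieValue(...)` without saying so. Inside an `async` method the returned promise still resolves to the same value, but a `try`/`catch` added around this `return` later would no longer see a rejection from the unsign/decode step. Writing `: await decodeCookieValue(unsign, cookies[name], secrets)` keeps the previous behaviour. Passing `cookies[name]` without `!` also relies on the compiler narrowing an element access by a non-literal key, which depends on the TypeScript version in use (not visible here). The enclosing `parse` method starts and ends outside the hunk.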
From: Miguel Palau Date: Mon, 14 Oct 2024 08:01:59 -0600 Subject: [PATCH 6/8] Update packages/remix-server-runtime/responses.ts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Michaël De Boey --- packages/remix-server-runtime/responses.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/remix-server-runtime/responses.ts b/packages/remix-server-runtime/responses.ts index 62b8cdd04d0..424b4296aaa 100644 --- a/packages/remix-server-runtime/responses.ts +++ b/packages/remix-server-runtime/responses.ts @@ -179,7 +179,7 @@ export function createDeferredReadableStream( ); } - let unsubscribe = deferredData.subscribe((_, settledKey) => { + let unsubscribe = deferredData.subscribe((aborted, settledKey) => { if (settledKey) { enqueueTrackedPromise( controller, From 38de27ddc518df0fc9bb439d2f09be3b56e8e4cb Mon Sep 17 00:00:00 2001 From: Miguel Palau Date: Mon, 14 Oct 2024 08:04:08 -0600 Subject: [PATCH 7/8] Update packages/remix-server-runtime/package.json MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Michaël De Boey --- packages/remix-server-runtime/package.json | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/remix-server-runtime/package.json b/packages/remix-server-runtime/package.json index 81a4bdefc65..3cf27e4bc0f 100644 --- a/packages/remix-server-runtime/package.json +++ b/packages/remix-server-runtime/package.json @@ -20,7 +20,6 @@ }, "dependencies": { "@remix-run/router": "1.21.0-pre.0", - "@types/cookie": "^0.6.0", "@web3-storage/multipart-parser": "^1.0.0", "cookie": "^1.0.1", "set-cookie-parser": "^2.4.8", From 984330af7e648cfb7cad72276f36a3e682fd2c40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20De=20Boey?= Date: Thu, 7 Nov 2024 19:57:51 +0100 Subject: [PATCH 8/8] chore: update `pnpm-lock.yaml` --- pnpm-lock.yaml | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) 
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index d98e0fb1035..f67c65584d1 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -1366,15 +1366,12 @@ importers: '@remix-run/router': specifier: 1.21.0-pre.0 version: 1.21.0-pre.0 - '@types/cookie': - specifier: ^0.6.0 - version: 0.6.0 '@web3-storage/multipart-parser': specifier: ^1.0.0 version: 1.0.0 cookie: - specifier: ^0.6.0 - version: 0.6.0 + specifier: ^1.0.1 + version: 1.0.1 set-cookie-parser: specifier: ^2.4.8 version: 2.6.0 @@ -4714,10 +4711,6 @@ packages: resolution: {integrity: sha512-XW/Aa8APYr6jSVVA1y/DEIZX0/GMKLEVekNG727R8cs56ahETkRAy/3DR7+fJyh7oUgGwNQaRfXCun0+KbWY7Q==} dev: true - /@types/cookie@0.6.0: - resolution: {integrity: sha512-4Kh9a6B2bQciAhf7FSuMRRkUWecJgJu9nPnx3yzpsfXX/c50REIqpHY4C82bXP90qrLtXtkDxTZosYO3UpOwlA==} - dev: false - /@types/cookiejar@2.1.5: resolution: {integrity: sha512-he+DHOWReW0nghN24E1WUqM0efK4kI9oTqDm6XmK8ZPe2djZ90BSNdGnIyCLzCPw7/pogPlGbzI2wHGGmi4O/Q==} dev: true @@ -6664,15 +6657,15 @@ packages: resolution: {integrity: sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw==} engines: {node: '>= 0.6'} - /cookie@0.6.0: - resolution: {integrity: sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==} - engines: {node: '>= 0.6'} - dev: false - /cookie@0.7.1: resolution: {integrity: sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==} engines: {node: '>= 0.6'} + /cookie@1.0.1: + resolution: {integrity: sha512-Xd8lFX4LM9QEEwxQpF9J9NTUh8pmdJO0cyRJhFiDoLTk2eH8FXlRv2IFGYVadZpqI3j8fhNrSdKCeYPxiAhLXw==} + engines: {node: '>=18'} + dev: false + /cookiejar@2.1.4: resolution: {integrity: sha512-LDx6oHrK+PhzLKJU9j5S7/Y3jM/mUHvD/DeI1WQmJn652iPC5Y4TBzC9l+5OMOXlyTTA+SmVUPm0HQUwpD5Jqw==} dev: true