Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency eta to v2 [security] #554

Open
wants to merge 1 commit into
base: main-kampf
Choose a base branch
from
Open

fix(deps): update dependency eta to v2 [security] #554

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 16, 2023
edited

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
eta (source) 1.12.3 -> 2.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-23630

Impact

XSS attack - anyone using the Express API is impacted

Patches

The problem has been resolved. Users should upgrade to version 2.0.0.

Workarounds

Don't pass user supplied data directly to res.renderFile.

References

Are there any links users can visit to find out more?
See https://github.com/eta-dev/eta/releases/tag/v2.0.0

CVE-2022-25967

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data.

Release Notes

eta-dev/eta (eta)

v2.0.0: Version 2.0.0

Compare Source

TL;DR

This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the data parameter of renderFile() into config -- meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of varName, include, includeFile, and useWith, and thus insert arbitrary code into user template functions.

With this release, such behavior is removed. Configuration cannot be passed through the data parameter to eta.renderFile().

Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.

Practical Implications

  • Configuration must be passed to renderFile explicitly, rather than merged with the data parameter
  • Using Express.js app.set() to modify views and view cache will no longer change Eta's configuration of views and cache.
    • However, since Express still uses its own views and view cache options under the hood, users should configure both Eta and Express with desired values (example below)
  • Eta no longer recognizes the legacy Express.js settings["view options"] property

Example Code Changes

// Change THIS:
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2
// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2

// Change THIS:
var eta = require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)
// To THIS:
var eta = require("eta")
app.engine("eta", eta.renderFile)
eta.configure({  views: "./views", cache: true }) // configure eta
app.set("views", "./views") // configure Express
app.set("view cache", true) // configure Express
app.set("view engine", "eta")

Commits

v1.14.2: Version 1.14.2

Compare Source

TL;DR

  • Fixed "types" field in package.json

Commits

v1.14.1: Version 1.14.1

Compare Source

TL;DR

  • Fixed package.json exports and type fields

Commits

v1.14.0: Version 1.14.0

Compare Source

TL;DR

  • Refactored Eta's build process to make it more maintainable
  • Improved NodeNext support

Commits

v1.13.0: Version 1.13.0

Compare Source

TL;DR

  • Improved return types through TS function overloading
  • Fixed the "types" field in package.json

Commits

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Mar 16, 2023
@renovate renovate bot temporarily deployed to production March 16, 2023 07:43 Inactive
@sonarcloud
Copy link

sonarcloud bot commented Mar 16, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants