marty-media/server
1
0
Fork 0
Code Issues 9 Pull requests 10 Projects Releases 75 Packages Wiki Activity Actions

chore: [security] bump rollup from 4.21.3 to 4.28.0 #343

Closed
martinr92 wants to merge 0 commits from dependabot-npm_and_yarn-develop-rollup-4.28.0 into develop
pull from: dependabot-npm_and_yarn-develop-rollup-4.28.0
merge into: marty-media:develop
Conversation 3 Commits - Files changed -
martinr92 commented 2024-12-02 18:15:33 +00:00 (Migrated from gitlab.com)
Copy link

Bumps rollup from 4.21.3 to 4.28.0. This update includes a security fix.

Vulnerabilities fixed

DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadget found in rollup

We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts uses import.meta and set output in format of cjs/umd/iife. In such cases, rollup replaces meta property with the URL retrieved from document.currentScript.

https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

... (truncated)

Patched versions: 2.79.2; 3.29.5; 4.22.4 Affected versions: = 4.0.0, < 4.22.4

Release notes

Sourced from rollup's releases.

v4.28.0

4.28.0

2024-11-30

Features

  • Allow to specify how to handle import attributes when transpiling Rollup config files (#5743)

Pull Requests

v4.27.4

4.27.4

2024-11-23

Bug Fixes

  • Update bundled magic-string to support sourcemap debug ids (#5740)

Pull Requests

v4.27.3

4.27.3

2024-11-18

Bug Fixes

  • Revert object property tree-shaking for now (#5736)

Pull Requests

v4.27.2

4.27.2

2024-11-15

Bug Fixes

  • Ensure unused variables in patterns are always deconflicted if rendered (#5728)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.28.0

2024-11-30

Features

  • Allow to specify how to handle import attributes when transpiling Rollup config files (#5743)

Pull Requests

4.27.4

2024-11-23

Bug Fixes

  • Update bundled magic-string to support sourcemap debug ids (#5740)

Pull Requests

4.27.3

2024-11-18

Bug Fixes

  • Revert object property tree-shaking for now (#5736)

Pull Requests

4.27.2

2024-11-15

Bug Fixes

  • Ensure unused variables in patterns are always deconflicted if rendered (#5728)

Pull Requests

... (truncated)

Commits

Bumps [rollup](https://github.com/rollup/rollup) from 4.21.3 to 4.28.0. **This update includes a security fix.** <details> <summary>Vulnerabilities fixed</summary> <blockquote> <p><strong>DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS</strong></p> <h3>Summary</h3> <p>We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use <code>import.meta.url</code> or with plugins that emit and reference asset files from code in <code>cjs</code>/<code>umd</code>/<code>iife</code> format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an <code>img</code> tag with an unsanitized <code>name</code> attribute) are present.</p> <p>It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (<a href="https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986">CVE-2024-43788</a>), which might serve as a good reference.</p> <h3>Details</h3> <h4>Backgrounds</h4> <p>DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:</p> <p>[1] <a href="https://scnps.co/papers/sp23_domclob.pdf">https://scnps.co/papers/sp23_domclob.pdf</a> [2] <a href="https://research.securitum.com/xss-in-amp4email-dom-clobbering/">https://research.securitum.com/xss-in-amp4email-dom-clobbering/</a></p> <h4>Gadget found in <code>rollup</code></h4> <p>We have identified a DOM Clobbering vulnerability in <code>rollup</code> bundled scripts, particularly when the scripts uses <code>import.meta</code> and set output in format of <code>cjs</code>/<code>umd</code>/<code>iife</code>. In such cases, <code>rollup</code> replaces meta property with the URL retrieved from <code>document.currentScript</code>.</p> <p><a href="https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162">https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> <blockquote> <p>Patched versions: 2.79.2; 3.29.5; 4.22.4 Affected versions: <!-- raw HTML omitted -->= 4.0.0, &lt; 4.22.4</p> </blockquote> </details> <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rollup/rollup/releases">rollup's releases</a>.</em></p> <blockquote> <h2>v4.28.0</h2> <h2>4.28.0</h2> <p><em>2024-11-30</em></p> <h3>Features</h3> <ul> <li>Allow to specify how to handle import attributes when transpiling Rollup config files (<a href="https://github.com/rollup/rollup/issues/5743">#5743</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://github.com/rollup/rollup/pull/5743">#5743</a>: fix: supports modify the import attributes key in the config file (<a href="https://github.com/TrickyPi"><code>@​TrickyPi</code></a>, <a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> <li><a href="https://github.com/rollup/rollup/pull/5747">#5747</a>: chore(deps): update codecov/codecov-action action to v5 (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot])</li> <li><a href="https://github.com/rollup/rollup/pull/5748">#5748</a>: chore(deps): lock file maintenance minor/patch updates (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot])</li> </ul> <h2>v4.27.4</h2> <h2>4.27.4</h2> <p><em>2024-11-23</em></p> <h3>Bug Fixes</h3> <ul> <li>Update bundled magic-string to support sourcemap debug ids (<a href="https://github.com/rollup/rollup/issues/5740">#5740</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://github.com/rollup/rollup/pull/5740">#5740</a>: chore(deps): lock file maintenance minor/patch updates (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot])</li> </ul> <h2>v4.27.3</h2> <h2>4.27.3</h2> <p><em>2024-11-18</em></p> <h3>Bug Fixes</h3> <ul> <li>Revert object property tree-shaking for now (<a href="https://github.com/rollup/rollup/issues/5736">#5736</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://github.com/rollup/rollup/pull/5736">#5736</a>: Revert object tree-shaking until some issues have been resolved (<a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> </ul> <h2>v4.27.2</h2> <h2>4.27.2</h2> <p><em>2024-11-15</em></p> <h3>Bug Fixes</h3> <ul> <li>Ensure unused variables in patterns are always deconflicted if rendered (<a href="https://github.com/rollup/rollup/issues/5728">#5728</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rollup/rollup/blob/master/CHANGELOG.md">rollup's changelog</a>.</em></p> <blockquote> <h2>4.28.0</h2> <p><em>2024-11-30</em></p> <h3>Features</h3> <ul> <li>Allow to specify how to handle import attributes when transpiling Rollup config files (<a href="https://github.com/rollup/rollup/issues/5743">#5743</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://github.com/rollup/rollup/pull/5743">#5743</a>: fix: supports modify the import attributes key in the config file (<a href="https://github.com/TrickyPi"><code>@​TrickyPi</code></a>, <a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> <li><a href="https://github.com/rollup/rollup/pull/5747">#5747</a>: chore(deps): update codecov/codecov-action action to v5 (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot])</li> <li><a href="https://github.com/rollup/rollup/pull/5748">#5748</a>: chore(deps): lock file maintenance minor/patch updates (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot])</li> </ul> <h2>4.27.4</h2> <p><em>2024-11-23</em></p> <h3>Bug Fixes</h3> <ul> <li>Update bundled magic-string to support sourcemap debug ids (<a href="https://github.com/rollup/rollup/issues/5740">#5740</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://github.com/rollup/rollup/pull/5740">#5740</a>: chore(deps): lock file maintenance minor/patch updates (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot])</li> </ul> <h2>4.27.3</h2> <p><em>2024-11-18</em></p> <h3>Bug Fixes</h3> <ul> <li>Revert object property tree-shaking for now (<a href="https://github.com/rollup/rollup/issues/5736">#5736</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://github.com/rollup/rollup/pull/5736">#5736</a>: Revert object tree-shaking until some issues have been resolved (<a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> </ul> <h2>4.27.2</h2> <p><em>2024-11-15</em></p> <h3>Bug Fixes</h3> <ul> <li>Ensure unused variables in patterns are always deconflicted if rendered (<a href="https://github.com/rollup/rollup/issues/5728">#5728</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://github.com/rollup/rollup/pull/5728">#5728</a>: Fix more variable deconflicting issues (<a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rollup/rollup/commit/0595e433edec3608bfc0331d8f02912374e7f7f7"><code>0595e43</code></a> 4.28.0</li> <li><a href="https://github.com/rollup/rollup/commit/50530197529860f449087eda7f44eb5d3b49f9e9"><code>5053019</code></a> fix: supports modify the import attributes key in the config file (<a href="https://github.com/rollup/rollup/issues/5743">#5743</a>)</li> <li><a href="https://github.com/rollup/rollup/commit/a0f1dcc009b97a24c17fc0450728d8826d69c05c"><code>a0f1dcc</code></a> chore(deps): lock file maintenance minor/patch updates (<a href="https://github.com/rollup/rollup/issues/5748">#5748</a>)</li> <li><a href="https://github.com/rollup/rollup/commit/a949c87a05977333c45f8abd94ef2c1540afe0d3"><code>a949c87</code></a> chore(deps): update codecov/codecov-action action to v5 (<a href="https://github.com/rollup/rollup/issues/5747">#5747</a>)</li> <li><a href="https://github.com/rollup/rollup/commit/e805b546405a4e6cfccd3fe73e9f4df770023824"><code>e805b54</code></a> 4.27.4</li> <li><a href="https://github.com/rollup/rollup/commit/dd623b56e340e51ebb09d5d1a3a9323f5f50fb3a"><code>dd623b5</code></a> chore(deps): lock file maintenance minor/patch updates (<a href="https://github.com/rollup/rollup/issues/5740">#5740</a>)</li> <li><a href="https://github.com/rollup/rollup/commit/7c0b1f8810013b5a351a976df30a6a5da4fa164b"><code>7c0b1f8</code></a> 4.27.3</li> <li><a href="https://github.com/rollup/rollup/commit/10bc15096ffe3c155fe5e81f1e474f208adbc667"><code>10bc150</code></a> Revert object tree-shaking (<a href="https://github.com/rollup/rollup/issues/5420">#5420</a>) until some issues have been resolved (<a href="https://github.com/rollup/rollup/issues/5736">#5736</a>)</li> <li><a href="https://github.com/rollup/rollup/commit/a503a4dd9982bf20fd38aeb171882a27828906ae"><code>a503a4d</code></a> 4.27.2</li> <li><a href="https://github.com/rollup/rollup/commit/6c6845551c5469fe9e49f2b2b8d6b0d821909c27"><code>6c68455</code></a> Fix more variable deconflicting issues (<a href="https://github.com/rollup/rollup/issues/5728">#5728</a>)</li> <li>Additional commits viewable in <a href="https://github.com/rollup/rollup/compare/v4.21.3...v4.28.0">compare view</a></li> </ul> </details> <br />
martinr92 commented 2024-12-02 18:15:34 +00:00 (Migrated from gitlab.com)
Copy link

assigned to @martinr92

assigned to @martinr92
martinr92 commented 2024-12-02 18:21:45 +00:00 (Migrated from gitlab.com)
Copy link

SonarQube Cloud Code Analysis

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

## SonarQube Cloud Code Analysis ## Quality Gate passed Issues ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed.svg '') [0 New issues](https://sonarcloud.io/project/issues?id=marty-media_server&pullRequest=319&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/accepted.svg '') [0 Accepted issues](https://sonarcloud.io/project/issues?id=marty-media_server&pullRequest=319&issueStatuses=ACCEPTED) Measures ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed.svg '') [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=marty-media_server&pullRequest=319&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed.svg '') [0.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=marty-media_server&pullRequest=319&metric=new_coverage&view=list) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed.svg '') [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=marty-media_server&pullRequest=319&metric=new_duplicated_lines_density&view=list) [See analysis details on SonarQube Cloud](https://sonarcloud.io/dashboard?id=marty-media_server&pullRequest=319)
martinr92 commented 2024-12-07 03:58:56 +00:00 (Migrated from gitlab.com)
Copy link

This merge request has been superseded by !326+

This merge request has been superseded by !326+
martinr92 (Migrated from gitlab.com) closed this pull request 2024-12-07 03:58:57 +00:00

Pull request closed

This pull request cannot be reopened because the branch was deleted.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug

   
confirmed

   
critical

   
dependencies
Pull requests that update a dependency file

  
discussion

   
docker

   
documentation

   
enhancement

   
go

   
javascript

   
security
Pull requests that address a security vulnerability

  
severity:high

   
severity:low

   
severity:moderate

   
suggestion

   
support
No labels
bug
confirmed
critical
dependencies
discussion
docker
documentation
enhancement
go
javascript
security
severity:high
severity:low
severity:moderate
suggestion
support
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
marty-media/server!343
No description provided.