chore: [security] bump rollup from 4.21.3 to 4.28.1 #350

Merged
martinr92 merged 1 commit from dependabot-npm_and_yarn-develop-rollup-4.28.1 into develop 2024-12-15 10:57:28 +00:00
martinr92 commented 2024-12-07 03:58:52 +00:00 (Migrated from gitlab.com)

Bumps rollup from 4.21.3 to 4.28.1. This update includes a security fix.

Vulnerabilities fixed

DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

It's worth noting that we've identified similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.

Details

Background

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. For more information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadget found in rollup

We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts use import.meta and the output format is set to cjs/umd/iife. In such cases, rollup replaces the meta property with the URL retrieved from document.currentScript.

https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

... (truncated)

Patched versions: 2.79.2; 3.29.5; 4.22.4
Affected versions: >= 4.0.0, < 4.22.4

Release notes

Sourced from rollup's releases.

v4.28.1

4.28.1

2024-12-06

Bug Fixes

  • Support running Rollup natively on LoongArch (#5749)
  • Add optional debugId to SourceMap types (#5751)

Pull Requests

  • #5749: feat: add support for LoongArch (@darkyzhou)
  • #5751: feat: Add debugId to SourceMap types (@timfish, @lukastaegert)
  • #5752: chore(deps): update dependency mocha to v11 (@renovate[bot])
  • #5753: chore(deps): update dependency vite to v6 (@renovate[bot])
  • #5754: fix(deps): update swc monorepo (major) (@renovate[bot])
  • #5755: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])
  • #5756: Test if saving the Cargo cache can speed up FreeBSD (@lukastaegert)

v4.28.0

4.28.0

2024-11-30

Features

  • Allow to specify how to handle import attributes when transpiling Rollup config files (#5743)

Pull Requests

  • #5743: fix: supports modify the import attributes key in the config file (@TrickyPi, @lukastaegert)
  • #5747: chore(deps): update codecov/codecov-action action to v5 (@renovate[bot])
  • #5748: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

v4.27.4

4.27.4

2024-11-23

Bug Fixes

  • Update bundled magic-string to support sourcemap debug ids (#5740)

Pull Requests

  • #5740: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

v4.27.3

4.27.3

... (truncated)

Changelog

Sourced from rollup's changelog.

4.28.1

2024-12-06

Bug Fixes

  • Support running Rollup natively on LoongArch (#5749)
  • Add optional debugId to SourceMap types (#5751)

Pull Requests

  • #5749: feat: add support for LoongArch (@darkyzhou)
  • #5751: feat: Add debugId to SourceMap types (@timfish, @lukastaegert)
  • #5752: chore(deps): update dependency mocha to v11 (@renovate[bot])
  • #5753: chore(deps): update dependency vite to v6 (@renovate[bot])
  • #5754: fix(deps): update swc monorepo (major) (@renovate[bot])
  • #5755: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])
  • #5756: Test if saving the Cargo cache can speed up FreeBSD (@lukastaegert)

4.28.0

2024-11-30

Features

  • Allow to specify how to handle import attributes when transpiling Rollup config files (#5743)

Pull Requests

  • #5743: fix: supports modify the import attributes key in the config file (@TrickyPi, @lukastaegert)
  • #5747: chore(deps): update codecov/codecov-action action to v5 (@renovate[bot])
  • #5748: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

4.27.4

2024-11-23

Bug Fixes

  • Update bundled magic-string to support sourcemap debug ids (#5740)

Pull Requests

  • #5740: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

4.27.3

2024-11-18

Bug Fixes

... (truncated)

Commits

  • e60fb1c 4.28.1
  • 224247b chore(deps): lock file maintenance minor/patch updates (#5755)
  • c3283cf Test if saving the Cargo cache can speed up FreeBSD (#5756)
  • 87a911c feat: Add debugId to SourceMap types (#5751)
  • 1b78f74 chore(deps): update dependency mocha to v11 (#5752)
  • 89e1c70 chore(deps): update dependency vite to v6 (#5753)
  • 4d6b077 feat: add support for LoongArch (#5749)
  • d3464e4 fix(deps): update swc monorepo (major) (#5754)
  • 0595e43 4.28.0
  • 5053019 fix: supports modify the import attributes key in the config file (#5743)
  • Additional commits viewable in compare view: https://github.com/rollup/rollup/compare/v4.21.3...v4.28.1

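The gadget the advisory above describes, as an added example that is not rollup's code: how a cjs/umd/iife bundle that derives import.meta.url from document.currentScript behaves once a named element shadows that property, the guarded form beside it, and a cheap CI check for unguarded reads in built output. The `document` objects are constructed stand-ins (Node has no DOM), and the shape of the guard and its fallback are assumptions modelled on the idea of the fix, not the patch itself.

```javascript
// Added example, not rollup's code: models the import.meta.url gadget from
// the advisory. Node has no DOM, so the `document` objects below are
// constructed stand-ins shaped like the browser objects involved.

// Resolution of the kind an affected cjs/umd/iife bundle performs: the value
// of document.currentScript.src is trusted without checking what kind of
// element currentScript actually is.
function resolveScriptUrlUnguarded(doc) {
  return doc.currentScript && doc.currentScript.src;
}

// Hardened form (an assumption modelled on the idea of the fix, not the
// patch itself): honour the value only when the element really is a
// <script>; otherwise fall back to a URL the page itself controls.
function resolveScriptUrlGuarded(doc, fallbackUrl) {
  const el = doc.currentScript;
  const isScript = Boolean(el) && typeof el.tagName === 'string' &&
    el.tagName.toUpperCase() === 'SCRIPT';
  return isScript && el.src ? el.src : fallbackUrl;
}

// Constructed stand-in for a page where the bundle's own <script> is running.
const documentClean = {
  currentScript: { tagName: 'SCRIPT', src: 'https://app.example/assets/bundle.js' },
};

// Constructed stand-in for the situation the advisory describes: the page
// carries user-supplied markup such as <img name="currentScript" src=...>.
// Document exposes named elements as properties and those shadow the
// built-in getter, so document.currentScript now yields the <img>.
const documentClobbered = {
  currentScript: { tagName: 'IMG', name: 'currentScript', src: 'https://untrusted.example/x' },
};

// Cheap build-time check for a repository still shipping older bundles:
// flag output that reads document.currentScript.src with no tagName check
// anywhere in the file. A heuristic for CI, not a proof of safety.
function usesUnguardedCurrentScript(bundleSource) {
  const readsSrc = /document\.currentScript\.src/.test(bundleSource);
  const checksTag = /currentScript\.tagName/.test(bundleSource);
  return readsSrc && !checksTag;
}

// Side by side on the clobbered page: the unguarded form hands back the
// untrusted URL, the guarded form stays on the page's own origin.
function demo() {
  return {
    unguarded: resolveScriptUrlUnguarded(documentClobbered),
    guarded: resolveScriptUrlGuarded(documentClobbered, 'https://app.example/'),
  };
}
```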
martinr92 commented 2024-12-07 03:58:53 +00:00 (Migrated from gitlab.com)

assigned to @martinr92

martinr92 commented 2024-12-07 03:58:57 +00:00 (Migrated from gitlab.com)

mentioned in merge request !319

martinr92 commented 2024-12-15 10:42:07 +00:00 (Migrated from gitlab.com)

added 2 commits

  • b072c025 - 1 commit from branch develop
  • fd0794d7 - chore: [security] bump rollup from 4.21.3 to 4.28.1

[Compare with previous version](/marty-media/server/-/merge_requests/326/diffs?diff_id=1212202259&start_sha=f54ebb78827d12b366efa87a3feefe78d9b0de42)
martinr92 commented 2024-12-15 10:53:10 +00:00 (Migrated from gitlab.com)

SonarQube Cloud Code Analysis

Quality Gate passed

  • 0 New issues
  • 0 Accepted issues
  • 0 Security Hotspots
  • 0.0% Coverage on New Code
  • 0.0% Duplication on New Code

See analysis details on SonarQube Cloud: https://sonarcloud.io/dashboard?id=marty-media_server&pullRequest=326
martinr92 (Migrated from gitlab.com) merged commit into develop 2024-12-15 10:57:28 +00:00
martinr92 commented 2024-12-15 13:33:24 +00:00 (Migrated from gitlab.com)

🎉 This MR is included in version 0.5.6-beta.1 🎉

The release is available on GitLab release: https://gitlab.com/marty-media/server/-/releases/v0.5.6-beta.1

Your semantic-release bot 📦 🚀
martinr92 commented 2024-12-22 12:32:44 +00:00 (Migrated from gitlab.com)

🎉 This MR is included in version 0.5.6 🎉

The release is available on GitLab release: https://gitlab.com/marty-media/server/-/releases/v0.5.6

Your semantic-release bot 📦 🚀