-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency rollup to v4 [security] #6623
base: next
Are you sure you want to change the base?
Conversation
Hey there and thank you for opening this pull request! 👋 We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted. Your PR title is: Details: Unknown scope "deps" found in pull request title "chore(deps): update dependency rollup to v4 [security]". Scope must match one of: root, api, dashboard, inbound-mail, web, webhook, widget, worker, ws, ee-auth, ee-billing, ee-dal, ee-shared-services, ee-translation, application-generic, automation, dal, design-system, embed, novui, testing, novu, client, framework, headless, js, nest, node, notification-center, providers, react, shared, stateless, nextjs. |
✅ Deploy Preview for novu-stg-vite-dashboard-poc ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
52d59d3
to
fa58dc3
Compare
fa58dc3
to
38ee3c0
Compare
38ee3c0
to
ef47150
Compare
ef47150
to
c338f56
Compare
c338f56
to
9755e87
Compare
9755e87
to
41354b1
Compare
41354b1
to
7e692b1
Compare
This PR contains the following updates:
^3.15.0
->^4.0.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2024-47068
Summary
We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use
import.meta.url
or with plugins that emit and reference asset files from code incjs
/umd
/iife
format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animg
tag with an unsanitizedname
attribute) are present.It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadget found in
rollup
We have identified a DOM Clobbering vulnerability in
rollup
bundled scripts, particularly when the scripts usesimport.meta
and set output in format ofcjs
/umd
/iife
. In such cases,rollup
replaces meta property with the URL retrieved fromdocument.currentScript
.https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
However, this implementation is vulnerable to a DOM Clobbering attack. The
document.currentScript
lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, thesrc
attribute of the attacker-controlled element (e.g., animg
tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.PoC
Considering a website that contains the following
main.js
script, the devloper decides to use therollup
to bundle up the program:rollup main.js --format cjs --file bundle.js
.The output
bundle.js
is shown in the following code snippet.Adding the
rollup
bundled script,bundle.js
, as part of the web page source code, the page could load theextra.js
file from the attacker's domain,attacker.controlled.server
due to the introduced gadget during bundling. The attacker only needs to insert animg
tag with the name attribute set tocurrentScript
. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of
cjs
,iife
, orumd
and useimport.meta
) and allow users to inject certain scriptless HTML tags without properly sanitizing thename
orid
attributes.Patch
Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.
Release Notes
rollup/rollup (rollup)
v4.22.4
Compare Source
2024-09-21
Bug Fixes
Pull Requests
v4.22.3
Compare Source
2024-09-21
Bug Fixes
Pull Requests
v4.22.2
Compare Source
2024-09-20
Bug Fixes
Pull Requests
v4.22.1
Compare Source
2024-09-20
Bug Fixes
Pull Requests
v4.22.0
Compare Source
2024-09-19
Features
Bug Fixes
Pull Requests
AggregateError
,FinalizationRegistry
,WeakRef
to knownGlobals (@re-taro)v4.21.3
Compare Source
2024-09-12
Bug Fixes
Pull Requests
v4.21.2
Compare Source
2024-08-30
Bug Fixes
Pull Requests
v4.21.1
Compare Source
2024-08-26
Bug Fixes
closeWatcher
hook is called when watch mode is aborted via Ctrl+C (#5618)import.meta.url
in compact mode (#5624)Pull Requests
v4.21.0
Compare Source
2024-08-18
Features
Pull Requests
noConflict
option in REPL. (@7086cmd)v4.20.0
Compare Source
2024-08-03
Features
Pull Requests
v4.19.2
Compare Source
2024-08-01
Bug Fixes
Pull Requests
v4.19.1
Compare Source
2024-07-27
Bug Fixes
Pull Requests
v4.19.0
Compare Source
2024-07-20
Features
Bug Fixes
Pull Requests
v4.18.1
Compare Source
2024-07-08
Bug Fixes
Pull Requests
%
if URI malformed (@baseballyama, @lukastaegert)v4.18.0
Compare Source
2024-05-22
Features
Pull Requests
v4.17.2
Compare Source
2024-04-30
Bug Fixes
Pull Requests
v4.17.1
Compare Source
2024-04-29
Bug Fixes
Pull Requests
v4.17.0
Compare Source
2024-04-27
Features
Bug Fixes
Pull Requests
v4.16.4
Compare Source
2024-04-23
Bug Fixes
Pull Requests
v4.16.3
Compare Source
2024-04-23
Bug Fixes
Pull Requests
v4.16.2
Compare Source
2024-04-22
Bug Fixes
Pull Requests
v4.16.1
Compare Source
2024-04-21
Bug Fixes
Pull Requests
v4.16.0
Compare Source
2024-04-21
Features
Pull Requests
v4.15.0
Compare Source
2024-04-20
Features
Pull Requests
v4.14.3
Compare Source
2024-04-15
Bug Fixes
Pull Requests
v4.14.2
Compare Source
2024-04-12
Bug Fixes
Pull Requests
v4.14.1
Compare Source
2024-04-07
Bug Fixes
Pull Requests
v4.14.0
Compare Source
2024-04-03
Features
Pull Requests
@shikiji/vitepress-twoslash
(@sapphi-red)v4.13.2
Compare Source
2024-03-28
Bug Fixes
Pull Requests
v4.13.1
Compare Source
2024-03-27
Bug Fixes
Pull Requests
v4.13.0
Compare Source
2024-03-12
Features
Pull Requests
v4.12.1
Compare Source
2024-03-06
Bug Fixes
Pull Requests
getRollupEror
togetRollupError
(@MrRefactoring)import.meta.ROLLUP_FILE_URL_referenceId
correctly (@sapphi-red)v4.12.0
Compare Source
2024-02-16
Features
Pull Requests
v4.11.0
Compare Source
2024-02-15
Features
output.reexportProtoFromExternal
option to disable special code for handling__proto__
reexports (#5380)Bug Fixes
const
variables (#5388)Pull Requests
__proto__
for compatibility with CJS Transpiler Re-exports (@TrickyPi)v4.10.0
Compare Source
2024-02-10
Features
output.hashCharacters
option (#5371)Bug Fixes
Pull Requests
v4.9.6
Compare Source
2024-01-21
Bug Fixes
Pull Requests
v4.9.5
Compare Source
2024-01-12
Bug Fixes
Pull Requests
v4.9.4
Compare Source
2024-01-06
Bug Fixes
Pull Requests
v4.9.3
Compare Source
2024-01-05
Bug Fixes
__proto__
as export/import name (#5313)Pull Requests
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.