-
Notifications
You must be signed in to change notification settings - Fork 800
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependency rollup to v3 [SECURITY] - autoclosed #39500
Closed
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
matticbot
added
[Status] Needs Review
To request a review from fellow Jetpack developers. Label will be renamed soon.
[Type] Janitorial
labels
Sep 24, 2024
|
Are you an Automattician? The PR will need to be tested on WordPress.com. This comment will be updated with testing instructions as soon the build is complete. |
matticbot
changed the title
Update dependency rollup to v3 [SECURITY]
Update dependency rollup to v3 [SECURITY] - autoclosed
Sep 25, 2024
github-actions
bot
removed
the
[Status] Needs Review
To request a review from fellow Jetpack developers. Label will be renamed soon.
label
Sep 25, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.79.1
->3.29.5
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
CVE-2024-47068 / GHSA-gcx4-mw62-g8wm
More information
Details
Summary
A DOM Clobbering vulnerability was discovered in rollup when bundling scripts that use
import.meta.url
or with plugins that emit and reference asset files from code incjs
/umd
/iife
format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animg
tag with an unsanitizedname
attribute) are present.It's worth noting that similar issues in other popular bundlers like Webpack (CVE-2024-43788) have been reported, which might serve as a good reference.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadget found in
rollup
A DOM Clobbering vulnerability in
rollup
bundled scripts was identified, particularly when the scripts usesimport.meta
and set output in format ofcjs
/umd
/iife
. In such cases,rollup
replaces meta property with the URL retrieved fromdocument.currentScript
.https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
However, this implementation is vulnerable to a DOM Clobbering attack. The
document.currentScript
lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, thesrc
attribute of the attacker-controlled element (e.g., animg
tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.PoC
Considering a website that contains the following
main.js
script, the devloper decides to use therollup
to bundle up the program:rollup main.js --format cjs --file bundle.js
.The output
bundle.js
is shown in the following code snippet.Adding the
rollup
bundled script,bundle.js
, as part of the web page source code, the page could load theextra.js
file from the attacker's domain,attacker.controlled.server
due to the introduced gadget during bundling. The attacker only needs to insert animg
tag with the name attribute set tocurrentScript
. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of
cjs
,iife
, orumd
and useimport.meta
) and allow users to inject certain scriptless HTML tags without properly sanitizing thename
orid
attributes.Patch
Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
rollup/rollup (rollup)
v3.29.5
Compare Source
v3.29.4
Compare Source
2023-09-28
Bug Fixes
Pull Requests
v3.29.3
Compare Source
2023-09-24
Bug Fixes
Pull Requests
v3.29.2
Compare Source
2023-09-15
Bug Fixes
TreeshakingPreset
type (#5131)Pull Requests
TreeshakingPreset
(@moltar)v3.29.1
Compare Source
2023-09-10
Bug Fixes
Pull Requests
v3.29.0
Compare Source
2023-09-06
Features
api
to Plugin type (#5112)Bug Fixes
Pull Requests
v3.28.1
Compare Source
2023-08-22
Bug Fixes
Pull Requests
v3.28.0
Compare Source
2023-08-09
Features
preliminaryFileName
to generated chunks containing the file name placeholder (#5086)Bug Fixes
code
property of rendered modules in the output readonly (#5091)Pull Requests
preliminaryFileName
toOutputChunk
(@lsdsjy)v3.27.2
Compare Source
2023-08-04
Bug Fixes
Pull Requests
v3.27.1
Compare Source
2023-08-03
Bug Fixes
Pull Requests
v3.27.0
Compare Source
2023-07-28
Features
Object.values
andObject.entries
as pure if their argument does not contain getters (#5072)Pull Requests
v3.26.3
Compare Source
2023-07-17
Bug Fixes
manualChunks
to avoid breaking existing configs (#5068)Pull Requests
v3.26.2
Compare Source
2023-07-06
Bug Fixes
Pull Requests
v3.26.1
Compare Source
2023-07-05
Bug Fixes
hasOwnProperty
as exported name in CommonJS (#5010)Pull Requests
v3.26.0
Compare Source
2023-06-30
Features
--filterLogs
CLI flag andROLLUP_FILTER_LOGS
environment variable for log filtering (#5035)Pull Requests
v3.25.3
Compare Source
2023-06-26
Bug Fixes
Pull Requests
v3.25.2
Compare Source
2023-06-24
Bug Fixes
code
is not a string (#5042)Pull Requests
this.error
withpos
intransform
hook (@sapphi-red)v3.25.1
Compare Source
2023-06-12
Bug Fixes
__NO_SIDE_EFFECTS__
for async functions (#5031)Pull Requests
__NO_SIDE_EFFECTS__
annotation for async function (@antfu)v3.25.0
Compare Source
2023-06-11
Features
this.info
andthis.debug
plugin context logging functions (#5026)onLog
option to read, map and filter logs (#5026)logLevel
option to fully suppress logs by level (#5026)this.warn
,this.info
andthis.debug
to avoid heavy computations based on log level ( #5026)onLog
plugin hook to read, filter and map logs from plugins (#5026)Pull Requests
v3.24.1
Compare Source
2023-06-10
Bug Fixes
@rollup/plugin-commonjs
were missing internal dependencies when code-splitting ( #5029)process.exit(0)
in watch mode to avoid issues in embedded scenarios (#5027)Pull Requests
v3.24.0
Compare Source
2023-06-07
Features
/* #__NO_SIDE_EFFECTS__ */
to mark function declarations as side effect free (#5024)Pull Requests
#__NO_SIDE_EFFECTS__
annotation for function declaration (@antfu)v3.23.1
Compare Source
2023-06-04
Bug Fixes
Pull Requests
v3.23.0
Compare Source
2023-05-22
Features
Bug Fixes
Pull Requests
v3.22.1
Compare Source
2023-05-21
Bug Fixes
Pull Requests
v3.22.0
Compare Source
2023-05-17
Features
experimentalMinChunkSize
to take tree-shaking into account ( #4989)Bug Fixes
experimentalMinChunkSize
(#4989)Pull Requests
v3.21.8
Compare Source
2023-05-16
Bug Fixes
Pull Requests
v3.21.7
Compare Source
2023-05-13
Bug Fixes
Pull Requests
v3.21.6
Compare Source
2023-05-09
Bug Fixes
Pull Requests
v3.21.5
Compare Source
2023-05-05
Bug Fixes
Pull Requests
v3.21.4
Compare Source
2023-05-03
Bug Fixes
Pull Requests
v3.21.3
Compare Source
2023-05-02
Bug Fixes
process.exit()
when Rollup CLI finishes successfully to solve issues on some systems (#4969)Pull Requests
v3.21.2
Compare Source
2023-04-30
Bug Fixes
Pull Requests
v3.21.1
Compare Source
2023-04-29
Bug Fixes
arguments
variable (#4965)Pull Requests
v3.21.0
Compare Source
2023-04-23
Features
Pull Requests
v3.20.7
Compare Source
2023-04-21
Bug Fixes
Pull Requests
v3.20.6
Compare Source
2023-04-18
Bug Fixes
Pull Requests
v3.20.5
Compare Source
2023-04-18
Bug Fixes
Pull Requests
v3.20.4
Compare Source
2023-04-17
Bug Fixes
Pull Requests
v3.20.3
Compare Source
2023-04-16
Bug Fixes
shouldTransformCachedModule
(#4932)Pull Requests
v3.20.2
Compare Source
2023-03-24
Bug Fixes
Pull Requests
v3.20.1
Compare Source
2023-03-23
Bug Fixes
Pull Requests
v3.20.0
Compare Source
2023-03-20
Features
Bug Fixes
Pull Requests
v3.19.1
Compare Source
2023-03-10
Bug Fixes
Pull Requests
output.sanitizeFileName
section (@0x009922)v3.19.0
Compare Source
2023-03-09
Features
Pull Requests
npm run dev
(@lukastaegert)v3.18.0
Compare Source
2023-03-01
Features
experimentalLogSideEffects
to log the first detected side effect in every module (#4871)Pull Requests
node_modules
as ignore-listed by default (@bmeurer)v3.17.3
Compare Source
2023-02-25
Bug Fixes
Pull Requests
import.meta.url
in CommonJS (@fasttime)v3.17.2
Compare Source
2023-02-20
Bug Fixes
moduleSideEffects
set totrue
(#4867)needsCodeReference
property in TypeScript for asset tree-shaking (#4868)Pull Requests
needsCodeReference
property toEmittedAsset
(@sapphi-red)v3.17.1
Compare Source
2023-02-18
Bug Fixes
loadConfigFile
(#4853)moduleSideEffects: false
(#4866)Pull Requests
v3.17.0
Compare Source
2023-02-18
Features
experimentalDeepDynamicChunkOptimization
and always run the full chunk generation algorithm (#4862)Bug Fixes
experimentalDeepDynamicChunkOptimization
was enabled (#4862)Pull Requests
v3.16.0
Compare Source
2023-02-17
Features
output.sourcemapIgnoreList
option to mark file sources as ignored in thex_google_ignoreList
attribute of the resulting sourcemap (#4848)sourcesContent
containsnull
entries (#4846)true
for thecache
option to override Vite's default (#4859)Bug Fixes
experimentalMinChunkSize
option ( #4851)Pull Requests
sourcemapIgnoreList
predicate. (@bmeurer)v3.15.0
Compare Source
2023-02-10
Features
Bug Fixes
Pull Requests
v3.14.0
Compare Source
2023-02-05
Features
experimentalDeepDynamicChunkOptimization
option to produce fewer chunks from dynamic imports (#4837)Pull Requests
v3.13.0
Compare Source
2023-02-03
Features
experimentalMinChunkSize
(#4723)Pull Requests
v3.12.1
Compare Source
2023-02-01
Bug Fixes
Pull Requests
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.