-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency rollup to v3.29.5 [security] #6623
base: next
Are you sure you want to change the base?
Conversation
Hey there and thank you for opening this pull request! 👋 We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted. Your PR title is: Details: Unknown scope "deps" found in pull request title "chore(deps): update dependency rollup to v3.29.5 [security]". Scope must match one of: root, api, dashboard, inbound-mail, web, webhook, widget, worker, ws, ee-auth, ee-billing, ee-dal, ee-shared-services, ee-translation, application-generic, automation, dal, design-system, embed, novui, testing, client, framework, headless, js, nest, nextjs, node, notification-center, novu, providers, react, react-native, shared, stateless, nestjs, nextjs. |
❌ Deploy Preview for novu-stg-vite-dashboard-poc failed. Why did it fail? →
|
52d59d3
to
fa58dc3
Compare
fa58dc3
to
38ee3c0
Compare
38ee3c0
to
ef47150
Compare
ef47150
to
c338f56
Compare
c338f56
to
9755e87
Compare
9755e87
to
41354b1
Compare
41354b1
to
7e692b1
Compare
a8da683
to
22051fd
Compare
22051fd
to
38b7bd3
Compare
38b7bd3
to
7257484
Compare
7257484
to
9f5ef57
Compare
9f5ef57
to
704f54c
Compare
704f54c
to
a4d7211
Compare
a4d7211
to
39c9868
Compare
This PR contains the following updates:
3.20.2
->3.29.5
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2024-47068
Summary
We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use
import.meta.url
or with plugins that emit and reference asset files from code incjs
/umd
/iife
format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animg
tag with an unsanitizedname
attribute) are present.It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadget found in
rollup
We have identified a DOM Clobbering vulnerability in
rollup
bundled scripts, particularly when the scripts usesimport.meta
and set output in format ofcjs
/umd
/iife
. In such cases,rollup
replaces meta property with the URL retrieved fromdocument.currentScript
.https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
However, this implementation is vulnerable to a DOM Clobbering attack. The
document.currentScript
lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, thesrc
attribute of the attacker-controlled element (e.g., animg
tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.PoC
Considering a website that contains the following
main.js
script, the devloper decides to use therollup
to bundle up the program:rollup main.js --format cjs --file bundle.js
.The output
bundle.js
is shown in the following code snippet.Adding the
rollup
bundled script,bundle.js
, as part of the web page source code, the page could load theextra.js
file from the attacker's domain,attacker.controlled.server
due to the introduced gadget during bundling. The attacker only needs to insert animg
tag with the name attribute set tocurrentScript
. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of
cjs
,iife
, orumd
and useimport.meta
) and allow users to inject certain scriptless HTML tags without properly sanitizing thename
orid
attributes.Patch
Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.
Release Notes
rollup/rollup (rollup)
v3.29.5
Compare Source
v3.29.4
Compare Source
2023-09-28
Bug Fixes
Pull Requests
v3.29.3
Compare Source
2023-09-24
Bug Fixes
Pull Requests
v3.29.2
Compare Source
2023-09-15
Bug Fixes
TreeshakingPreset
type (#5131)Pull Requests
TreeshakingPreset
(@moltar)v3.29.1
Compare Source
2023-09-10
Bug Fixes
Pull Requests
v3.29.0
Compare Source
2023-09-06
Features
api
to Plugin type (#5112)Bug Fixes
Pull Requests
v3.28.1
Compare Source
2023-08-22
Bug Fixes
Pull Requests
v3.28.0
Compare Source
2023-08-09
Features
preliminaryFileName
to generated chunks containing the file name placeholder (#5086)Bug Fixes
code
property of rendered modules in the output readonly (#5091)Pull Requests
preliminaryFileName
toOutputChunk
(@lsdsjy)v3.27.2
Compare Source
2023-08-04
Bug Fixes
Pull Requests
v3.27.1
Compare Source
2023-08-03
Bug Fixes
Pull Requests
v3.27.0
Compare Source
2023-07-28
Features
Object.values
andObject.entries
as pure if their argument does not contain getters (#5072)Pull Requests
v3.26.3
Compare Source
2023-07-17
Bug Fixes
manualChunks
to avoid breaking existing configs (#5068)Pull Requests
v3.26.2
Compare Source
2023-07-06
Bug Fixes
Pull Requests
v3.26.1
Compare Source
2023-07-05
Bug Fixes
hasOwnProperty
as exported name in CommonJS (#5010)Pull Requests
v3.26.0
Compare Source
2023-06-30
Features
--filterLogs
CLI flag andROLLUP_FILTER_LOGS
environment variable for log filtering (#5035)Pull Requests
v3.25.3
Compare Source
2023-06-26
Bug Fixes
Pull Requests
v3.25.2
Compare Source
2023-06-24
Bug Fixes
code
is not a string (#5042)Pull Requests
this.error
withpos
intransform
hook (@sapphi-red)v3.25.1
Compare Source
2023-06-12
Bug Fixes
__NO_SIDE_EFFECTS__
for async functions (#5031)Pull Requests
__NO_SIDE_EFFECTS__
annotation for async function (@antfu)v3.25.0
Compare Source
2023-06-11
Features
this.info
andthis.debug
plugin context logging functions (#5026)onLog
option to read, map and filter logs (#5026)logLevel
option to fully suppress logs by level (#5026)this.warn
,this.info
andthis.debug
to avoid heavy computations based on log level (#5026)onLog
plugin hook to read, filter and map logs from plugins (#5026)Pull Requests
v3.24.1
Compare Source
2023-06-10
Bug Fixes
@rollup/plugin-commonjs
were missing internal dependencies when code-splitting (#5029)process.exit(0)
in watch mode to avoid issues in embedded scenarios (#5027)Pull Requests
v3.24.0
Compare Source
2023-06-07
Features
/* #__NO_SIDE_EFFECTS__ */
to mark function declarations as side effect free (#5024)Pull Requests
#__NO_SIDE_EFFECTS__
annotation for function declaration (@antfu)v3.23.1
Compare Source
2023-06-04
Bug Fixes
Pull Requests
v3.23.0
Compare Source
2023-05-22
Features
Bug Fixes
Pull Requests
v3.22.1
Compare Source
2023-05-21
Bug Fixes
Pull Requests
v3.22.0
Compare Source
2023-05-17
Features
experimentalMinChunkSize
to take tree-shaking into account (#4989)Bug Fixes
experimentalMinChunkSize
(#4989)Pull Requests
v3.21.8
Compare Source
2023-05-16
Bug Fixes
Pull Requests
v3.21.7
Compare Source
2023-05-13
Bug Fixes
Pull Requests
v3.21.6
Compare Source
2023-05-09
Bug Fixes
Pull Requests
v3.21.5
Compare Source
2023-05-05
Bug Fixes
Pull Requests
v3.21.4
Compare Source
2023-05-03
Bug Fixes
Pull Requests
v3.21.3
Compare Source
2023-05-02
Bug Fixes
process.exit()
when Rollup CLI finishes successfully to solve issues on some systems (#4969)Pull Requests
v3.21.2
Compare Source
2023-04-30
Bug Fixes
Pull Requests
v3.21.1
Compare Source
2023-04-29
Bug Fixes
arguments
variable (#4965)Pull Requests
v3.21.0
Compare Source
2023-04-23
Features
Pull Requests
v3.20.7
Compare Source
2023-04-21
Bug Fixes
Pull Requests
v3.20.6
Compare Source
2023-04-18
Bug Fixes
Pull Requests
v3.20.5
Compare Source
2023-04-18
Bug Fixes
Pull Requests
v3.20.4
Compare Source
2023-04-17
Bug Fixes
Pull Requests
v3.20.3
Compare Source
2023-04-16
Bug Fixes
shouldTransformCachedModule
(#4932)Pull Requests
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.