chore(deps): update dependency astro to v4.16.18 [security] #40
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.3.1
->4.16.18
GitHub Vulnerability Alerts
CVE-2024-47885
Summary
A DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has stored attacker-controlled scriptless HTML elements (i.e.,
iframe
tags with unsanitizedname
attributes) on the destination pages.Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadgets found in Astro
We identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the
<ViewTransitions />
component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an<a>
link):https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156
However, this implementation is vulnerable to a DOM Clobbering attack. The
document.scripts
lookup can be shadowed by an attacker injected non-script HTML elements (e.g.,<img name="scripts"><img name="scripts">
) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements.The condition
script.dataset.astroExec === ''
on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require atype
attribute.Finally, the
innerHTML
of an attacker-injected non-script HTML elements, which is plain text content before, will be set to the.innerHTML
of an script element that leads to XSS.PoC
Consider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g.,
form
oriframe
). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.For PoC website, please refer to:
https://stackblitz.com/edit/github-4xgj2d
. Clicking the "about" button in the menu will trigger analert(1)
from an attacker-injectedform
element.Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with
ViewTransitions
and store the user-inserted scriptless HTML tags without properly sanitizing thename
attributes on the page.Patch
We recommend replacing
document.scripts
withdocument.getElementsByTagName('script')
for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging thename
attribute.Reference
Similar issues for reference:
CVE-2024-56140
Summary
A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.
Details
When the
security.checkOrigin
configuration option is set totrue
, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)For example, with the following Astro configuration:
A request like the following would be blocked if made from a different origin:
However, a vulnerability exists that can bypass this security.
Pattern 1: Requests with a semicolon after the
Content-Type
A semicolon-delimited parameter is allowed after the type in
Content-Type
.Web browsers will treat a
Content-Type
such asapplication/x-www-form-urlencoded; abc
as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.Pattern 2: Request without
Content-Type
headerThe
Content-Type
header is not required for a request. The following examples are sent without aContent-Type
header, resulting in CSRF.Impact
Bypass CSRF protection implemented with CSRF middleware.
Note
Even with
credentials: 'include'
, browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.CVE-2024-56159
Summary
A bug in the build process allows any unauthenticated user to read parts of the server source code.
Details
During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder.
https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139
Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website.
While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in
src/pages
) are predictably named. For example. the sourcemap file forsrc/pages/index.astro
gets nameddist/client/pages/index.astro.mjs.map
.PoC
Here is one example of an affected open-source website:
https://creatorsgarten.org/pages/index.astro.mjs.map
The file can be saved and opened using https://evanw.github.io/source-map-visualization/ to reconstruct the source code.
The above accurately mirrors the source code as seen in the repository: https://github.com/creatorsgarten/creatorsgarten.org/blob/main/src/pages/index.astro
The above was found as the 4th result (and the first one on Astro 5.0+) when making the following search query on GitHub.com (search results link):
This vulnerability is the root cause of https://github.com/withastro/astro/issues/12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the
dist/client
(referred to asconfig.build.client
in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains.map
files corresponding to the code that runs on the server.Impact
All server-output (SSR) projects on Astro 5 versions v5.0.3 through v5.0.6 (inclusive), that have sourcemaps enabled, either directly or through an add-on such as sentry, are affected. The fix for server-output projects was released in [email protected].
Additionally, all static-output (SSG) projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.7 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in [email protected], and backported to Astro v4 in [email protected].
The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code.
There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code .
There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability.
Remediation
The fix for server-output projects was released in [email protected], and the fix for static-output projects was released in [email protected] and backported to Astro v4 in [email protected]. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.
Release Notes
withastro/astro (astro)
v4.16.18
Compare Source
Patch Changes
#12757
d0aaac3
Thanks @matthewp! - Remove all assets created from the server build#12757
d0aaac3
Thanks @matthewp! - Clean server sourcemaps from static outputv4.16.17
Compare Source
Patch Changes
e7d14c3
Thanks @ematipico! - Fixes an issue where thecheckOrigin
feature wasn't correctly checking thecontent-type
headerv4.16.16
Compare Source
Patch Changes
#12542
65e50eb
Thanks @kadykov! - Fix JPEG image size determination#12525
cf0d8b0
Thanks @ematipico! - Fixes an issue where withi18n
enabled, Astro couldn't render the404.astro
component for non-existent routes.v4.16.15
Compare Source
Patch Changes
b140a3f
Thanks @ematipico! - Fixes a regression where Astro was trying to accessRequest.headers
v4.16.14
Compare Source
Patch Changes
#12480
c3b7e7c
Thanks @matthewp! - Removes the default throw behavior inastro:env
#12444
28dd3ce
Thanks @ematipico! - Fixes an issue where a server island hydration script might fail case the island ID misses from the DOM.#12476
80a9a52
Thanks @florian-lefebvre! - Fixes a case where the Content Layerglob()
loader would not update when renaming or deleting an entry#12418
25baa4e
Thanks @oliverlynch! - Fix cached image redownloading if it is the first asset#12477
46f6b38
Thanks @ematipico! - Fixes an issue where the SSR build was emitting thedist/server/entry.mjs
file with an incorrect import at the top of the file/#12365
a23985b
Thanks @apatel369! - Fixes an issue whereAstro.currentLocale
was not correctly returning the locale for 404 and 500 pages.v4.16.13
Compare Source
Patch Changes
#12436
453ec6b
Thanks @martrapp! - Fixes a potential null access in the clientside router#12392
0462219
Thanks @apatel369! - Fixes an issue where scripts were not correctly injected during the build. The issue was triggered when there were injected routes with the sameentrypoint
and differentpattern
v4.16.12
Compare Source
Patch Changes
acac0af
Thanks @ematipico! - Fixes an issue where the dev server returns a 404 status code when a user middleware returns a validResponse
.v4.16.11
Compare Source
Patch Changes
#12305
f5f7109
Thanks @florian-lefebvre! - Fixes a case where the error overlay would not escape the message#12402
823e73b
Thanks @ematipico! - Fixes a case where Astro allowed to call an action without usingAstro.callAction
. This is now invalid, and Astro will show a proper error.v4.16.10
Compare Source
Patch Changes
#12311
bf2723e
Thanks @dinesh-58! - Addschecked
to the list of boolean attributes.#12363
222f718
Thanks @Fryuni! - Fixes code generated byastro add
command when adding a version of an integration other than the defaultlatest
.#12368
493fe43
Thanks @bluwy! - Improves error logs when executing commands#12355
c4726d7
Thanks @apatel369! - Improves error reporting for invalid frontmatter in MDX files during theastro build
command. The error message now includes the file path where the frontmatter parsing failed.v4.16.9
Compare Source
Patch Changes
#12333
836cd91
Thanks @imattacus! - Destroy the server response stream if async error is thrown#12358
7680349
Thanks @spacedawwwg! - HonorsinlineAstroConfig
parameter ingetViteConfig
when creating a logger#12353
35795a1
Thanks @hippotastic! - Fixes an issue in dev server watch file handling that could cause multiple restarts for a single file change.#12351
5751488
Thanks @florian-lefebvre! - Reverts a change made in4.16.6
that prevented usage ofastro:env
secrets inside middleware in SSR#12346
20e5a84
Thanks @bluwy! - Fixes sourcemap generation when prefetch is enabled#12349
1fc83d3
Thanks @norskeld! - Fixes thegetImage
options type so it properly extendsImageTransform
v4.16.8
Compare Source
Patch Changes
#12338
9ca89b3
Thanks @situ2001! - ResetsNODE_ENV
to ensure install command run in dev mode#12286
9d6bcdb
Thanks @florian-lefebvre! - Fixes a case where a warning for experimentalastro:env
support would be shown when using an adapter but not actually usingastro:env
#12342
ffc836b
Thanks @liruifengv! - Fixes a typo in the command name of the CLI#12301
0cfc69d
Thanks @apatel369! - Fixes an issue with action handler context by passing the correct context (ActionAPIContext
).#12312
5642ef9
Thanks @koyopro! - Fixes an issue where usinggetViteConfig()
returns incorrect and duplicate configuration#12245
1d4f6a4
Thanks @bmenant! - Addcomponents
property to MDXInstance type definition (RenderResult and module import)#12340
94eaeea
Thanks @ematipico! - Fixes an issue where Astro actions didn't work whenbase
was different from/
v4.16.7
Compare Source
Patch Changes
#12263
e9e8080
Thanks @Fryuni! - Fixes conflict between server islands and on-demand dynamic routes in the form of/[...rest]
or/[paramA]/[paramB]
.#12279
b781f88
Thanks @jsparkdev! - Update wrong error message#12273
c2ee963
Thanks @ascorbic! - Fixes an issue with some package managers where sites would not build if TypeScript was not installed.#12235
a75bc5e
Thanks @ematipico! - Fixes a bug where Astro Actions couldn't redirect to the correct pathname when there was a rewrite involved.#11839
ff522b9
Thanks @icaliman! - Fixes error when returning a top-levelnull
from an Astro file frontmatter#12272
388d237
Thanks @ascorbic! - Correctly handles local images when using a base path in SSRv4.16.6
Compare Source
Patch Changes
#11823
a3d30a6
Thanks @DerTimonius! - fix: improve error message when inferSize is used in local images with the Image component#12227
8b1a641
Thanks @florian-lefebvre! - Fixes a case where environment variables would not be refreshed when usingastro:env
#12239
2b6daa5
Thanks @ematipico! - BREAKING CHANGE to the experimental Container API onlyChanges the default page rendering behavior of Astro components in containers, and adds a new option
partial: false
to render full Astro pages as before.Previously, the Container API was rendering all Astro components as if they were full Astro pages containing
<!DOCTYPE html>
by default. This was not intended, and now by default, all components will render as page partials: only the contents of the components without a page shell.To render the component as a full-fledged Astro page, pass a new option called
partial: false
torenderToString()
andrenderToResponse()
:v4.16.5
Compare Source
Patch Changes
ff68ba5
Thanks @martrapp! - Fixes an issue with cssesc in dev mode when settingvite.ssr.noExternal: true
v4.16.4
Compare Source
Patch Changes
#12223
79ffa5d
Thanks @ArmandPhilippot! - Fixes a false positive reported by the dev toolbar Audit app where a label was considered missing when associated with a buttonThe
button
element can be used with a label (e.g. to create a switch) and should not be reported as an accessibility issue when used as a child of alabel
.#12199
c351352
Thanks @ematipico! - Fixes a regression in the computation ofAstro.currentLocale
#12222
fb55695
Thanks @ematipico! - Fixes an issue where the edge middleware couldn't correctly compute the client IP address when callingctx.clientAddress()
v4.16.3
Compare Source
Patch Changes
#12220
b049359
Thanks @bluwy! - Fixes accidental internalsetOnSetGetEnv
parameter rename that caused runtime errors#12197
2aa2dfd
Thanks @ematipico! - Fix a regression where a port was incorrectly added to theAstro.url
v4.16.2
Compare Source
Patch Changes
12b0022
Thanks @bluwy! - Reverts https://github.com/withastro/astro/pull/12173 which causedCan't modify immutable headers
warnings and 500 errors on Cloudflare Pagesv4.16.1
Compare Source
Patch Changes
#12177
a4ffbfa
Thanks @matthewp! - Ensure we target scripts for execution in the routerUsing
document.scripts
is unsafe because if the application has aname="scripts"
this will shadow the built-indocument.scripts
. Fix is to usegetElementsByTagName
to ensure we're only grabbing real scripts.#12173
2d10de5
Thanks @ematipico! - Fixes a bug where Astro Actions couldn't redirect to the correct pathname when there was a rewrite involved.v4.16.0
Compare Source
Minor Changes
#12039
710a1a1
Thanks @ematipico! - Adds amarkdown.shikiConfig.langAlias
option that allows aliasing a non-supported code language to a known language. This is useful when the language of your code samples is not a built-in Shiki language, but you want your Markdown source to contain an accurate language while also displaying syntax highlighting.The following example configures Shiki to highlight
cjs
code blocks using thejavascript
syntax highlighter:Then in your Markdown, you can use the alias as the language for a code block for syntax highlighting:
#11984
3ac2263
Thanks @chaegumi! - Adds a newbuild.concurreny
configuration option to specify the number of pages to build in parallelIn most cases, you should not change the default value of
1
.Use this option only when other attempts to reduce the overall rendering time (e.g. batch or cache long running tasks like fetch calls or data access) are not possible or are insufficient.
Use this option only if the refactors are not possible. If the number is set too high, the page rendering may slow down due to insufficient memory resources and because JS is single-threaded.
Patch Changes
#12160
c6fd1df
Thanks @louisescher! - Fixes a bug whereastro.config.mts
andastro.config.cts
weren't reloading the dev server upon modifications.#12130
e96bcae
Thanks @thehansys! - Fixes a bug in the parsing ofx-forwarded-\*
Request
headers, where multiple values assigned to those headers were not correctly parsed.Now, headers like
x-forwarded-proto: https,http
are correctly parsed.#12147
9db755a
Thanks @ascorbic! - Skips setting statusMessage header for HTTP/2 responseHTTP/2 doesn't support status message, so setting this was logging a warning.
#12151
bb6d37f
Thanks @ematipico! - Fixes an issue whereAstro.currentLocale
wasn't incorrectly computed when thedefaultLocale
belonged to a custom locale path.Updated dependencies [
710a1a1
]:v4.15.12
Compare Source
Patch Changes
#12121
2490ceb
Thanks @ascorbic! - Support passing the valuesInfinity
and-Infinity
as island props.#12118
f47b347
Thanks @Namchee! - Removes thestrip-ansi
dependency in favor of the native Node API#12126
6e1dfeb
Thanks @ascorbic! - Clear content layer cache when astro version changes#12117
a46839a
Thanks @ArmandPhilippot! - Updates Vite links to use their new domain#12124
499fbc9
Thanks @ascorbic! - Allows special characters in Action names#12123
b8673df
Thanks @Princesseuh! - Fixes missingbody
property on CollectionEntry types for content layer entries#12132
de35daa
Thanks @jcayzac! - Updates thecookie
dependency to avoid the CVE 2024-47764 vulnerability.#12113
a54e520
Thanks @ascorbic! - Adds a helpful error when attempting to render an undefined collection entryv4.15.11
Compare Source
Patch Changes
#12097
11d447f
Thanks @ascorbic! - Fixes error where references in content layer schemas sometimes incorrectly report as missing#12108
918953b
Thanks @lameuler! - Fixes a bug where data URL images were not correctly handled. The bug resulted in anENAMETOOLONG
error.#12105
42037f3
Thanks @ascorbic! - Returns custom statusText that has been set in a Response#12109
ea22558
Thanks @ematipico! - Fixes a regression that was introduced by an internal refactor of how the middleware is loaded by the Astro application. The regression was introduced by #11550.When the edge middleware feature is opted in, Astro removes the middleware function from the SSR manifest, and this wasn't taken into account during the refactor.
#12106
d3a74da
Thanks @ascorbic! - Handles case where an immutable Response object is returned from an endpoint#12090
d49a537
Thanks @markjaquith! - Server islands: changes the server island HTML placeholder comment so that it is much less likely to get removed by HTML minifiers.v4.15.10
Compare Source
Patch Changes
#12084
12dae50
Thanks @Princesseuh! - Adds missing filePath property on content layer entries#12046
d7779df
Thanks @martrapp! - View transitions: Fixes Astro's fade animation to prevent flashing during morph transitions.#12043
1720c5b
Thanks @bluwy! - Fixes injected endpointprerender
option detection#12095
76c5fbd
Thanks @TheOtterlord! - Fix installing non-stable versions of integrations withastro add
v4.15.9
Compare Source
Patch Changes
#12034
5b3ddfa
Thanks @ematipico! - Fixes an issue where the middleware wasn't called when a project uses404.astro
.#12042
243ecb6
Thanks @ematipico! - Fixes a problem in the Container API, where a polyfill wasn't correctly applied. This caused an issue in some environments wherecrypto
isn't supported.#12038
26ea5e8
Thanks @ascorbic! - Resolves image paths in content layer with initial slash as project-relativeWhen using the
image()
schema helper, previously paths with an initial slash were treated as public URLs. This was to match the behavior of markdown images. However this is a change from before, where paths with an initial slash were treated as project-relative. This change restores the previous behavior, so that paths with an initial slash are treated as project-relative.v4.15.8
Compare Source
Patch Changes
#12014
53cb41e
Thanks @ascorbic! - Fixes an issue where component styles were not correctly included in rendered MDX#12031
8c0cae6
Thanks @ematipico! - Fixes a bug where the rewrite vianext(/*..*/)
inside a middleware didn't compute the newAPIContext.params
#12026
40e7a1b
Thanks @bluwy! - Initializes the Markdown processor only when there's.md
files#12028
d3bd673
Thanks @bluwy! - Handles route collision detection only if it matchesgetStaticPaths
#12027
dd3b753
Thanks @fviolette! - Addselected
to the list of boolean attributes#12001
9be3e1b
Thanks @uwej711! - Remove dependency on path-to-regexpv4.15.7
Compare Source
Patch Changes
#12000
a2f8c5d
Thanks @ArmandPhilippot! - Fixes an outdated link used to document Content Layer API#11915
0b59fe7
Thanks @azhirov! - Fix: prevent island from re-rendering when using transition:persist (#11854)v4.15.6
Compare Source
Patch Changes
#11993
ffba5d7
Thanks @matthewp! - Fix getStaticPaths regressionThis reverts a previous change meant to remove a dependency, to fix a regression with multiple nested spread routes.
#11964
06eff60
Thanks @TheOtterlord! - Add wayland (wl-copy) support toastro info
v4.15.5
Compare Source
Patch Changes
#11939
7b09c62
Thanks @bholmesdev! - Adds support for Zod discriminated unions on Action form inputs. This allows forms with different inputs to be submitted to the same action, using a given input to decide which object should be used for validation.This example accepts either a
create
orupdate
form submission, and uses thetype
field to determine which object to validate against.The corresponding
create
andupdate
forms may look like this:v4.15.4
Compare Source
Patch Changes
#11879
bd1d4aa
Thanks @matthewp! - Allow passing a cryptography key via ASTRO_KEYFor Server islands Astro creates a cryptography key in order to hash props for the islands, preventing accidental leakage of secrets.
If you deploy to an environment with rolling updates then there could be multiple instances of your app with different keys, causing potential key mismatches.
To fix this you can now pass the
ASTRO_KEY
environment variable to your build in order to reuse the same key.To generate a key use:
This will print out an environment variable to set like:
#11935
c58193a
Thanks @Princesseuh! - Fixesastro add
not using the proper export point when adding certain adaptersv4.15.3
Compare Source
Patch Changes
#11902
d63bc50
Thanks @ascorbic! - Fixes case where content layer did not update during clean dev builds on Linux and Windows#11886
7ff7134
Thanks @matthewp! - Fixes a missing error message when actions throws duringastro sync
#11904
ca54e3f
Thanks @wtchnm! - perf(assets): avoid downloading original image when using cachev4.15.2
Compare Source
Patch Changes
#11870
8e5257a
Thanks @ArmandPhilippot! - Fixes typo in documenting thefallbackType
property in i18n routing#11884
e450704
Thanks @ascorbic! - Correctly handles content layer data where the transformed value does not match the input schema#11900
80b4a18
Thanks @delucis! - Fixes the user-facing type of the newi18n.routing.fallbackType
option to be optionalv4.15.1
Compare Source
Patch Changes
9327d56
](https://redirect.github.com/withaConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.