Skip to content

chore(deps): update dependency pagefind to v1.1.1 [security] #660

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

chore(deps): update dependency pagefind to v1.1.1 [security] #660

wants to merge 2 commits into from

Conversation

lfrancke
Copy link
Member

This PR contains the following updates:

Package Type Update Change
pagefind devDependencies patch 1.1.0 -> 1.1.1

GitHub Vulnerability Alerts

CVE-2024-45389

Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of document.currentScript.src.

It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example:

<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>

This will cause document.currentScript.src to resolve as an external domain, which will then be used by Pagefind to load dependencies.

This exploit would only work in the case that an attacker could inject HTML to your live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, img tags with a name attribute), but not others, as adding a script to the page would itself be the XSS vector.

Pagefind has tightened this resolution by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.

Original Report

If an attacker can inject benign html, such as:
<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>

they can clobber document.currentScript.src leading to XSS in your library.

Here is the same attack on webpack that was accepted: GHSA-4vvj-4cpr-p986

Release Notes

CloudCannon/pagefind (pagefind)

v1.1.1

Compare Source

Fixes & Tweaks
  • Fixes an issue where internal anchor and weight tokens would leak when captured in meta or filter attributes.
  • Improves segmentation for extended languages (PR #​600 — thanks @​hamano !).
  • Improves Pagefind's processing of "index.html" URLs (PR #​604 — thanks @​dscho !).
  • Fixes some instances of incorrect types in the Pagefind NodeJS API (PRs #​642 & #​655 — thanks @​vanyauhalin & SKalt !).
UI Translations
  • Added Swahili translations
Secutiry
  • Fix potential DOM clobbering when initializing Pagefind

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@lfrancke lfrancke added the dependencies Pull requests that update a dependency file label Sep 10, 2024
@lfrancke lfrancke requested a review from a team September 10, 2024 13:15
@netlify Netlify
Copy link

netlify bot commented Sep 10, 2024
edited
Loading

Deploy Preview for stackable-docs ready!

Name Link
🔨 Latest commit c2209a7
🔍 Latest deploy log https://app.netlify.com/sites/stackable-docs/deploys/6748c72300214d0008050268
😎 Deploy Preview https://deploy-preview-660--stackable-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

NickLarsenNZ
NickLarsenNZ reviewed Sep 11, 2024
View reviewed changes
Copy link
Member

@NickLarsenNZ NickLarsenNZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For some reason the build fails due to:

npm error `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.

@stackable-bot
chore(deps): update dependency pagefind to v1.1.1 [security]
5bc670e 
| datasource | package  | from  | to    |
| ---------- | -------- | ----- | ----- |
| npm        | pagefind | 1.1.0 | 1.1.1 |
@stackable-bot stackable-bot force-pushed the renovate/npm-pagefind-vulnerability branch from 7d26c2e to 5bc670e Compare October 16, 2024 08:37
@NickLarsenNZ
Copy link
Member

@lfrancke, the build keeps failing on this branch.

@lfrancke
Copy link
Member Author

I'll close this in favor of #656

@lfrancke lfrancke closed this Dec 10, 2024
@lfrancke lfrancke deleted the renovate/npm-pagefind-vulnerability branch December 10, 2024 13:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NickLarsenNZ NickLarsenNZ NickLarsenNZ left review comments

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lfrancke @NickLarsenNZ @stackable-bot