Update dependency @builder.io/qwik to v1.7.3 [SECURITY] #573

Open. Wants to merge 1 commit into base: main.
Conversation
@renovate renovate bot commented Aug 6, 2024

This PR contains the following updates:

Package: @builder.io/qwik (source)
Change: 1.4.5 -> 1.7.3

GitHub Vulnerability Alerts

CVE-2024-41677

Summary

A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0.

Details

Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208

  • If the string is an attribute value:
    • " -> &quot;
    • & -> &amp;
    • Other characters -> No conversion
  • Otherwise:
    • < -> &lt;
    • > -> &gt;
    • & -> &amp;
    • Other characters -> No conversion

This sometimes causes the final DOM tree rendered by browsers to differ from what Qwik expects during server-side rendering. This may be leveraged to perform XSS attacks; this type of XSS is known as mXSS (mutation XSS).

PoC

A vulnerable component:

import { component$ } from "@builder.io/qwik";
import { useLocation } from "@builder.io/qwik-city";

export default component$(() => {
  // User-controlled input: the `href` query parameter, with a default fallback.
  const { url } = useLocation();
  const href = url.searchParams.get("href") ?? "https://example.com";

  // The attribute value goes through Qwik's SSR attribute escaping, which
  // (per the rules above) leaves `<` and `>` untouched in attribute values.
  return (
    <div>
      <noscript>
        <a href={href}>test</a>
      </noscript>
    </div>
  );
});

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.

Impact

XSS


Release Notes

QwikDev/qwik (@builder.io/qwik)

v1.7.3

v1.7.2

Patch Changes
  • Library builds now correctly generate _fnSignal calls again. Any Qwik library that exports components should be built again. (by @wmertens in #6732)
  • Built files are now under dist/ or lib/. All tools that respect package export maps should just work. (by @wmertens in #6715)
    If you have trouble with TypeScript, ensure that you use moduleResolution: "Bundler" in your tsconfig.json.
  • @builder.io/qwik no longer depends on undici
  • Fix dev mode on Windows (by @Varixo in #6713)

v1.7.1

Compare Source

What's Changed

There are very important bugfixes around build and development in this release and we recommend upgrading.

PRs

Full Changelog: QwikDev/qwik@v1.7.0...v1.7.1

v1.7.0

Compare Source

Notable changes
  • Form errors when using dot notation have a slightly different type
  • Changes to search parameters in the URL will cause routeloaders to re-run now
  • Fixed several issues in dev mode
PRs merged
New Contributors

Full Changelog: QwikDev/qwik@v1.6.0...v1.7.0

v1.6.0

Compare Source

What's Changed
Features
Bug Fixes
Docs
New Contributors

Full Changelog: QwikDev/qwik@v1.5.7...v1.6.0

v1.5.7

Compare Source

What's Changed
New Contributors

Full Changelog: QwikDev/qwik@v1.5.6...v1.5.7

v1.5.6

Compare Source

What's Changed

Many bugfixes and documentation updates.

We also added an API tech preview: createSignal, useConstant and createComputed$, which should be self-explanatory. Feedback welcome on Discord or in issues. We cannot guarantee the stability of these APIs yet, although they are simple enough that they probably won't need changing.

Commits
New Contributors

Full Changelog: QwikDev/qwik@v1.5.5...v1.5.6

v1.5.5

Compare Source

What's Changed
New Contributors

Full Changelog: QwikDev/qwik@v1.5.4...v1.5.5

v1.5.4

Compare Source

What's Changed

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
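The escaping rules and the <noscript> PoC from the advisory quoted above, as an added example that is not Qwik's own code: the vulnerable attribute-escaping rules beside a hardened variant, plus a check a reviewer can run over SSR output to flag <noscript> content that a browser would close early. The renderer and all function names are constructed stand-ins, not Qwik APIs; the PoC input is the `href` value from the advisory's URL.

```javascript
// Added example, not Qwik's own code: the SSR attribute-escaping rules the
// advisory describes for Qwik <= 1.6.0, a hardened variant, and a check that
// flags SSR output whose <noscript> content would end early in the browser.
// The renderer and all function names are constructed stand-ins, not Qwik APIs.

// Attribute-value rules as described in the advisory: only `"` and `&` change.
function escapeAttrVulnerable(value) {
  return value.replace(/[&"]/g, (c) => (c === "&" ? "&amp;" : "&quot;"));
}

// Text-content rules as described in the advisory: `<`, `>` and `&` change.
function escapeText(value) {
  return value.replace(/[&<>]/g, (c) =>
    c === "&" ? "&amp;" : c === "<" ? "&lt;" : "&gt;");
}

// Hardened attribute escaping: also convert `<` and `>`, so an attribute value
// can never carry a literal end tag such as `</noscript>` into the markup.
function escapeAttrHardened(value) {
  const map = { "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" };
  return value.replace(/[&"<>]/g, (c) => map[c]);
}

// Stand-in for what the PoC component renders on the server.
function renderNoscriptLink(href, escapeAttr) {
  return `<div><noscript><a href="${escapeAttr(href)}">test</a></noscript></div>`;
}

// With scripting enabled, browsers parse <noscript> content as raw text, so a
// literal `</noscript` anywhere inside it (even inside a quoted attribute)
// closes the element there. Returns true when the serialized inner content
// contains such a sequence, i.e. when the browser DOM will differ from what
// the server-side renderer expected.
function noscriptEndsEarly(html) {
  const open = "<noscript>";
  const start = html.indexOf(open);
  const end = html.lastIndexOf("</noscript>");
  if (start < 0 || end < start) return false;
  const inner = html.slice(start + open.length, end).toLowerCase();
  return inner.includes("</noscript");
}

// The `href` value from the advisory's PoC URL.
const POC_HREF = "</noscript><script>alert(123)</script>";
console.log(noscriptEndsEarly(renderNoscriptLink(POC_HREF, escapeAttrVulnerable))); // true
console.log(noscriptEndsEarly(renderNoscriptLink(POC_HREF, escapeAttrHardened)));   // false
```

The same check can be pointed at any captured SSR response to confirm that the upgraded package no longer emits an unescaped `</noscript` inside the element.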

@renovate renovate bot added the dependencies label Aug 6, 2024

codecov bot commented Aug 6, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.25%. Comparing base (87632f6) to head (0e53e69).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #573   +/-   ##
=======================================
  Coverage   64.25%   64.25%           
=======================================
  Files         262      262           
  Lines       19527    19527           
  Branches     1550     1550           
=======================================
  Hits        12547    12547           
  Misses       6980     6980           

☔ View full report in Codecov by Sentry.