Update dependency rollup to v3.29.5 [SECURITY] #207
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.23.0
->3.29.5
GitHub Vulnerability Alerts
CVE-2024-47068
Summary
We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use
import.meta.url
or with plugins that emit and reference asset files from code incjs
/umd
/iife
format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animg
tag with an unsanitizedname
attribute) are present.It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadget found in
rollup
We have identified a DOM Clobbering vulnerability in
rollup
bundled scripts, particularly when the scripts usesimport.meta
and set output in format ofcjs
/umd
/iife
. In such cases,rollup
replaces meta property with the URL retrieved fromdocument.currentScript
.https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
However, this implementation is vulnerable to a DOM Clobbering attack. The
document.currentScript
lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, thesrc
attribute of the attacker-controlled element (e.g., animg
tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.PoC
Considering a website that contains the following
main.js
script, the devloper decides to use therollup
to bundle up the program:rollup main.js --format cjs --file bundle.js
.The output
bundle.js
is shown in the following code snippet.Adding the
rollup
bundled script,bundle.js
, as part of the web page source code, the page could load theextra.js
file from the attacker's domain,attacker.controlled.server
due to the introduced gadget during bundling. The attacker only needs to insert animg
tag with the name attribute set tocurrentScript
. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of
cjs
,iife
, orumd
and useimport.meta
) and allow users to inject certain scriptless HTML tags without properly sanitizing thename
orid
attributes.Patch
Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.
Release Notes
rollup/rollup (rollup)
v3.29.5
Compare Source
v3.29.4
Compare Source
2023-09-28
Bug Fixes
Pull Requests
v3.29.3
Compare Source
2023-09-24
Bug Fixes
Pull Requests
v3.29.2
Compare Source
2023-09-15
Bug Fixes
TreeshakingPreset
type (#5131)Pull Requests
TreeshakingPreset
(@moltar)v3.29.1
Compare Source
2023-09-10
Bug Fixes
Pull Requests
v3.29.0
Compare Source
2023-09-06
Features
api
to Plugin type (#5112)Bug Fixes
Pull Requests
v3.28.1
Compare Source
2023-08-22
Bug Fixes
Pull Requests
v3.28.0
Compare Source
2023-08-09
Features
preliminaryFileName
to generated chunks containing the file name placeholder (#5086)Bug Fixes
code
property of rendered modules in the output readonly (#5091)Pull Requests
preliminaryFileName
toOutputChunk
(@lsdsjy)v3.27.2
Compare Source
2023-08-04
Bug Fixes
Pull Requests
v3.27.1
Compare Source
2023-08-03
Bug Fixes
Pull Requests
v3.27.0
Compare Source
2023-07-28
Features
Object.values
andObject.entries
as pure if their argument does not contain getters (#5072)Pull Requests
v3.26.3
Compare Source
2023-07-17
Bug Fixes
manualChunks
to avoid breaking existing configs (#5068)Pull Requests
v3.26.2
Compare Source
2023-07-06
Bug Fixes
Pull Requests
v3.26.1
Compare Source
2023-07-05
Bug Fixes
hasOwnProperty
as exported name in CommonJS (#5010)Pull Requests
v3.26.0
Compare Source
2023-06-30
Features
--filterLogs
CLI flag andROLLUP_FILTER_LOGS
environment variable for log filtering (#5035)Pull Requests
v3.25.3
Compare Source
2023-06-26
Bug Fixes
Pull Requests
v3.25.2
Compare Source
2023-06-24
Bug Fixes
code
is not a string (#5042)Pull Requests
this.error
withpos
intransform
hook (@sapphi-red)v3.25.1
Compare Source
2023-06-12
Bug Fixes
__NO_SIDE_EFFECTS__
for async functions (#5031)Pull Requests
__NO_SIDE_EFFECTS__
annotation for async function (@antfu)v3.25.0
Compare Source
2023-06-11
Features
this.info
andthis.debug
plugin context logging functions (#5026)onLog
option to read, map and filter logs (#5026)logLevel
option to fully suppress logs by level (#5026)this.warn
,this.info
andthis.debug
to avoid heavy computations based on log level (#5026)onLog
plugin hook to read, filter and map logs from plugins (#5026)Pull Requests
v3.24.1
Compare Source
2023-06-10
Bug Fixes
@rollup/plugin-commonjs
were missing internal dependencies when code-splitting (#5029)process.exit(0)
in watch mode to avoid issues in embedded scenarios (#5027)Pull Requests
v3.24.0
Compare Source
2023-06-07
Features
/* #__NO_SIDE_EFFECTS__ */
to mark function declarations as side effect free (#5024)Pull Requests
#__NO_SIDE_EFFECTS__
annotation for function declaration (@antfu)v3.23.1
Compare Source
2023-06-04
Bug Fixes
Pull Requests
Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.