[Security] Bump webpack-dev-middleware from 5.3.3 to 5.3.4 in /frontend
Bumps webpack-dev-middleware from 5.3.3 to 5.3.4. This update includes a security fix.
Vulnerabilities fixed
Path traversal in webpack-dev-middleware
Summary
The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine.
Details
The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory memfs filesystem. If the writeToDisk configuration option is set to true, the physical filesystem is used: https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/setupOutputFileSystem.js#L21
The getFilenameFromUrl method is used to parse the URL and build the local file path. The public path prefix is stripped from the URL, and the unescaped path suffix is appended to the outputPath: https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/getFilenameFromUrl.js#L82 As the URL is not unescaped and normalized automatically before calling the middleware, it is possible to use %2e and %2f sequences to perform a path traversal attack.
PoC
A blank project can be created containing the following configuration file webpack.config.js: `module.exports = { devServer: { devMiddleware: { writeToDisk: true }
... (truncated)
Patched versions: 5.3.4
Affected versions: <= 5.3.3
Commits
- 86071ea chore(release): 5.3.4
- 189c4ac fix(security): do not allow to read files above (#1779)
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
- `$dependabot recreate` will recreate this MR, rewriting all the manual changes and resolving conflicts