Skip to content

[Security] Bump webpack-dev-middleware from 5.3.3 to 5.3.4 in /frontend

Bumps webpack-dev-middleware from 5.3.3 to 5.3.4. This update includes a security fix.

Vulnerabilities fixed

Path traversal in webpack-dev-middleware

Summary

The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine.

Details

The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory memfs filesystem. If writeToDisk configuration option is set to true, the physical filesystem is used: https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/setupOutputFileSystem.js#L21

The getFilenameFromUrl method is used to parse URL and build the local file path. The public path prefix is stripped from the URL, and the unsecaped path suffix is appended to the outputPath: https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/getFilenameFromUrl.js#L82 As the URL is not unescaped and normalized automatically before calling the midlleware, it is possible to use %2e and %2f sequences to perform path traversal attack.

PoC

A blank project can be created containing the following configuration file webpack.config.js: `module.exports = { devServer: { devMiddleware: { writeToDisk: true }

... (truncated)

Patched versions: 5.3.4 Affected versions: <= 5.3.3

Release notes

Sourced from webpack-dev-middleware's releases.

v5.3.4

5.3.4 (2024-03-20)

Bug Fixes

  • security: do not allow to read files above (#1779) (189c4ac)
Changelog

Sourced from webpack-dev-middleware's changelog.

5.3.4 (2024-03-20)

Bug Fixes

  • security: do not allow to read files above (#1779) (189c4ac)
Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading