Skip to content

Fix security issues reported by Dependabot for version 4 #5514

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
kretajak wants to merge 3 commits into
base: version-4
Choose a base branch
from
+503 −46
Draft

Fix security issues reported by Dependabot for version 4 #5514

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5ba835f
fix(security): requests with an IP addresses Origin header are not al…
sapphi-red Mar 24, 2025
ba2e692
fix(security): check cross origin requests
sapphi-red Mar 24, 2025
8de7782
fix: respect the `allowedHosts` option for cross-origin header check …
alexander-akait Jun 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
fix(security): check cross origin requests
  • Loading branch information
@sapphi-red @kretajak
sapphi-red authored and kretajak committed Jun 6, 2025
commit ba2e692c170df23e0718c6be2e823e194c4252a2
26 changes: 26 additions & 0 deletions lib/Server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2209,6 +2209,32 @@ class Server {
this.options.onBeforeSetupMiddleware(this);
}

// Register setup cross origin request check for securityAdd commentMore actions
middlewares.push({
name: "cross-origin-header-check",
/**
* @param {Request} req
* @param {Response} res
* @param {NextFunction} next
* @returns {void}
*/
middleware: (req, res, next) => {
const headers =
/** @type {{ [key: string]: string | undefined }} */
(req.headers);
if (
Copy link
Member

@alexander-akait alexander-akait Jun 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recently we added some fixes here to skip check for allowedHost, please add it here

Copy link
Author

@kretajak kretajak Jun 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems not that straightforward. To me bigger effort is needed to incorporate changes from 03d1214. This PR uses functions defined in previous commits not available in line 4.

If it's not a problem, I would consider merging this PR and creating separate PR for task you mentioned.

Copy link
Member

@alexander-akait alexander-akait Jun 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kretajak let's include 03d1214 here, otherwise in some cases it will be impossible to setup a new version and we can merge

Copy link

@slorber slorber Jun 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kretajak let me know if you need help backporting that commit. I could try to add it on top of your existing PR if you don't have time to. We have at least 3 Docusaurus issues asking us to solve this security warning so happy to help and get this solved asap.

Copy link
Author

@kretajak kretajak Jun 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm currently trying to backport that commit. I'll inform you whether I was able to make it.

Copy link
Author

@kretajak kretajak Jun 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have added new commit which should move us a bit closer. Seems like also changes from 6045b1e might be required as they are tightly connected to 03d1214.

@slorber feel free to continue the work.

headers["sec-fetch-mode"] === "no-cors" &&
headers["sec-fetch-site"] === "cross-site"
) {
res.statusCode = 403;
res.end("Cross-Origin request blocked");
return;
}

next();
},
});

if (typeof this.options.headers !== "undefined") {
middlewares.push({
name: "set-headers",
Expand Down
118 changes: 118 additions & 0 deletions test/e2e/cross-origin-request.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
"use strict";

const webpack = require("webpack");
const Server = require("../../lib/Server");
const config = require("../fixtures/client-config/webpack.config");
const runBrowser = require("../helpers/run-browser");
const [port1, port2] = require("../ports-map")["cross-origin-request"];

describe("cross-origin requests", () => {
const devServerPort = port1;
const htmlServerPort = port2;
const htmlServerHost = "127.0.0.1";

it("should return 403 for cross-origin no-cors non-module script tag requests", async () => {
const compiler = webpack(config);
const devServerOptions = {
port: devServerPort,
allowedHosts: "auto",
};
const server = new Server(devServerOptions, compiler);

await server.start();

// Start a separate server for serving the HTML file
const http = require("http");
const htmlServer = http.createServer((req, res) => {
res.writeHead(200, { "Content-Type": "text/html" });
res.end(`
<html>
<head>
<script src="http://localhost:${devServerPort}/main.js"></script>
</head>
<body></body>
</html>
`);
});
htmlServer.listen(htmlServerPort, htmlServerHost);

const { page, browser } = await runBrowser();
try {
const pageErrors = [];

page.on("pageerror", (error) => {
pageErrors.push(error);
});

const scriptTagRequest = page.waitForResponse(
`http://localhost:${devServerPort}/main.js`
);

await page.goto(`http://${htmlServerHost}:${htmlServerPort}`);

const response = await scriptTagRequest;

expect(response.status()).toBe(403);
} catch (error) {
throw error;
} finally {
await browser.close();
await server.stop();
htmlServer.close();
}
});

it("should return 200 for cross-origin cors non-module script tag requests", async () => {
const compiler = webpack(config);
const devServerOptions = {
port: devServerPort,
allowedHosts: "auto",
headers: {
"Access-Control-Allow-Origin": "*",
},
};
const server = new Server(devServerOptions, compiler);

await server.start();

// Start a separate server for serving the HTML file
const http = require("http");
const htmlServer = http.createServer((req, res) => {
res.writeHead(200, { "Content-Type": "text/html" });
res.end(`
<html>
<head>
<script src="http://localhost:${devServerPort}/main.js" crossorigin></script>
</head>
<body></body>
</html>
`);
});
htmlServer.listen(htmlServerPort, htmlServerHost);

const { page, browser } = await runBrowser();
try {
const pageErrors = [];

page.on("pageerror", (error) => {
pageErrors.push(error);
});

const scriptTagRequest = page.waitForResponse(
`http://localhost:${devServerPort}/main.js`
);

await page.goto(`http://${htmlServerHost}:${htmlServerPort}`);

const response = await scriptTagRequest;

expect(response.status()).toBe(200);
} catch (error) {
throw error;
} finally {
await browser.close();
await server.stop();
htmlServer.close();
}
});
});
1 change: 1 addition & 0 deletions test/ports-map.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@ const listOfTests = {
"normalize-option": 1,
"setup-middlewares-option": 1,
"options-request-response": 2,
"cross-origin-request": 2,
};

let startPort = 8089;
Expand Down