chore(deps): update dependency rollup to v2.79.2 [security] (master) #1368
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.79.1
->2.79.2
GitHub Vulnerability Alerts
CVE-2024-47068
Summary
We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use
import.meta.url
or with plugins that emit and reference asset files from code incjs
/umd
/iife
format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animg
tag with an unsanitizedname
attribute) are present.It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadget found in
rollup
We have identified a DOM Clobbering vulnerability in
rollup
bundled scripts, particularly when the scripts usesimport.meta
and set output in format ofcjs
/umd
/iife
. In such cases,rollup
replaces meta property with the URL retrieved fromdocument.currentScript
.https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
However, this implementation is vulnerable to a DOM Clobbering attack. The
document.currentScript
lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, thesrc
attribute of the attacker-controlled element (e.g., animg
tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.PoC
Considering a website that contains the following
main.js
script, the devloper decides to use therollup
to bundle up the program:rollup main.js --format cjs --file bundle.js
.The output
bundle.js
is shown in the following code snippet.Adding the
rollup
bundled script,bundle.js
, as part of the web page source code, the page could load theextra.js
file from the attacker's domain,attacker.controlled.server
due to the introduced gadget during bundling. The attacker only needs to insert animg
tag with the name attribute set tocurrentScript
. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of
cjs
,iife
, orumd
and useimport.meta
) and allow users to inject certain scriptless HTML tags without properly sanitizing thename
orid
attributes.Patch
Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
CVE-2024-47068 / GHSA-gcx4-mw62-g8wm
More information
Details
Summary
We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use
import.meta.url
or with plugins that emit and reference asset files from code incjs
/umd
/iife
format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animg
tag with an unsanitizedname
attribute) are present.It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadget found in
rollup
We have identified a DOM Clobbering vulnerability in
rollup
bundled scripts, particularly when the scripts usesimport.meta
and set output in format ofcjs
/umd
/iife
. In such cases,rollup
replaces meta property with the URL retrieved fromdocument.currentScript
.https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
However, this implementation is vulnerable to a DOM Clobbering attack. The
document.currentScript
lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, thesrc
attribute of the attacker-controlled element (e.g., animg
tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.PoC
Considering a website that contains the following
main.js
script, the devloper decides to use therollup
to bundle up the program:rollup main.js --format cjs --file bundle.js
.The output
bundle.js
is shown in the following code snippet.Adding the
rollup
bundled script,bundle.js
, as part of the web page source code, the page could load theextra.js
file from the attacker's domain,attacker.controlled.server
due to the introduced gadget during bundling. The attacker only needs to insert animg
tag with the name attribute set tocurrentScript
. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of
cjs
,iife
, orumd
and useimport.meta
) and allow users to inject certain scriptless HTML tags without properly sanitizing thename
orid
attributes.Patch
Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
rollup/rollup (rollup)
v2.79.2
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.