fix(deps): update dependency astro to v4.16.17 [security] #3185
+238
−384
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.16.11
->4.16.17
GitHub Vulnerability Alerts
CVE-2024-56140
Summary
A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.
Details
When the
security.checkOrigin
configuration option is set totrue
, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)For example, with the following Astro configuration:
A request like the following would be blocked if made from a different origin:
However, a vulnerability exists that can bypass this security.
Pattern 1: Requests with a semicolon after the
Content-Type
A semicolon-delimited parameter is allowed after the type in
Content-Type
.Web browsers will treat a
Content-Type
such asapplication/x-www-form-urlencoded; abc
as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.Pattern 2: Request without
Content-Type
headerThe
Content-Type
header is not required for a request. The following examples are sent without aContent-Type
header, resulting in CSRF.Impact
Bypass CSRF protection implemented with CSRF middleware.
Note
Even with
credentials: 'include'
, browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.Release Notes
withastro/astro (astro)
v4.16.17
Compare Source
Patch Changes
e7d14c3
Thanks @ematipico! - Fixes an issue where thecheckOrigin
feature wasn't correctly checking thecontent-type
headerv4.16.16
Compare Source
Patch Changes
#12542
65e50eb
Thanks @kadykov! - Fix JPEG image size determination#12525
cf0d8b0
Thanks @ematipico! - Fixes an issue where withi18n
enabled, Astro couldn't render the404.astro
component for non-existent routes.v4.16.15
Compare Source
Patch Changes
b140a3f
Thanks @ematipico! - Fixes a regression where Astro was trying to accessRequest.headers
v4.16.14
Compare Source
Patch Changes
#12480
c3b7e7c
Thanks @matthewp! - Removes the default throw behavior inastro:env
#12444
28dd3ce
Thanks @ematipico! - Fixes an issue where a server island hydration script might fail case the island ID misses from the DOM.#12476
80a9a52
Thanks @florian-lefebvre! - Fixes a case where the Content Layerglob()
loader would not update when renaming or deleting an entry#12418
25baa4e
Thanks @oliverlynch! - Fix cached image redownloading if it is the first asset#12477
46f6b38
Thanks @ematipico! - Fixes an issue where the SSR build was emitting thedist/server/entry.mjs
file with an incorrect import at the top of the file/#12365
a23985b
Thanks @apatel369! - Fixes an issue whereAstro.currentLocale
was not correctly returning the locale for 404 and 500 pages.v4.16.13
Compare Source
Patch Changes
#12436
453ec6b
Thanks @martrapp! - Fixes a potential null access in the clientside router#12392
0462219
Thanks @apatel369! - Fixes an issue where scripts were not correctly injected during the build. The issue was triggered when there were injected routes with the sameentrypoint
and differentpattern
v4.16.12
Compare Source
Patch Changes
acac0af
Thanks @ematipico! - Fixes an issue where the dev server returns a 404 status code when a user middleware returns a validResponse
.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.