Headline
CVE-2023-34238: fix(gatsby): don't serve codeframes for files outside of compilation … · gatsbyjs/gatsby@fc22f4b
Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop). Any file in scope of the development server could potentially be exposed. It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable. A patch has been introduced in [email protected] and [email protected] which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.
@@ -1,7 +1,7 @@ import webpackHotMiddleware from “@gatsbyjs/webpack-hot-middleware” import webpackDevMiddleware from “webpack-dev-middleware” import got, { Method } from “got” import webpack from “webpack” import webpack, { Compilation } from “webpack” import express from “express” import compression from “compression” import { graphqlHTTP, OptionsData } from “express-graphql” Expand Down Expand Up @@ -55,6 +55,7 @@ import { getPageMode } from “./page-mode” import { configureTrailingSlash } from “./express-middlewares” import type { Express } from “express” import { addImageRoutes } from “gatsby-plugin-utils/polyfill-remote-file” import { isFileInsideCompilations } from “./webpack/utils/is-file-inside-compilations”
type ActivityTracker = any // TODO: Replace this with proper type once reporter is typed
Expand Down Expand Up @@ -502,7 +503,24 @@ export async function startServer( return }
const sourceContent = await fs.readFile(filePath, `utf-8`) const absolutePath = path.resolve( store.getState().program.directory, filePath )
const compilation: Compilation = res.locals?.webpack?.devMiddleware?.stats?.compilation if (!compilation) { res.json(emptyResponse) return }
if (!isFileInsideCompilations(absolutePath, compilation)) { res.json(emptyResponse) return }
const sourceContent = await fs.readFile(absolutePath, `utf-8`)
const codeFrame = codeFrameColumns( sourceContent, Expand Down
Related news
### Impact The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). The following steps can be used to reproduce the vulnerability: ``` # Create a new Gatsby project $ npm init gatsby $ cd my-gatsby-site # Start the Gatsby develop server $ gatsby develop # Execute the Local File Inclusion vulnerability in __file-code-frame $ curl "http://127.0.0.1:8000/__file-code-frame?filePath=/etc/passwd&lineNumber=1" # Execute the Local File Inclusion vulnerability in __original-stack-frame $ curl "http://127.0.0.1:8000/__original-stack-frame?moduleId=/etc/hosts&lineNumber=1&skipSourceMap=1" ``` It should be noted that by default `gatsby develop` is only accessible via the localhost `127.0.0.1`, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options...