Update dependency astro to v4.16.18 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
astro (source)	4.16.3 -> 4.16.18

GitHub Vulnerability Alerts

CVE-2024-56140

Summary

A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.

Details

When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)

For example, with the following Astro configuration:

// astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';

export default defineConfig({
	output: 'server',
	security: { checkOrigin: true },
	adapter: node({ mode: 'standalone' }),
});

A request like the following would be blocked if made from a different origin:

// fetch API or <form action="https://test.example.com/" method="POST">
fetch('https://test.example.com/', {
	method: 'POST',
	credentials: 'include',
	body: 'a=b',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
});
// => Cross-site POST form submissions are forbidden

However, a vulnerability exists that can bypass this security.

Pattern 1: Requests with a semicolon after the Content-Type

A semicolon-delimited parameter is allowed after the type in Content-Type.

Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.

fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: 'test',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded; abc' },
});
// => Server-side functions are executed (Response Code 200).

Pattern 2: Request without Content-Type header

The Content-Type header is not required for a request. The following examples are sent without a Content-Type header, resulting in CSRF.

// Pattern 2.1 Request without body
fetch('http://test.example.com', { method: 'POST', credentials: 'include' });

// Pattern 2.2 Blob object without type
fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: new Blob(['a=b'], {}),
});

Impact

Bypass CSRF protection implemented with CSRF middleware.

Note

Even with credentials: 'include', browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.

CVE-2024-56159

Summary

A bug in the build process allows any unauthenticated user to read parts of the server source code.

Details

During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder.
https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139

Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website.

While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in src/pages) are predictably named. For example. the sourcemap file for src/pages/index.astro gets named dist/client/pages/index.astro.mjs.map.

PoC

Here is one example of an affected open-source website:
https://creatorsgarten.org/pages/index.astro.mjs.map

The file can be saved and opened using https://evanw.github.io/source-map-visualization/ to reconstruct the source code.

The above accurately mirrors the source code as seen in the repository: https://github.com/creatorsgarten/creatorsgarten.org/blob/main/src/pages/index.astro

The above was found as the 4th result (and the first one on Astro 5.0+) when making the following search query on GitHub.com (search results link):

path:astro.config.mjs @​sentry/astro

This vulnerability is the root cause of https://github.com/withastro/astro/issues/12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the dist/client (referred to as config.build.client in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains .map files corresponding to the code that runs on the server.

Impact

All server-output (SSR) projects on Astro 5 versions v5.0.3 through v5.0.6 (inclusive), that have sourcemaps enabled, either directly or through an add-on such as sentry, are affected. The fix for server-output projects was released in [email protected].

Additionally, all static-output (SSG) projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.7 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in [email protected], and backported to Astro v4 in [email protected].

The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code.

There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code .

There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability.

• Network attack vector.
• Low attack complexity.
• No privileges required.
• No interaction required from an authorized user.
• Scope is limited to first party. Although the source code of closed-source third-party software may also be exposed.

Remediation

The fix for server-output projects was released in [email protected], and the fix for static-output projects was released in [email protected] and backported to Astro v4 in [email protected]. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.

---

Release Notes

withastro/astro (astro)

v4.16.18

Compare Source

Patch Changes

• #​12757 d0aaac3 Thanks @​matthewp! - Remove all assets created from the server build

• #​12757 d0aaac3 Thanks @​matthewp! - Clean server sourcemaps from static output

v4.16.17

Compare Source

Patch Changes

• #​12632 e7d14c3 Thanks @​ematipico! - Fixes an issue where the checkOrigin feature wasn't correctly checking the content-type header

v4.16.16

Compare Source

Patch Changes

• #​12542 65e50eb Thanks @​kadykov! - Fix JPEG image size determination

• #​12525 cf0d8b0 Thanks @​ematipico! - Fixes an issue where with i18n enabled, Astro couldn't render the 404.astro component for non-existent routes.

v4.16.15

Compare Source

Patch Changes

• #​12498 b140a3f Thanks @​ematipico! - Fixes a regression where Astro was trying to access Request.headers

v4.16.14

Compare Source

Patch Changes

• #​12480 c3b7e7c Thanks @​matthewp! - Removes the default throw behavior in astro:env

• #​12444 28dd3ce Thanks @​ematipico! - Fixes an issue where a server island hydration script might fail case the island ID misses from the DOM.

• #​12476 80a9a52 Thanks @​florian-lefebvre! - Fixes a case where the Content Layer glob() loader would not update when renaming or deleting an entry

• #​12418 25baa4e Thanks @​oliverlynch! - Fix cached image redownloading if it is the first asset

• #​12477 46f6b38 Thanks @​ematipico! - Fixes an issue where the SSR build was emitting the dist/server/entry.mjs file with an incorrect import at the top of the file/

• #​12365 a23985b Thanks @​apatel369! - Fixes an issue where Astro.currentLocale was not correctly returning the locale for 404 and 500 pages.

v4.16.13

Compare Source

Patch Changes

• #​12436 453ec6b Thanks @​martrapp! - Fixes a potential null access in the clientside router

• #​12392 0462219 Thanks @​apatel369! - Fixes an issue where scripts were not correctly injected during the build. The issue was triggered when there were injected routes with the same entrypoint and different pattern

v4.16.12

Compare Source

Patch Changes

• #​12420 acac0af Thanks @​ematipico! - Fixes an issue where the dev server returns a 404 status code when a user middleware returns a valid Response.

v4.16.11

Compare Source

Patch Changes

• #​12305 f5f7109 Thanks @​florian-lefebvre! - Fixes a case where the error overlay would not escape the message

• #​12402 823e73b Thanks @​ematipico! - Fixes a case where Astro allowed to call an action without using Astro.callAction. This is now invalid, and Astro will show a proper error.

v4.16.10

Compare Source

Patch Changes

• #​12311 bf2723e Thanks @​dinesh-58! - Adds checked to the list of boolean attributes.

• #​12363 222f718 Thanks @​Fryuni! - Fixes code generated by astro add command when adding a version of an integration other than the default latest.

• #​12368 493fe43 Thanks @​bluwy! - Improves error logs when executing commands

• #​12355 c4726d7 Thanks @​apatel369! - Improves error reporting for invalid frontmatter in MDX files during the astro build command. The error message now includes the file path where the frontmatter parsing failed.

v4.16.9

Compare Source

Patch Changes

• #​12333 836cd91 Thanks @​imattacus! - Destroy the server response stream if async error is thrown

• #​12358 7680349 Thanks @​spacedawwwg! - Honors inlineAstroConfig parameter in getViteConfig when creating a logger

• #​12353 35795a1 Thanks @​hippotastic! - Fixes an issue in dev server watch file handling that could cause multiple restarts for a single file change.

• #​12351 5751488 Thanks @​florian-lefebvre! - Reverts a change made in 4.16.6 that prevented usage of astro:env secrets inside middleware in SSR

• #​12346 20e5a84 Thanks @​bluwy! - Fixes sourcemap generation when prefetch is enabled

• #​12349 1fc83d3 Thanks @​norskeld! - Fixes the getImage options type so it properly extends ImageTransform

v4.16.8

Compare Source

Patch Changes

• #​12338 9ca89b3 Thanks @​situ2001! - Resets NODE_ENV to ensure install command run in dev mode

• #​12286 9d6bcdb Thanks @​florian-lefebvre! - Fixes a case where a warning for experimental astro:env support would be shown when using an adapter but not actually using astro:env

• #​12342 ffc836b Thanks @​liruifengv! - Fixes a typo in the command name of the CLI

• #​12301 0cfc69d Thanks @​apatel369! - Fixes an issue with action handler context by passing the correct context (ActionAPIContext).

• #​12312 5642ef9 Thanks @​koyopro! - Fixes an issue where using getViteConfig() returns incorrect and duplicate configuration

• #​12245 1d4f6a4 Thanks @​bmenant! - Add components property to MDXInstance type definition (RenderResult and module import)

• #​12340 94eaeea Thanks @​ematipico! - Fixes an issue where Astro actions didn't work when base was different from /

v4.16.7

Compare Source

Patch Changes

• #​12263 e9e8080 Thanks @​Fryuni! - Fixes conflict between server islands and on-demand dynamic routes in the form of /[...rest] or /[paramA]/[paramB].

• #​12279 b781f88 Thanks @​jsparkdev! - Update wrong error message

• #​12273 c2ee963 Thanks @​ascorbic! - Fixes an issue with some package managers where sites would not build if TypeScript was not installed.

• #​12235 a75bc5e Thanks @​ematipico! - Fixes a bug where Astro Actions couldn't redirect to the correct pathname when there was a rewrite involved.

• #​11839 ff522b9 Thanks @​icaliman! - Fixes error when returning a top-level null from an Astro file frontmatter

• #​12272 388d237 Thanks @​ascorbic! - Correctly handles local images when using a base path in SSR

v4.16.6

Compare Source

Patch Changes

• #​11823 a3d30a6 Thanks @​DerTimonius! - fix: improve error message when inferSize is used in local images with the Image component

• #​12227 8b1a641 Thanks @​florian-lefebvre! - Fixes a case where environment variables would not be refreshed when using astro:env

• #​12239 2b6daa5 Thanks @​ematipico! - BREAKING CHANGE to the experimental Container API only

  Changes the default page rendering behavior of Astro components in containers, and adds a new option partial: false to render full Astro pages as before.

  Previously, the Container API was rendering all Astro components as if they were full Astro pages containing <!DOCTYPE html> by default. This was not intended, and now by default, all components will render as page partials: only the contents of the components without a page shell.

  To render the component as a full-fledged Astro page, pass a new option called partial: false to renderToString() and renderToResponse():

  import { experimental_AstroContainer as AstroContainer } from 'astro/container';
  import Card from '../src/components/Card.astro';
  
  const container = AstroContainer.create();
  
  await container.renderToString(Card); // the string will not contain `<!DOCTYPE html>`
  await container.renderToString(Card, { partial: false }); // the string will contain `<!DOCTYPE html>`

v4.16.5

Compare Source

Patch Changes

• #​12232 ff68ba5 Thanks @​martrapp! - Fixes an issue with cssesc in dev mode when setting vite.ssr.noExternal: true

v4.16.4

Compare Source

Patch Changes

• #​12223 79ffa5d Thanks @​ArmandPhilippot! - Fixes a false positive reported by the dev toolbar Audit app where a label was considered missing when associated with a button

  The button element can be used with a label (e.g. to create a switch) and should not be reported as an accessibility issue when used as a child of a label.

• #​12199 c351352 Thanks @​ematipico! - Fixes a regression in the computation of Astro.currentLocale

• #​12222 fb55695 Thanks @​ematipico! - Fixes an issue where the edge middleware couldn't correctly compute the client IP address when calling ctx.clientAddress()

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.