fix(validator): Allow form data will mutliple values appended #3273
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nicksrandall
force-pushed
the
main
branch
3 times, most recently
from
434f13e
to
c622964
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3273 +/- ##
=======================================
Coverage 96.20% 96.20%
=======================================
Files 151 151
Lines 15293 15293
Branches 2639 2628 -11
=======================================
Hits 14713 14713
Misses 580 580 ☔ View full report in Codecov by Sentry. |
yusukebe
reviewed
Aug 15, 2024
|
Thanks! It's a good fix. I'll merge this now. |
adamnolte
referenced
this pull request
in autoblocksai/cli
Aug 22, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [hono](https://hono.dev/) ([source](https://github.com/honojs/hono)) | [`4.5.5` -> `4.5.8`](https://renovatebot.com/diffs/npm/hono/4.5.5/4.5.8) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-43787](https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5) ### Summary Hono CSRF middleware can be bypassed using crafted Content-Type header. ### Details MIME types are case insensitive, but `isRequestedByFormElementRe` only matches lower-case. https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17 As a result, attacker can bypass csrf middleware using upper-case form-like MIME type, such as "Application/x-www-form-urlencoded". ### PoC ```html <html> <head> <title>CSRF Test</title> <script defer> document.addEventListener("DOMContentLoaded", () => { document.getElementById("btn").addEventListener("click", async () => { const res = await fetch("http://victim.example.com/test", { method: "POST", credentials: "include", headers: { "Content-Type": "Application/x-www-form-urlencoded", }, }); }); }); </script> </head> <body> <h1>CSRF Test</h1> <button id="btn">Click me!</button> </body> </html> ``` ### Impact Bypass csrf protection implemented with hono csrf middleware. ### Discussion I'm not sure that omitting csrf checks for Simple POST request is a good idea. CSRF prevention and CORS are different concepts even though CORS can prevent CSRF in some cases. --- ### Release Notes <details> <summary>honojs/hono (hono)</summary> ### [`v4.5.8`](https://github.com/honojs/hono/releases/tag/v4.5.8) [Compare Source](https://github.com/honojs/hono/compare/v4.5.7...v4.5.8) ##### Security Fix for CSRF Protection Middleware Before this release, in versions 4.5.7 and below, the CSRF Protection Middleware did not treat requests including `Content-Types` with uppercase letters (e.g., `Application/x-www-form-urlencoded`) as potential attacks, allowing them to pass. This could cause unexpected behavior, leading to a vulnerability. If you are using the CSRF Protection Middleware, please upgrade to version 4.5.8 or higher immediately. For more details, see the report here: GHSA-rpfr-3m35-5vx5 ### [`v4.5.7`](https://github.com/honojs/hono/releases/tag/v4.5.7) [Compare Source](https://github.com/honojs/hono/compare/v4.5.6...v4.5.7) #### What's Changed - fix(jsx/dom): Fixed a bug that caused Script elements to turn into Style elements. by [@​usualoma](https://github.com/usualoma) in [https://github.com/honojs/hono/pull/3294](https://github.com/honojs/hono/pull/3294) - perf(jsx/dom): improve performance by [@​usualoma](https://github.com/usualoma) in [https://github.com/honojs/hono/pull/3288](https://github.com/honojs/hono/pull/3288) - feat(jsx): improve a-tag types with well known values by [@​ssssota](https://github.com/ssssota) in [https://github.com/honojs/hono/pull/3287](https://github.com/honojs/hono/pull/3287) - fix(validator): Fixed a bug in hono/validator where URL Encoded Data could not be validated if the Content-Type included charset. by [@​uttk](https://github.com/uttk) in [https://github.com/honojs/hono/pull/3297](https://github.com/honojs/hono/pull/3297) - feat(jsx): improve `target` and `formtarget` attribute types by [@​ssssota](https://github.com/ssssota) in [https://github.com/honojs/hono/pull/3299](https://github.com/honojs/hono/pull/3299) - docs(README): change Twitter to X by [@​nakasyou](https://github.com/nakasyou) in [https://github.com/honojs/hono/pull/3301](https://github.com/honojs/hono/pull/3301) - fix(client): replace optional params to url correctly by [@​yusukebe](https://github.com/yusukebe) in [https://github.com/honojs/hono/pull/3304](https://github.com/honojs/hono/pull/3304) - feat(jsx): improve input attribute types based on react by [@​ssssota](https://github.com/ssssota) in [https://github.com/honojs/hono/pull/3302](https://github.com/honojs/hono/pull/3302) #### New Contributors - [@​uttk](https://github.com/uttk) made their first contribution in [https://github.com/honojs/hono/pull/3297](https://github.com/honojs/hono/pull/3297) **Full Changelog**: honojs/hono@v4.5.6...v4.5.7 ### [`v4.5.6`](https://github.com/honojs/hono/releases/tag/v4.5.6) [Compare Source](https://github.com/honojs/hono/compare/v4.5.5...v4.5.6) #### What's Changed - fix(jsx): handle async component error explicitly and throw the error in the response by [@​usualoma](https://github.com/usualoma) in [https://github.com/honojs/hono/pull/3274](https://github.com/honojs/hono/pull/3274) - fix(validator): support multipart headers without a separating space by [@​Ernxst](https://github.com/Ernxst) in [https://github.com/honojs/hono/pull/3286](https://github.com/honojs/hono/pull/3286) - fix(validator): Allow form data will mutliple values appended by [@​nicksrandall](https://github.com/nicksrandall) in [https://github.com/honojs/hono/pull/3273](https://github.com/honojs/hono/pull/3273) - feat(jsx): improve meta-tag types with well known values by [@​ssssota](https://github.com/ssssota) in [https://github.com/honojs/hono/pull/3276](https://github.com/honojs/hono/pull/3276) #### New Contributors - [@​Ernxst](https://github.com/Ernxst) made their first contribution in [https://github.com/honojs/hono/pull/3286](https://github.com/honojs/hono/pull/3286) - [@​ssssota](https://github.com/ssssota) made their first contribution in [https://github.com/honojs/hono/pull/3276](https://github.com/honojs/hono/pull/3276) **Full Changelog**: honojs/hono@v4.5.5...v4.5.6 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone America/Chicago, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/autoblocksai/cli). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4yNi4xIiwidXBkYXRlZEluVmVyIjoiMzguMjYuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
This was referenced Sep 17, 2024
This was referenced Sep 18, 2024
1 task
This was referenced Oct 17, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The author should do the following, if applicable
bun run format:fix && bun run lint:fixto format the code