Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix security vulnerability #1794

Merged
merged 2 commits into from
Sep 25, 2018
Merged

Fix security vulnerability #1794

merged 2 commits into from
Sep 25, 2018

Conversation

DeMoorJasper
Copy link
Member

@DeMoorJasper DeMoorJasper commented Jul 25, 2018
edited
Loading

After having a short discussion with @chromium1337 we found a fix for the security vulnerability #1783

The vulnerability mainly had to do with people being able to steal your code as the origin of requests wasn't checked by websocket server.

However the CORS header in the static server comes down to the same vulnerability and as there is no general hostname flag, we can't really secure that server.

Unless we would agree, that both these hostnames would always be the same and deprecate --hmr-hostname and create a --hostname flag instead that adds a cors limitation to both the static and websocket server. This way allowing parcel to be run on a server without having to worry about any security risks (related to CORS).

Fixes #1783

fathyb
fathyb approved these changes Jul 25, 2018
View reviewed changes
Copy link
Contributor

@fathyb fathyb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, did someone check if this effectively fixes the issue, e.g. using a POC?

@DeMoorJasper
Copy link
Member Author

@chromium1337 Wrote a page about it explaining why it's an issue and origin would fix this. I'll DM you the page

@DeMoorJasper DeMoorJasper changed the title fix security vuln Fix security vulnerability Aug 11, 2018
@devongovett devongovett merged commit 92b5c08 into master Sep 25, 2018
@devongovett devongovett deleted the security-fix branch September 25, 2018 03:49
devongovett pushed a commit that referenced this pull request Oct 15, 2018
@DeMoorJasper @devongovett
fix security vuln (#1794)
fed12bc
devongovett pushed a commit that referenced this pull request Oct 15, 2018
@DeMoorJasper @devongovett
fix security vuln (#1794)
066e0bf
carlosgeos pushed a commit to carlosgeos/parcel that referenced this pull request Jan 1, 2019
fixes parcel-bundler#1794, makes the websocket server validate the or…
8231917 
…igin
carlosgeos pushed a commit to carlosgeos/parcel that referenced this pull request Jan 2, 2019
adapt some tests for commit fixing parcel-bundler#1794
c1d187e 
tests use the ws library to establish a websocket connection, and they
have an undefined origin by default. This is changed

tests have no defined hmrHostname so it was set too.
@carlosgeos carlosgeos mentioned this pull request Jan 2, 2019
Closed
3 tasks
@micksatana micksatana mentioned this pull request Feb 3, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fathyb fathyb fathyb approved these changes

@devongovett devongovett devongovett approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

A vulnerability found in parcel-bundler
3 participants
@DeMoorJasper @devongovett @fathyb