GHSA-f6gv-hh8j-q8vq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f6gv-hh8j-q8vq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-f6gv-hh8j-q8vq/GHSA-f6gv-hh8j-q8vq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f6gv-hh8j-q8vq
- Aliases
- Published
- 2023-12-15T02:45:54Z
- Modified
- 2023-12-15T03:11:28.318172Z
- Severity
-
- 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- Named path parameters can be overridden in TrieRouter
- Details
-
Impact
The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.
TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.
The code to reproduce it. The server side application:
import { Hono } from 'hono' import { TrieRouter } from 'hono/router/trie-router' const wait = async (ms: number) => { return new Promise((resolve) => { setTimeout(resolve, ms) }) } const app = new Hono({ router: new TrieRouter() }) app.use('*', async (c, next) => { await wait(Math.random() * 200) return next() }) app.get('/modules/:id/versions/:version', async (c) => { const id = c.req.param('id') const version = c.req.param('version') console.log('path', c.req.path) console.log('version', version) return c.json({ id, version, }) }) export default appThe client code which makes requests to the server application:
const examples = [ 'http://localhost:8787/modules/first/versions/first', 'http://localhost:8787/modules/second/versions/second', 'http://localhost:8787/modules/third/versions/third', ] const test = () => { for (const example of examples) { fetch(example) .then((response) => response.json()) .then((data) => { const splitted = example.split('/') const expected = splitted[splitted.length - 1] if (expected !== data.version) { console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`) } }) } } test()The results:
Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/firstPatches
"v3.11.7" includes the change to fix this issue.
Workarounds
Don't use TrieRouter directly.
// DON'T USE TrieRouter import { TrieRouter } from 'hono/router/trie-router' const app = new Hono({ router: new TrieRouter() })References
Router options on the Hono website: https://hono.dev/api/hono#router-option
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2023-12-14T18:15:45Z", "github_reviewed_at": "2023-12-15T02:45:54Z", "cwe_ids": [ "CWE-94" ] }- References
Affected packages
npm / hono
Package
- Name
- hono
- View open source insights on deps.dev
- Purl
- pkg:npm/hono