The @storybook/addon-essentials package provides a curated set of essential Storybook addons designed to enhance the development and testing workflow for UI components. Comparing versions 7.0.5 and 7.0.4, the core functionality remains largely the same, with the primary difference being updates to the internal dependencies. Both versions include addons like @storybook/addon-docs for documenting components, @storybook/addon-actions for logging interactions, @storybook/addon-controls for live editing props, and more. These addons streamline common tasks, offering features such as measuring component dimensions, outlining elements for visual debugging, and controlling viewport sizes for responsive design testing. The peer dependencies specifying compatible React and ReactDOM versions also remain consistent, ensuring compatibility across a range of React projects. Developers upgrading from 7.0.4 to 7.0.5 should primarily anticipate internal improvements and bug fixes associated with the version bumps of its dependent @storybook packages, resulting in potential performance enhancements or subtle refinements to existing addon features. Specifically, all Storybook dependencies within addon-essentials are updated to 7.0.5, suggesting a focus on maintaining consistency and leveraging the latest enhancements across the Storybook ecosystem. This makes @storybook/addon-essentials a versatile toolkit for building and showcasing robust UIs via Storybook, and an upgrade to the latest version ensures you benefit from ongoing improvements.
All vulnerabilities related to version 7.0.5 of the package
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any website to send any request to the development server and read the response due to default CORS settings.
esbuild sets the Access-Control-Allow-Origin: * header on the responses to all requests, including the SSE connection, which allows any website to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
- A malicious web page is hosted at http://malicious.example.com.
- A fetch('http://127.0.0.1:8000/main.js') request is sent by JS in that malicious web page. This request is normally blocked by the same-origin policy, but that's not the case for the reasons above.
- The response for http://127.0.0.1:8000/main.js can then be read from that page.

In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by:
- /index.html: normally you have a script tag here
- /assets: it's common to have an assets directory when you have JS files and CSS files in a different directory, and the directory listing feature tells the attacker the list of files
- the /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))

The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
Proof of concept:
1. Run npm i
2. Run npm run watch
3. Run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.

Impact: Users using the serve feature may get the source code stolen by malicious websites.
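As an added defender's illustration, not esbuild's own code, the Go snippet below puts the wildcard header behaviour described in this advisory next to an origin allow-list on a stand-in dev-server handler; the trusted origin, the bundle content and the handler names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// permissiveCORS mirrors the weak default described above: a wildcard
// Access-Control-Allow-Origin on every response, readable from any origin.
func permissiveCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS reflects the Origin only when it is explicitly trusted; any
// other origin gets no header, so the browser refuses the cross-origin read.
func allowlistCORS(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); allowed[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin") // caches must key on Origin
		}
		next.ServeHTTP(w, r)
	})
}

// bundle is a constructed stand-in for the dev server serving a built file.
var bundle = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "console.log('app bundle');")
})

// acaoFor sends GET /main.js with the given Origin to h and returns the
// Access-Control-Allow-Origin value a browser would see ("" = none, blocked).
func acaoFor(h http.Handler, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "http://127.0.0.1:8000/main.js", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	trusted := map[string]bool{"http://localhost:3000": true} // assumed trusted origin
	for _, o := range []string{"http://localhost:3000", "http://malicious.example.com"} {
		fmt.Printf("%s: wildcard=%q allowlist=%q\n", o, acaoFor(permissiveCORS(bundle), o), acaoFor(allowlistCORS(trusted, bundle), o))
	}
}
```

The same wrapper has to cover the SSE endpoint as well, since the advisory notes that the wildcard header is also sent on that connection.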