@storybook/react sees a bump from version 7.0.27 to 7.1.0, introducing several noteworthy changes for React Storybook users. A key difference lies in dependency updates: @storybook/types, @storybook/docs-tools, @storybook/core-client, @storybook/preview-api, and @storybook/client-logger are all updated from 7.0.27 to 7.1.0, keeping them aligned with the core Storybook ecosystem. The type-fest dependency also receives an update, moving from version 2.19.0 to 3.11.0, potentially bringing in new utility types that could be beneficial for developers extending Storybook.
On the development dependency side, @babel/core is upgraded from ^7.20.2 to ^7.22.0, expect-type moves from 0.14.2 to 0.15.0, and jest-specific-snapshot from 7.0.0 to 8.0.0. Version 7.1.0 also adds a direct dependency on @storybook/react-dom-shim at version 7.1.0, which did not exist in the previous version. These updates likely incorporate bug fixes, performance improvements, and new features for a smoother development experience when working with Storybook. Notably, the explicit typescript dev dependency present in 7.0.27 is absent in 7.1.0, suggesting that it is managed differently or assumed to be provided by the consuming project. Developers should evaluate these dependency changes for compatibility within their projects before taking advantage of the latest enhancements in the Storybook ecosystem.
All vulnerabilities related to version 7.1.0 of the package:
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any website to send any request to the development server and read the response due to its default CORS settings.
esbuild sets the Access-Control-Allow-Origin: * header on all responses, including the SSE connection, which allows any website to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
1. The victim visits a malicious web page (http://malicious.example.com).
2. JS in that malicious web page sends a fetch('http://127.0.0.1:8000/main.js') request. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
3. The attacker gets the content of http://127.0.0.1:8000/main.js.
In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by:
- fetching /index.html: normally you have a script tag here
- fetching /assets: it's common to have an assets directory when you have JS files and CSS files in a different directory, and the directory listing feature tells the attacker the list of files
- connecting to the /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when a file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))
The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
Proof of concept:
1. Run npm i
2. Run npm run watch
3. Run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.
Impact: Users using the serve feature may get their source code stolen by malicious websites.