Merge pull request #656 from ably/web-4211-vuln-fix

[WEB-4211] esbuild/dompurify vuln fixes
ably · Feb 25, 2025 · 39118b1 · 39118b1
2 parents a401b2b + acecf71
commit 39118b1
Show file tree

Hide file tree

Showing 3 changed files with 353 additions and 321 deletions.
diff --git a/package.json b/package.json
@@ -19,14 +19,14 @@
     "workerDirectory": "./public"
   },
   "devDependencies": {
-    "@storybook/addon-a11y": "^8.5.6",
-    "@storybook/addon-essentials": "^8.5.6",
-    "@storybook/addon-interactions": "^8.5.6",
-    "@storybook/addon-links": "^8.5.6",
-    "@storybook/blocks": "^8.5.6",
-    "@storybook/react-vite": "^8.5.6",
-    "@storybook/test": "^8.5.6",
-    "@storybook/test-runner": "^0.21.1",
+    "@storybook/addon-a11y": "^8.6.0",
+    "@storybook/addon-essentials": "^8.6.0",
+    "@storybook/addon-interactions": "^8.6.0",
+    "@storybook/addon-links": "^8.6.0",
+    "@storybook/blocks": "^8.6.0",
+    "@storybook/react-vite": "^8.6.0",
+    "@storybook/test": "^8.6.0",
+    "@storybook/test-runner": "^0.21.3",
     "@swc/cli": "^0.6.0",
     "@swc/core": "^1.4.11",
     "@tailwindcss/container-queries": "^0.1.1",
@@ -53,13 +53,13 @@
     "posthog-js": "^1.217.4",
     "prettier": "^3.2.5",
     "react-syntax-highlighter": "^15.6.1",
-    "storybook": "^8.5.6",
+    "storybook": "^8.6.0",
     "storybook-dark-mode": "^4.0.2",
     "svg-sprite": "^2.0.4",
     "tailwindcss": "^3.3.6",
     "ts-node": "^10.9.2",
     "typescript": "5.7.3",
-    "vite": "^6.0.0"
+    "vite": "^6.2.0"
   },
   "scripts": {
     "build:prebuild": "rm -rf core reset && mkdir -p dist/core",
@@ -89,7 +89,7 @@
     "addsearch-js-client": "^1.0.2",
     "array-flat-polyfill": "^1.0.1",
     "clsx": "^2.1.1",
-    "dompurify": "^3.1.4",
+    "dompurify": "^3.2.4",
     "highlight.js": "^11.9.0",
     "highlightjs-curl": "^1.3.0",
     "js-cookie": "^3.0.5",

diff --git a/public/mockServiceWorker.js b/public/mockServiceWorker.js
@@ -8,8 +8,8 @@
  * - Please do NOT serve this file on production.
  */
 
-const PACKAGE_VERSION = '2.6.1'
-const INTEGRITY_CHECKSUM = '07a8241b182f8a246a7cd39894799a9e'
+const PACKAGE_VERSION = '2.7.1'
+const INTEGRITY_CHECKSUM = '00729d72e3b82faf54ca8b9621dbb96f'
 const IS_MOCKED_RESPONSE = Symbol('isMockedResponse')
 const activeClientIds = new Set()
 
@@ -192,12 +192,26 @@ async function getResponse(event, client, requestId) {
   const requestClone = request.clone()
 
   function passthrough() {
-    const headers = Object.fromEntries(requestClone.headers.entries())
+    // Cast the request headers to a new Headers instance
+    // so the headers can be manipulated with.
+    const headers = new Headers(requestClone.headers)
+
+    // Remove the "accept" header value that marked this request as passthrough.
+    // This prevents request alteration and also keeps it compliant with the
+    // user-defined CORS policies.
+    const acceptHeader = headers.get('accept')
+    if (acceptHeader) {
+      const values = acceptHeader.split(',').map((value) => value.trim())
+      const filteredValues = values.filter(
+        (value) => value !== 'msw/passthrough',
+      )
 
-    // Remove internal MSW request header so the passthrough request
-    // complies with any potential CORS preflight checks on the server.
-    // Some servers forbid unknown request headers.
-    delete headers['x-msw-intention']
+      if (filteredValues.length > 0) {
+        headers.set('accept', filteredValues.join(', '))
+      } else {
+        headers.delete('accept')
+      }
+    }
 
     return fetch(requestClone, { headers })
   }