Skip to content

fix(deps): bump fast-uri to 3.1.2 to address path traversal CVE#1588

Merged
olexii4 merged 2 commits into
mainfrom
CRW-10862
Jun 2, 2026
Merged

fix(deps): bump fast-uri to 3.1.2 to address path traversal CVE#1588
olexii4 merged 2 commits into
mainfrom
CRW-10862

Conversation

@olexii4

@olexii4 olexii4 commented May 27, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

Bumps the transitive dependency fast-uri from 3.1.0 to 3.1.2 to address a path traversal vulnerability.

fast-uri versions <= 3.1.0 decoded percent-encoded path separators (%2F) and dot segments (%2E) before applying dot-segment normalization in its normalize() and equal() functions. This means that an attacker-controlled URI like:

/allowed/%2E%2E/secret

would normalize to /secret, bypassing any path-prefix policy that checked the raw string. Applications that compare or normalize untrusted URLs to enforce access control were affected.

3.1.1 introduced the fix; 3.1.2 is the latest patched release.

A resolution pin "fast-uri": "^3.1.1" is added to the root package.json to force all transitive dependents (e.g. @fastify/ajv-compiler, fast-json-stringify, ajv) to use the patched version.


Screenshot/screencast of this PR

N/A — dependency bump only.

What issues does this PR fix or reference?

fixes https://redhat.atlassian.net/browse/CRW-10862

olexii4 added 2 commits May 27, 2026 16:24
fast-uri <= 3.1.0 decoded percent-encoded path separators before
applying dot-segment removal in normalize() and equal(), allowing
attacker-controlled URIs to bypass path-based policy checks.
Add resolution pin fast-uri@^3.1.1 to force all transitive
dependents to use the patched release (3.1.2).

Fixes: CRW-10862
Signed-off-by: Oleksii Orel <oorel@redhat.com>
Signed-off-by: Oleksii Orel <oorel@redhat.com>
@olexii4 olexii4 requested review from akurinnoy and ibuziuk as code owners May 27, 2026 13:32
@che-bot

che-bot commented May 27, 2026

Copy link
Copy Markdown
Contributor

Click here to review and test in web IDE: Contribute

@github-actions

Copy link
Copy Markdown

Docker image build succeeded: quay.io/eclipse/che-dashboard:pr-1588 (linux/amd64, linux/arm64)

kubectl patch command
kubectl patch -n eclipse-che "checluster/eclipse-che" --type=json -p="[{"op": "replace", "path": "/spec/components/dashboard/deployment", "value": {containers: [{image: "quay.io/eclipse/che-dashboard:pr-1588", name: che-dashboard}]}}]"

@codecov

codecov Bot commented May 27, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.48%. Comparing base (f87012b) to head (ea3165d).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1588      +/-   ##
==========================================
- Coverage   92.49%   92.48%   -0.01%     
==========================================
  Files         563      563              
  Lines       56254    56254              
  Branches     4267     4266       -1     
==========================================
- Hits        52030    52029       -1     
- Misses       4174     4175       +1     
  Partials       50       50              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@olexii4 olexii4 requested a review from svor May 28, 2026 14:05
@openshift-ci

openshift-ci Bot commented May 28, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: olexii4, svor

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@olexii4 olexii4 merged commit 54d1bae into main Jun 2, 2026
19 checks passed
@olexii4 olexii4 deleted the CRW-10862 branch June 2, 2026 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants