From 9280c6b3da7ac29b8ab1d7a5ac282a104179a26d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 22 Aug 2024 17:38:15 +0000
Subject: [PATCH] Update dependency hono to v4.5.8 [SECURITY] (#130)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [hono](https://hono.dev/) ([source](https://togithub.com/honojs/hono))
| [`4.5.5` ->
`4.5.8`](https://renovatebot.com/diffs/npm/hono/4.5.5/4.5.8) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/hono/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/hono/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/hono/4.5.5/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/hono/4.5.5/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-43787](https://togithub.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5)

### Summary

Hono CSRF middleware can be bypassed using crafted Content-Type header.

### Details

MIME types are case insensitive, but `isRequestedByFormElementRe` only
matches lower-case.


https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17

As a result, attacker can bypass csrf middleware using upper-case
form-like MIME type, such as "Application/x-www-form-urlencoded".

### PoC

```html
<html>
  <head>
    <title>CSRF Test</title>
    <script defer>
      document.addEventListener("DOMContentLoaded", () => {
        document.getElementById("btn").addEventListener("click", async () => {
          const res = await fetch("http://victim.example.com/test", {
            method: "POST",
            credentials: "include",
            headers: {
              "Content-Type": "Application/x-www-form-urlencoded",
            },
          });
        });
      });
    </script>
          <style>
          .commit-tease,
          .user-profile-mini-avatar,
          .avatar,
          .vcard-details,
          .signup-prompt-bg {
            display: none !IMPORTANT;
          }
        </style>
         <script>
          document.addEventListener('DOMContentLoaded', function() {
            this.querySelectorAll('a').forEach(anchor => {
              anchor.addEventListener('click', e => {
                e.preventDefault();

                const redact = new URLSearchParams(window.location.search).get('redact');
                const hasExistingParams = anchor.href.includes('?');
                window.location.href = anchor.href + (hasExistingParams ? `&redact=${redact}` : `?redact=${redact}`);
              });
            });
          });
        </script>
 </head>
  <body>
    <h1>CSRF Test</h1>
    <button id="btn">Click me!</button>
  </body>
</html>
```

### Impact

Bypass csrf protection implemented with hono csrf middleware.

### Discussion

I'm not sure that omitting csrf checks for Simple POST request is a good
idea.
CSRF prevention and CORS are different concepts even though CORS can
prevent CSRF in some cases.

---

### Release Notes

<details>
<summary>honojs/hono (hono)</summary>

### [`v4.5.8`](https://togithub.com/honojs/hono/releases/tag/v4.5.8)

[Compare
Source](https://togithub.com/honojs/hono/compare/v4.5.7...v4.5.8)

##### Security Fix for CSRF Protection Middleware

Before this release, in versions 4.5.7 and below, the CSRF Protection
Middleware did not treat requests including `Content-Types` with
uppercase letters (e.g., `Application/x-www-form-urlencoded`) as
potential attacks, allowing them to pass.

This could cause unexpected behavior, leading to a vulnerability. If you
are using the CSRF Protection Middleware, please upgrade to version
4.5.8 or higher immediately.

For more details, see the report here:
https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5

### [`v4.5.7`](https://togithub.com/honojs/hono/releases/tag/v4.5.7)

[Compare
Source](https://togithub.com/honojs/hono/compare/v4.5.6...v4.5.7)

#### What's Changed

- fix(jsx/dom): Fixed a bug that caused Script elements to turn into
Style elements. by [@&#8203;usualoma](https://togithub.com/usualoma) in
[https://github.com/honojs/hono/pull/3294](https://togithub.com/honojs/hono/pull/3294)
- perf(jsx/dom): improve performance by
[@&#8203;usualoma](https://togithub.com/usualoma) in
[https://github.com/honojs/hono/pull/3288](https://togithub.com/honojs/hono/pull/3288)
- feat(jsx): improve a-tag types with well known values by
[@&#8203;ssssota](https://togithub.com/ssssota) in
[https://github.com/honojs/hono/pull/3287](https://togithub.com/honojs/hono/pull/3287)
- fix(validator): Fixed a bug in hono/validator where URL Encoded Data
could not be validated if the Content-Type included charset. by
[@&#8203;uttk](https://togithub.com/uttk) in
[https://github.com/honojs/hono/pull/3297](https://togithub.com/honojs/hono/pull/3297)
- feat(jsx): improve `target` and `formtarget` attribute types by
[@&#8203;ssssota](https://togithub.com/ssssota) in
[https://github.com/honojs/hono/pull/3299](https://togithub.com/honojs/hono/pull/3299)
- docs(README): change Twitter to X by
[@&#8203;nakasyou](https://togithub.com/nakasyou) in
[https://github.com/honojs/hono/pull/3301](https://togithub.com/honojs/hono/pull/3301)
- fix(client): replace optional params to url correctly by
[@&#8203;yusukebe](https://togithub.com/yusukebe) in
[https://github.com/honojs/hono/pull/3304](https://togithub.com/honojs/hono/pull/3304)
- feat(jsx): improve input attribute types based on react by
[@&#8203;ssssota](https://togithub.com/ssssota) in
[https://github.com/honojs/hono/pull/3302](https://togithub.com/honojs/hono/pull/3302)

#### New Contributors

- [@&#8203;uttk](https://togithub.com/uttk) made their first
contribution in
[https://github.com/honojs/hono/pull/3297](https://togithub.com/honojs/hono/pull/3297)

**Full Changelog**:
https://github.com/honojs/hono/compare/v4.5.6...v4.5.7

### [`v4.5.6`](https://togithub.com/honojs/hono/releases/tag/v4.5.6)

[Compare
Source](https://togithub.com/honojs/hono/compare/v4.5.5...v4.5.6)

#### What's Changed

- fix(jsx): handle async component error explicitly and throw the error
in the response by [@&#8203;usualoma](https://togithub.com/usualoma) in
[https://github.com/honojs/hono/pull/3274](https://togithub.com/honojs/hono/pull/3274)
- fix(validator): support multipart headers without a separating space
by [@&#8203;Ernxst](https://togithub.com/Ernxst) in
[https://github.com/honojs/hono/pull/3286](https://togithub.com/honojs/hono/pull/3286)
- fix(validator): Allow form data will mutliple values appended by
[@&#8203;nicksrandall](https://togithub.com/nicksrandall) in
[https://github.com/honojs/hono/pull/3273](https://togithub.com/honojs/hono/pull/3273)
- feat(jsx): improve meta-tag types with well known values by
[@&#8203;ssssota](https://togithub.com/ssssota) in
[https://github.com/honojs/hono/pull/3276](https://togithub.com/honojs/hono/pull/3276)

#### New Contributors

- [@&#8203;Ernxst](https://togithub.com/Ernxst) made their first
contribution in
[https://github.com/honojs/hono/pull/3286](https://togithub.com/honojs/hono/pull/3286)
- [@&#8203;ssssota](https://togithub.com/ssssota) made their first
contribution in
[https://github.com/honojs/hono/pull/3276](https://togithub.com/honojs/hono/pull/3276)

**Full Changelog**:
https://github.com/honojs/hono/compare/v4.5.5...v4.5.6

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone America/Chicago,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job log](https://developer.mend.io/github/autoblocksai/cli).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4yNi4xIiwidXBkYXRlZEluVmVyIjoiMzguMjYuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 package-lock.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 6c50542..14b6fab 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2782,9 +2782,9 @@
       }
     },
     "node_modules/hono": {
-      "version": "4.5.5",
-      "resolved": "https://registry.npmjs.org/hono/-/hono-4.5.5.tgz",
-      "integrity": "sha512-fXBXHqaVfimWofbelLXci8pZyIwBMkDIwCa4OwZvK+xVbEyYLELVP4DfbGaj1aEM6ZY3hHgs4qLvCO2ChkhgQw==",
+      "version": "4.5.8",
+      "resolved": "https://registry.npmjs.org/hono/-/hono-4.5.8.tgz",
+      "integrity": "sha512-pqpSlcdqGkpTTRpLYU1PnCz52gVr0zVR9H5GzMyJWuKQLLEBQxh96q45QizJ2PPX8NATtz2mu31/PKW/Jt+90Q==",
       "license": "MIT",
       "engines": {
         "node": ">=16.0.0"