Fix security issues reported by Dependabot for version 4

[kretajak]

• This is a bugfix
• This is a feature
• This is a code refactor
• This is a test update
• This is a docs update
• This is a metadata update

For Bugs and Features; did you add new tests?

Fixes Security issues present in version 4 of webpack-dev-server. Similar fixes were already merged into version 5 of webpack-dev-server.

Motivation / Use-Case

Fix issues reported by Dependabot:

• GHSA-9jgg-88mc-972h
• GHSA-4v9v-hfq4-rm2v

Breaking Changes

It is breaking change but it's security wise. Similar changes are already in 5.x.x branch. See commits d2575ad and 5c9378b

Additional Info

[alexander-akait]

Recently we added some fixes here to skip check for allowedHost, please add it here

[kretajak]

It seems not that straightforward. To me bigger effort is needed to incorporate changes from 03d1214. This PR uses functions defined in previous commits not available in line 4.

If it's not a problem, I would consider merging this PR and creating separate PR for task you mentioned.

[alexander-akait]

@kretajak let's include 03d1214 here, otherwise in some cases it will be impossible to setup a new version and we can merge

[slorber]

@kretajak let me know if you need help backporting that commit. I could try to add it on top of your existing PR if you don't have time to. We have at least 3 Docusaurus issues asking us to solve this security warning so happy to help and get this solved asap.

[kretajak]

I'm currently trying to backport that commit. I'll inform you whether I was able to make it.

[kretajak]

I have added new commit which should move us a bit closer. Seems like also changes from 6045b1e might be required as they are tightly connected to 03d1214.

@slorber feel free to continue the work.

[slorber]

Thanks, we'd also appreciate a backport for Docusaurus because our current minor supports Node 18.0, incompatible with dev server v5, and all newly initialized Docusaurus sites will get dev server v4.

We could bump to the latest Node 18 like Astro did recently (since it reached end of life) but if it's possible to avoid that it's better to not force our users to upgrade Node.js when upgrading a minor version (and I'd rather not release a new major version just for that security fix)

facebook/docusaurus#11252 (comment)

[pikachugb]

Hello :) Is there an ETA for the release of potentially version 4.15.3 with the changes from this PR?

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: sapphi-red / name: 翠 (5ba835f, ba2e692)
• ✅ login: alexander-akait / name: Alexander Akait (8de7782)

[kretajak]

I believe there is a bug in version 5 of weboack-dev-server. false is returned there, but my guess is that when validateHost is false we should bypass checking and return true here.

Above function when called: isValidHost({host: '127.0.0.1 }, 'host', validateHost = false) return false while it should return true. I assume that is the reason so many tests of 6045b1e were changed.

[alexander-akait]

@kretajak it is not a bug, because 127.0.0.1 can be used for attack, you should manually set 127.0.0.1 in allowedHosts for CORS requests, i.e. you opened bad-site.com, this this site can try to connect to ws://localhost:3000 and without such headers non chromium and old chromium browsers will connect to your websockets and can take your source code (in some cases)

[kretajak]

Okey. I reverted it to false.

[alexander-akait]

@kretajak Can you change your email in the last commin, CLA is failed, we can't merge commits without CLA

@pikachugb This week

[kretajak]

I have converted it to draft as it's incomplete.

[wissemayadi21]

hello please when this version will be published ?

[dharaneesh127]

@hiroppy@anshumanv@snitin315 could you guys please review the PR, and if good can it be published ?

[kretajak]

As I wrote here: #5514 (comment) backporting these extra changes is not straightforward. I would recommend dropping the last commit and merge this PR with the very first two commits, as they are essentially fixing the security issue.

[wissemayadi21]

that sounds good , we looking forward to get this release.

[alexander-akait]

@kretajak Do you need any help with this?

[kretajak]

@kretajak Do you need any help with this?

That would be great, if you feel changes from 03d1214 and 6045b1e must be incorporated here.

[pikachugb]

Any news on this one? @kretajak@alexander-akait

[kretajak]

Hi, I'm not able to continue the effort, as I do not feel confident enough to incorporate changes from 03d1214 and 6045b1e.

[hilalevx]

hi :) is there an ETA to the new 4 version release?