deps(prod): update dependency eta to v2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
eta (source)	^1.12.1 -> ^2.0.0

GitHub Vulnerability Alerts

CVE-2023-23630

Impact

XSS attack - anyone using the Express API is impacted

Patches

The problem has been resolved. Users should upgrade to version 2.0.0.

Workarounds

Don't pass user supplied data directly to res.renderFile.

References

Are there any links users can visit to find out more?
See https://github.com/eta-dev/eta/releases/tag/v2.0.0

CVE-2022-25967

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data.

---

Release Notes

eta-dev/eta (eta)

v2.0.0: Version 2.0.0

Compare Source

TL;DR

This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the data parameter of renderFile() into config -- meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of varName, include, includeFile, and useWith, and thus insert arbitrary code into user template functions.

With this release, such behavior is removed. Configuration cannot be passed through the data parameter to eta.renderFile().

Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.

Practical Implications

• Configuration must be passed to renderFile explicitly, rather than merged with the data parameter
• Using Express.js app.set() to modify views and view cache will no longer change Eta's configuration of views and cache.
  • However, since Express still uses its own views and view cache options under the hood, users should configure both Eta and Express with desired values (example below)
• Eta no longer recognizes the legacy Express.js settings["view options"] property

Example Code Changes

// Change THIS:
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2
// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2

// Change THIS:
var eta = require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)
// To THIS:
var eta = require("eta")
app.engine("eta", eta.renderFile)
eta.configure({  views: "./views", cache: true }) // configure eta
app.set("views", "./views") // configure Express
app.set("view cache", true) // configure Express
app.set("view engine", "eta")

Commits

• Don't use data object for Eta configuration (#​214) 5651392

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codeclimate]

Code Climate has analyzed commit c3240e5 and detected 0 issues on this pull request.

View more on Code Climate.