
Strapi Release: 4.10.8

Tag Name: v4.10.8

Release Date: 6/7/2023

Strapi

Open-source headless CMS built with Node.js. Provides developers with complete freedom in choosing their favorite tools and frameworks for frontend development.

TL;DR

Strapi v4.10.8 is a security-focused release that patches two vulnerabilities, one high and one medium severity. It removes the getter that exposed private content-type attributes and tightens query sanitization in sanitizeQuery and convertQueryParams, so that filters accept only known attributes and exactly-spelled operators. Strapi has not yet published exploitation details (disclosure is scheduled for July 25th, 2023), so all Strapi users should upgrade now rather than wait for them.

Highlight of the Release

    • Patched two security vulnerabilities (one high severity, one medium severity)
    • Removed getter access to private attributes in content types
    • Improved query sanitization in sanitizeQuery and convertQueryParams
    • Fixed case sensitivity handling for operators in filters
    • Fixed ID filter handling and moved the operator definitions into @strapi/utils

Migration Guide

This release contains security patches that don't require specific migration steps beyond updating your Strapi version. However, if you have custom code that:

  1. Reads private attributes through the getter that this release removes
  2. Relies on case-insensitive operator matching in queries (for example, writing $EQ or $Contains where Strapi documents $eq and $contains)
  3. Builds filters outside the standard sanitization, for example by passing user-supplied query objects straight to the entity service

you should review and update that code, since the tightened sanitization no longer passes through keys it does not recognize as attributes or exactly-spelled operators.

To update to v4.10.8:

npm install @strapi/strapi@4.10.8 --save
# or
yarn upgrade @strapi/strapi@4.10.8

Strapi expects every @strapi/* package in package.json (the core @strapi/strapi plus plugins such as @strapi/plugin-users-permissions and @strapi/plugin-i18n) to be on the same version, so update the plugin packages to 4.10.8 alongside the core package rather than only the one shown above. After the install completes, restart your Strapi application and verify that all functionality works as expected.
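Because a single npm or yarn command updates only the core package, here is an added check, written for this page and not part of Strapi's tooling, that reads a package.json object and lists every @strapi/* dependency whose version does not match the target release. The sample package.json is constructed for the example; the assumption that a caret or tilde range on the same base version is acceptable is the author's, since npm install --save writes a caret range by default.

```javascript
// Added example for this page, not Strapi's tooling: report @strapi/* packages in a
// package.json that are not on the target release. Strapi expects every @strapi/*
// package to share one version, so a partially upgraded project is a misconfiguration.

// Constructed package.json resembling a real Strapi project: the core was bumped
// to 4.10.8 but one plugin was left on 4.10.7.
const samplePackageJson = {
  name: 'my-strapi-app',
  dependencies: {
    '@strapi/strapi': '4.10.8',
    '@strapi/plugin-users-permissions': '4.10.7',
    '@strapi/plugin-i18n': '^4.10.8',
    'better-sqlite3': '8.0.1',
  },
  devDependencies: {},
};

// Strips a leading ^ or ~ so that a caret range written by `npm install --save`
// is compared on its base version (assumption: a range on the same base is fine).
function baseVersion(spec) {
  return spec.replace(/^[\^~]/, '');
}

// Returns [{ name, spec }] for every @strapi/* dependency (regular or dev)
// whose base version is not `target`. An empty array means the project is consistent.
function findStrapiVersionMismatches(pkg, target) {
  const mismatches = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!name.startsWith('@strapi/')) continue;
      if (baseVersion(spec) !== target) mismatches.push({ name, spec });
    }
  }
  return mismatches;
}

// Stand-alone run over the constructed file. To check a real project, replace
// samplePackageJson with JSON.parse(fs.readFileSync('package.json', 'utf8')).
const problems = findStrapiVersionMismatches(samplePackageJson, '4.10.8');
if (problems.length === 0) {
  console.log('all @strapi/* packages are on 4.10.8');
} else {
  for (const p of problems) {
    console.log(`${p.name} is at ${p.spec}, expected 4.10.8`);
  }
}
```

Run it from the project root after editing package.json and before restarting Strapi; a non-empty list means the upgrade is incomplete and the application may refuse to start or behave inconsistently across plugins.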

Upgrade Recommendations

Priority: Critical

All Strapi users should upgrade to v4.10.8 immediately. The release fixes one high and one medium severity issue: exposure of private attribute values through a getter that has now been removed, and insufficient sanitization of query parameters in sanitizeQuery and convertQueryParams.

While Strapi has indicated that these vulnerabilities have a very low probability of being exploited in the wild (as they require specific knowledge), it's still strongly recommended to update as soon as possible to maintain the security of your application.

The update process should be straightforward and does not change the public API. The one behaviour change likely to be visible is that filter operators are now matched case-sensitively, so a filter written as $EQ is no longer accepted as $eq (see the Migration Guide above).

Bug Fixes

  • Fixed a flaky test in transactions.test.api.js
  • Resolved issues with case sensitivity in operator handling
  • Fixed filtering behavior to properly handle ID filters
  • Improved query parameter conversion for more consistent behavior
  • Updated the strapi/utils package with necessary fixes

New Features

No new features were introduced in this release as it focuses primarily on security patches and bug fixes.

Security Updates

  • Removed getter for private attributes: Patched a high severity vulnerability that could potentially expose private data attributes in content types
  • Improved sanitization in query handling: Enhanced the sanitization process in sanitizeQuery and convertQueryParams to prevent a medium severity vulnerability
  • Restricted filter operations: filters now accept only known content-type attributes and filter operators; other keys are no longer passed through to the query
  • Enforced case sensitivity for operators: an operator must now match its documented spelling exactly, so a variant differing only in case is not treated as that operator
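To make the query-side changes above concrete (filters restricted to known attributes and operators, operators matched case-sensitively, private attributes kept out of filters), here is an added example of an allowlist-style filter sanitizer. It is illustrative code written for this page, not Strapi's implementation of sanitizeQuery or convertQueryParams; the content-type schema, the attribute names and the operator subset are constructed for the example, and relation filtering is out of scope.

```javascript
// Added example for this page: an allowlist filter sanitizer in the spirit of the
// 4.10.8 changes. Not Strapi's own code; schema and operator subset are constructed.

// Subset of Strapi's documented filter operators. Membership is exact-case, so
// '$EQ' is not in the set and is dropped rather than silently treated as '$eq'.
const OPERATORS = new Set([
  '$eq', '$ne', '$in', '$notIn', '$lt', '$lte', '$gt', '$gte',
  '$contains', '$notContains', '$startsWith', '$endsWith', '$null', '$notNull',
]);
const LOGICAL = new Set(['$and', '$or', '$not']);

// Constructed content-type schema in the shape Strapi uses: an attribute may carry
// `private: true`, and such attributes must not be filterable at all.
const articleSchema = {
  attributes: {
    title: { type: 'string' },
    body: { type: 'text' },
    resetPasswordToken: { type: 'string', private: true },
  },
};

function isQueryableAttribute(schema, name) {
  const attr = schema.attributes[name];
  return Boolean(attr) && attr.private !== true;
}

function isEmptyObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) && Object.keys(v).length === 0;
}

// Walks a filters object and returns a copy containing only known operators,
// logical combinators and queryable attributes. Unknown keys, private attributes
// and mis-cased operators are dropped; branches left empty by that are dropped too.
function sanitizeFilters(schema, filters) {
  if (Array.isArray(filters)) {
    return filters.map((f) => sanitizeFilters(schema, f)).filter((f) => !isEmptyObject(f));
  }
  if (filters === null || typeof filters !== 'object') return filters; // leaf operand
  const out = {};
  for (const [key, value] of Object.entries(filters)) {
    if (OPERATORS.has(key)) { out[key] = value; continue; } // operand kept verbatim
    if (!LOGICAL.has(key) && !isQueryableAttribute(schema, key)) continue;
    const kept = sanitizeFilters(schema, value);
    if (isEmptyObject(kept) || (Array.isArray(kept) && kept.length === 0)) continue;
    out[key] = kept;
  }
  return out;
}

// Stand-alone demo over constructed filter objects, as a client might send them
// via the ?filters[...] query string.
const attempts = [
  { title: { $eq: 'hello' } },                                   // legitimate
  { resetPasswordToken: { $startsWith: 'a' } },                  // private attribute
  { title: { $EQ: 'hello' } },                                   // mis-cased operator
  { $or: [{ title: { $eq: 'a' } }, { resetPasswordToken: { $null: false } }] },
];
for (const f of attempts) {
  console.log(JSON.stringify(f), '->', JSON.stringify(sanitizeFilters(articleSchema, f)));
}
```

The design point is that the sanitizer decides by allowlist membership, never by case-folding or by "does this look like an operator": anything not explicitly known is removed before the filter reaches the query layer, and an $or or $and whose members were all removed disappears with them rather than becoming an empty clause.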

Note: Detailed disclosure of these vulnerabilities is planned for July 25th, 2023, to give users time to upgrade before public disclosure.

Performance Improvements

  • No dedicated performance work ships in this release. The operator definitions were moved into @strapi/utils as part of the sanitization changes; that is a refactor rather than an optimization, and no measurable change to query performance is claimed.

Impact Summary

This security-focused release addresses two vulnerabilities in Strapi's core. The first was the exposure of private content-type attributes through a getter that has now been removed; the second was insufficient sanitization of query parameters, addressed in sanitizeQuery and convertQueryParams by restricting filters to known attributes and exactly-spelled operators.

The changes primarily affect the internal handling of queries and attribute access, with minimal impact on standard usage patterns. Developers who have built custom extensions that directly access private attributes or rely on specific query parameter behavior may need to review their code.

The security improvements strengthen Strapi's data protection capabilities without introducing breaking changes to the public API. This release demonstrates Strapi's commitment to security and responsible disclosure, giving users time to update before detailed vulnerability information is published.

Full Release Notes

⚠️ Security Warning and Notice ⚠️

Strapi was made aware of two vulnerabilities that were patched in this release. For now, we are going to delay the detailed disclosure of the exact details on how to exploit them and how they were patched, to give time for users to upgrade before we do public disclosure.

For now, the delay timeline looks like we will release the detailed information in the next four (4) weeks; we expect to do public disclosure (via a blog post) on Monday July 25th, 2023.

The vulnerabilities are 1 high and 1 medium, and both have a very low/basically zero probability of being used in the wild, as they require very specific knowledge of how these work.

🚨 Security


📚 Update and Migration Guides

  • General update guide can be found here
  • Migration guides can be found here 📚

Statistics:

  • Files changed: 67
  • Line additions: 453
  • Line deletions: 367
  • Line changes: 820
  • Total commits: 19

Users Affected:

  • Need to update their Strapi instances to maintain security
  • Benefit from improved protection against potential security exploits

Contributors:

  • innerdvations
  • Convly