Unrestricted directory traversal with @fs
#2820
Comments
GrygrFlzr
added
bug
p5-urgent
|
This feature is used to solve problems in monorepos. |
|
If we did want to support monorepos by default then various tools have their own way to find the root of the workspace:
As we can see this is a bit of a moving target (and there are more tools than these). I have no opinion on this as long as it is secure by default but leaving this info here in case it is useful. |
|
@marvinhagemeister I think this discussion may also be of interest for WMR. Maybe you already had similar talks about how to tackle the security implications of opening the dev server. |
|
@patak-js Yes, indeed this is something I've been pondering a lot about and it was one of the reason we didn't add an In our case we limit file serving to the web root for now. We're planning to expand that to include aliased directories in the future. So we'd essentially have an array of allowed folders to load files from. Just before loading we normalize the path and check if the resolved path leads to a file inside one of those include directories (which is currently just the web root). If it it does indeed lies somewhere in those folders, we serve it and error if it does not. |
|
Thanks for the explanation. I like the idea of having web root + support for monorepos by default as @pngwn suggested (at least for common tools), and an array of allowed folders to manually cover the rest of the cases like it is done in WMR |
|
Drafted a PR, #2820 Not sure if we should do the auto-detection, which could be a bit untransparent for users as the behavior would change based on users' environments. For example, having on |
|
Some thoughts:
|
|
I think that #2850 is a good first step, and should be considered a fix for this issue. But I agree with @dominikg that further changes are needed
This is a good idea. There is also a related issue #2587 so publicDir overrides the default public root in dev mode. I think we should only serve from the public directory for absolute paths and allow
How would you achieve something like this? |
Good question. A set of allow and deny list checks in the import analysis plugin and prohibiting imports that are not passing? |
I kinda think this is out-of-scope of Vite, developers should take the responsibility to use malicious modules. And we don't actually have the ability to completely prevent it as every node modules are capable of doing such things if they want. |
…default See also vitejs#2820 which makes this problem critically worse. Up until now, Vite has been listening on all public IP addresses by default, which could be a potential security vulnerability. This fixes the default behavior, so Vite only listens on 127.0.0.1. You can get the old behavior back (listen to all IPs) by running with the --listen-public CLI flag, or setting ``` export default defineConfig({ server: { listenPublic: true } // ... more config here }) ``` in the Vite config file.
…default See also vitejs#2820 which makes this problem critically worse. Up until now, Vite has been listening on all public IP addresses by default, which could be a potential security vulnerability. This fixes the default behavior, so Vite only listens on 127.0.0.1. You can get the old behavior back (listen to all IPs) by running with the --listen-public CLI flag, or setting ``` export default defineConfig({ server: { listenPublic: true } // ... more config here }) ``` in the Vite config file.
|
Sharing a piece of information we've discussed with @patak-js a few times, but I forgot to add it here. In a Vite Ruby project structure, The library leverages the fact that Vite can serve files in If the fix uses the location of |
|
@ElMassimo is there no way to do that, you detect all package.json and vite.config.ts (also in parents directories), and allow serve only directories that contain these files or are subfolder of folder that contain this files, and just omit all folders and files that doesn't contain this file and are not subfolder of folder containing these files? Or when I think about it, monorepo is just repo, so why not find .git folder? |
Co-authored-by: Shinigami <chrissi92@hotmail.de> Co-authored-by: patak <matias.capeletto@gmail.com>
|
Bring back for the record |
|
This issue gets locked because it has been closed for more than 14 days. |
Describe the bug
The entire filesystem is indiscriminately exposed while the Vite dev server is running. Combined with the fact that the server is exposed to
0.0.0.0by default, you're effectively opening your machine to the world during development.This is technically a Vite feature as currently documented, but probably not actually intended.
Reproduction
Any Vite project will do.
npm init @vitejs/app app cd app npm install npm run devCombined with the fact that any "out of root" directories already reveal the username of the current user, you can also easily do http://localhost:3000/@fs/home/username/.ssh/id_rsa
System Info
Used package manager: npm
The text was updated successfully, but these errors were encountered: