[security] files outside of ./static are served publicly in dev mode #2627
Comments
I think the bug is on this line: https://github.com/vitejs/vite/blob/d1c85d1c053bf65ab691e697063f9796109120de/packages/vite/src/node/server/index.ts#L528 I believe it is serving the root directory regardless of what

PR to fix: vitejs/vite#5361

I've upgraded SvelteKit to Vite 2.6.11, but it looks like there's another issue preventing this from being fixed yet: vitejs/vite#5416

Great, think it's been merged now.
@benmccann I did dig a little into the whole Vite serveStaticMiddleware / serveRawFsMiddleware / isFileServingAllowed / ensureServingAccess code. I find this a little too complex for security relevant code. The whole thing can be bypassed via URL encoded path traversal:

```sh
cd /tmp/
npm init svelte@next my-app
cd my-app
npm install
npm run dev
# In other terminal:
curl http://localhost:3000/@fs/tmp/my-app/%2E%2E/%2E%2E/etc/passwd
```

In contrast to

To me this whole thing does not belong in Vite, it is the responsibility of

Couldn't this entire code be deleted from Vite and replaced with something like this?

```js
fs.allow.forEach((dir) => {
  middlewares.use(sirv(dir))
});
```

To be fair I've never used Vite outside of SvelteKit and only played with SvelteKit a little. But I do follow all security related issues.

Edit: fwiw, because of
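The comment above shows that an allow-list check which inspects the raw URL can be bypassed when the traversal segments are percent-encoded. The following is an added illustration, not Vite's or SvelteKit's code, of how such a check has to be ordered: decode first, then collapse `.` and `..` segments, then test containment against each allowed directory. The `/@fs/` prefix is the one named in the thread; `ALLOW_DIRS` and all function names are assumptions made for this example.

```javascript
// Added example (not Vite's or SvelteKit's implementation): allow-list check for
// a dev-server raw file route such as Vite's /@fs/ prefix.
// ALLOW_DIRS and the function names below are assumptions for this illustration.

// Constructed allow list: only files below these directories may be served.
const ALLOW_DIRS = ['/tmp/my-app/static', '/tmp/my-app/src'];

// Percent-decode the request path before any normalization. A check that only
// looks for a literal ".." in the raw URL lets %2E%2E through unnoticed.
function decodeRequestPath(urlPath) {
  let decoded = urlPath;
  // Decode until the string is stable so double-encoded sequences (%252E)
  // do not survive a single pass; cap the loop to avoid pathological input.
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(decoded);
    } catch (e) {
      return null; // malformed escape sequence: refuse rather than guess
    }
    if (next === decoded) break; // fully decoded
    decoded = next;
  }
  return decoded;
}

// Collapse "." and ".." segments of an absolute POSIX-style path so that the
// containment test below sees the path the filesystem would actually open.
function normalizeAbsolute(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      out.pop(); // never climbs above "/"
      continue;
    }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Map a URL under the raw-fs prefix to the absolute path it would serve, or
// null when the request is not for that route or is malformed.
function resolveFsPath(urlPath, fsPrefix = '/@fs/') {
  if (!urlPath.startsWith(fsPrefix)) return null;
  const decoded = decodeRequestPath(urlPath.slice(fsPrefix.length));
  if (decoded === null || decoded.includes('\0')) return null;
  return normalizeAbsolute('/' + decoded);
}

// True when filePath lies strictly below dir (both already normalized).
function isInsideDir(filePath, dir) {
  const base = normalizeAbsolute(dir);
  if (base === '/') return true;
  return filePath.startsWith(base + '/');
}

// The decision a serveRawFsMiddleware-style handler should make before
// touching the filesystem.
function isFileServingAllowed(urlPath, allowDirs = ALLOW_DIRS) {
  const fsPath = resolveFsPath(urlPath);
  if (fsPath === null) return false;
  return allowDirs.some((dir) => isInsideDir(fsPath, dir));
}

// Usage: the encoded traversal from the thread resolves to /etc/passwd and is
// rejected; a file under the allowed static directory is accepted.
isFileServingAllowed('/@fs/tmp/my-app/%2E%2E/%2E%2E/etc/passwd'); // false
isFileServingAllowed('/@fs/tmp/my-app/static/logo.png');          // true
```

The ordering is the whole point: `normalizeAbsolute` runs on the decoded string, so `%2E%2E`, `..`, and `%252E%252E` all end up as the same collapsed path and are judged by where that path lands, not by what the URL looked like. A real middleware would additionally canonicalize symlinks (`fs.realpath`) before the containment test, which this offline example omits.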
Good find @Prinzhorn! I'd recommend filing an issue in the Vite repo about this

As an aside, you shouldn't keep sensitive files in a project folder structure anyway, especially if it is under source control (which it should be). If you need to, consider using SOPS or some other form of source-control safe encryption mechanism. There are a few alternative offerings out there.

As another aside, this whole issue only affects projects served in dev mode, and if you're worried about what people accessing your app served in dev mode might see, you have a whole additional set of largely unsolvable problems.

I think an even more important point is that the dev mode server is only accessible from outside your machine if you explicitly pass the

I had a similar idea, but didn't wanna overstep other people and tell them how to run their libraries. Oh well.
Describe the bug

Unexpected behaviour / Security vulnerability. Files inside the root directory (outside of the static directory) are exposed to anyone via URLs.
Users may have secrets & keys in their root directory, which should NOT be visible to anyone viewing from the web.

Reproduction

npm run dev
localhost:3000/svelte.config.js
-> This file should not be accessible.

Logs

No response

System Info

Severity

blocking all usage of SvelteKit

Additional Information

No response