
fix: re-encode url to prevent fs.allow bypass (fixes #8498) #8979

Merged
merged 2 commits into from
Jul 8, 2022

Conversation

sapphi-red
Member

@sapphi-red sapphi-red commented Jul 7, 2022

Description

I think this fix is not the ideal way but at least it works.

The reason why #8498 (comment) was happening is:

  1. Vite decodes URL (%252ffoo.txt => %2ffoo.txt)
  2. Vite filters URL (%2ffoo.txt)
  3. sirv decodes URL (%2ffoo.txt => /foo.txt)
  4. sirv responds (/foo.txt)

The file path mapped from URL is different between 2 and 4.

This PR adds encode after 2. (%2ffoo.txt => %252ffoo.txt)

fixes #8498
refs #8804
refs lukeed/sirv#139

Additional context


What is the purpose of this pull request?

  • Bug fix
  • New Feature
  • Documentation update
  • Other

Before submitting the PR, please make sure you do the following

  • Read the Contributing Guidelines.
  • Read the Pull Request Guidelines and follow the Commit Convention.
  • Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
  • Provide a description in this PR that addresses what the PR is solving, or reference the issue that it solves (e.g. fixes #123).
  • Ideally, include relevant tests that fail without this PR but pass with it.
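The decode/filter/decode sequence from the description, as an added model in JavaScript that is not Vite's or sirv's code; ROOT, the allow check and every function name are constructed stand-ins, and the fix step is modeled with a plain `encodeURI` rather than the PR's actual change.

```javascript
// Added model of the pipeline in the PR description; not Vite's or sirv's code.
// ROOT, the allow check and the function names are constructed stand-ins.
const ROOT = '/srv/app/public';

// Minimal posix-style join: drop leading slashes, append under ROOT.
// (No '..' handling; enough to follow the %252ffoo.txt example.)
function joinUnderRoot(segment) {
  return ROOT + '/' + segment.replace(/^\/+/, '');
}

// Step 1: the server's single decode pass over the request URL.
function decodeOnce(rawUrl) {
  return decodeURIComponent(rawUrl);
}

// Step 2: the file path an fs.allow-style filter inspects. The stand-in
// filter only needs to record which path it judged, so that path is returned.
function filteredPath(urlPath) {
  return joinUnderRoot(urlPath);
}

// Steps 3-4: a sirv-like static handler decodes the URL it is handed a
// second time and serves the resulting file.
function servedPath(urlPath) {
  return joinUnderRoot(decodeURIComponent(urlPath));
}

// Before the fix: the once-decoded URL goes straight to the handler.
function pipelineBeforeFix(rawUrl) {
  const once = decodeOnce(rawUrl);
  return { checked: filteredPath(once), served: servedPath(once) };
}

// With the PR's approach modeled: re-encode after filtering, so the handler's
// second decode lands on exactly the path the filter judged.
function pipelineWithFix(rawUrl) {
  const once = decodeOnce(rawUrl);
  const checked = filteredPath(once);
  return { checked, served: servedPath(encodeURI(once)) };
}

// The invariant a regression test should assert: what was checked is what is served.
function checkMatchesServe(result) {
  return result.checked === result.served;
}

// Walk-through with the URL from the description.
console.log(pipelineBeforeFix('%252ffoo.txt')); // checked and served differ
console.log(pipelineWithFix('%252ffoo.txt'));   // checked and served agree
```

`checkMatchesServe` is the property worth keeping as a test whenever a filter and a downstream handler each decode independently.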

@sapphi-red sapphi-red added bug p5-urgent Fix build-breaking bugs affecting most users, should be released ASAP (priority) security labels Jul 7, 2022
@netlify

netlify bot commented Jul 7, 2022

Deploy Preview for vite-docs-main canceled.

🔨 Latest commit: 5cc05bf
🔍 Latest deploy log: https://app.netlify.com/sites/vite-docs-main/deploys/62c7b182d5c6ff000868525c

@sapphi-red sapphi-red closed this Jul 8, 2022
@sapphi-red sapphi-red deleted the fix/reencode-url branch July 8, 2022 03:56
@sapphi-red sapphi-red restored the fix/reencode-url branch July 8, 2022 03:56
@sapphi-red sapphi-red reopened this Jul 8, 2022
Labels
p5-urgent Fix build-breaking bugs affecting most users, should be released ASAP (priority) security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Unrestricted directory traversal with @fs (Bypass)
3 participants