From b5766eddc1fb585dfb69ed01228d85abb80eb67d Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Tue, 26 Oct 2021 09:52:48 -0700
Subject: [PATCH 1/8] [security] upgrade to Vite 2.6.12, specify allow list, and print warning
---
 .changeset/warm-frogs-tickle.md | 5 +++++
 packages/kit/package.json | 2 +-
 packages/kit/src/cli.js | 17 +++++++++++++++--
 packages/kit/src/core/dev/index.js | 12 +++++++++++-
 pnpm-lock.yaml | 14 +++++++-------
 5 files changed, 39 insertions(+), 11 deletions(-)
 create mode 100644 .changeset/warm-frogs-tickle.md
diff --git a/.changeset/warm-frogs-tickle.md b/.changeset/warm-frogs-tickle.md
new file mode 100644
index 000000000000..d6541caac4e9
--- /dev/null
+++ b/.changeset/warm-frogs-tickle.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+[security] upgrade to Vite 2.6.12, specify allow list, and print warning
diff --git a/packages/kit/package.json b/packages/kit/package.json
index 10bee9e58f5c..9f4b4223ee30 100644
--- a/packages/kit/package.json
+++ b/packages/kit/package.json
@@ -12,7 +12,7 @@
 "@sveltejs/vite-plugin-svelte": "^1.0.0-next.30",
 "cheap-watch": "^1.0.4",
 "sade": "^1.7.4",
- "vite": "^2.6.11"
+ "vite": "^2.6.12"
 },
 "devDependencies": {
 "@rollup/plugin-replace": "^3.0.0",
diff --git a/packages/kit/src/cli.js b/packages/kit/src/cli.js
index 17d0bdf6a036..68d17b5dc89c 100644
--- a/packages/kit/src/cli.js
+++ b/packages/kit/src/cli.js
@@ -1,6 +1,7 @@
 import { existsSync } from 'fs';
 import sade from 'sade';
 import colors from 'kleur';
+import { relative } from 'path';
 import * as ports from 'port-authority';
 import { load_config } from './core/config/index.js';
 import { networkInterfaces, release } from 'os';
@@ -111,7 +112,14 @@ prog
 https = https || !!config.kit.vite().server?.https;
 open = open || !!config.kit.vite().server?.open;
- welcome({ port: address_info.port, host: address_info.address, https, open });
+ welcome({
+ port: address_info.port,
+ host: address_info.address,
+ https,
+ open,
+ allow: watcher.allowed_directories(),
+ cwd: watcher.cwd
+ });
 } catch (error) {
 handle_error(error);
 }
@@ -221,9 +229,11 @@ async function check_port(port) {
 * host: string;
 * https: boolean;
 * port: number;
+ * allow?: string[];
+ * cwd?: string;
 * }} param0
 */
-function welcome({ port, host, https, open }) {
+function welcome({ port, host, https, open, allow, cwd }) {
 if (open) launch(port, https);
 console.log(colors.bold().cyan(`\n SvelteKit v${'__VERSION__'}\n`));
@@ -244,6 +254,9 @@ function welcome({ port, host, https, open }) {
 if (exposed) {
 console.log(` ${colors.gray('network:')} ${protocol}//${colors.bold(`${details.address}:${port}`)}`);
+ if (allow) {
+ console.log(`\n ${colors.yellow('Note that all files in the following directories will be accessible to anyone on your network: ' + allow.map(a => relative(cwd, a)).join(', '))}`);
+ }
 } else {
 console.log(` ${colors.gray('network: not exposed')}`);
 }
diff --git a/packages/kit/src/core/dev/index.js b/packages/kit/src/core/dev/index.js
index c3b0b8127309..eb9e1633aa3d 100644
--- a/packages/kit/src/core/dev/index.js
+++ b/packages/kit/src/core/dev/index.js
@@ -92,6 +92,15 @@ class Watcher extends EventEmitter {
 });
 }
+ allowed_directories() {
+ return [
+ this.config.kit.files.assets,
+ path.resolve(this.cwd, 'src'),
+ path.resolve(this.cwd, 'node_modules'),
+ path.resolve(this.cwd, '.svelte-kit')
+ ];
+ }
+
 async init_server() {
 if (!this.manifest) throw new Error('Must call init() before init_server()');
@@ -101,7 +110,8 @@ class Watcher extends EventEmitter {
 const default_config = {
 server: {
 fs: {
- strict: true
+ strict: true,
+ allow: this.allowed_directories()
 },
 strictPort: true
 }
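Review bot: The list handed to `welcome()` via `allow: watcher.allowed_directories()` is SvelteKit's default allow list, not necessarily the set Vite ends up serving: `init_server()` places the same list in `default_config.server.fs.allow`, and if that default is later merged with the user's `config.kit.vite()` (the merge is not visible in these hunks), a user-supplied `server.fs.allow` or `server.fs.strict: false` would change the effective set while the printed warning still lists the defaults. Passing the effective `server.fs.allow` from the merged Vite config, or wording the warning as "at least" these directories, would keep the notice accurate. The same point applies to the `@@ -101,7 +110,8 @@` hunk of packages/kit/src/core/dev/index.js. The enclosing function of this hunk begins before it, and the `try` that the visible `} catch (error) {` closes is outside the hunk.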
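Review bot: `allowed_directories()` carries no JSDoc although it now defines both Vite's `server.fs.allow` and the directory list echoed in the network warning printed by `welcome()`; a header such as `/** Directories the dev server may serve files from; used for Vite's server.fs.allow and echoed in the network warning. */` would make its security role explicit to the next maintainer. Separately, the first entry is taken from `this.config.kit.files.assets` as-is while the others go through `path.resolve(this.cwd, …)`; if the config loader does not already absolutize `files.assets` (not visible here), that entry would be the only relative one in the list and `relative(cwd, a)` in the warning would render it differently from its siblings, so either confirm it is absolute or resolve it the same way. The enclosing `class Watcher` starts outside the hunk.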
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 22f443b3a1c1..a2a3f9ac3c7d 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -230,12 +230,12 @@ importers: svelte2tsx: ~0.4.7 tiny-glob: ^0.2.9 uvu: ^0.5.2 - vite: ^2.6.11 + vite: ^2.6.12 dependencies: - '@sveltejs/vite-plugin-svelte': 1.0.0-next.30_svelte@3.44.0+vite@2.6.11 + '@sveltejs/vite-plugin-svelte': 1.0.0-next.30_svelte@3.44.0+vite@2.6.12 cheap-watch: 1.0.4 sade: 1.7.4 - vite: 2.6.11 + vite: 2.6.12 devDependencies: '@rollup/plugin-replace': 3.0.0_rollup@2.58.0 '@types/amphtml-validator': 1.0.1
@@ -761,7 +761,7 @@ packages: picomatch: 2.3.0 dev: false - /@sveltejs/vite-plugin-svelte/1.0.0-next.30_svelte@3.44.0+vite@2.6.11: + /@sveltejs/vite-plugin-svelte/1.0.0-next.30_svelte@3.44.0+vite@2.6.12: resolution: {integrity: sha512-YQqdMxjL1VgSFk4/+IY3yLwuRRapPafPiZTiaGEq1psbJYSNYUWx9F1zMm32GMsnogg3zn99mGJOqe3ld3HZSg==} engines: {node: ^14.13.1 || >= 16} peerDependencies:
@@ -779,7 +779,7 @@ packages: require-relative: 0.8.7 svelte: 3.44.0 svelte-hmr: 0.14.7_svelte@3.44.0 - vite: 2.6.11 + vite: 2.6.12 transitivePeerDependencies: - supports-color dev: false
@@ -4194,8 +4194,8 @@ packages: engines: {node: '>= 0.8'} dev: true - /vite/2.6.11: - resolution: {integrity: sha512-JWnGmiO1IFwou9aUWS4N0kMyHcgTTt1+2f4bJyzgBJLJDyAqGEX3HewE4jgrL6V4d9+mxs+lZ4L8HL2kyVBe7A==} + /vite/2.6.12: + resolution: {integrity: sha512-0K7HUgAFiWOCWMkshjunCieTgawoSfmtExTwNoaVc5uTUb3ZEWb3DUP9Ze1l5dZZBxmNrbo5GrmJp2UJA3g+jA==} engines: {node: '>=12.2.0'} hasBin: true peerDependencies:
From 29e93fd6891c885bbaf157ba07004b9eb8b1ce1a Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Tue, 26 Oct 2021 10:18:55 -0700
Subject: [PATCH 2/8] Update packages/kit/src/cli.js
Co-authored-by: Bjorn Lu <34116392+bluwy@users.noreply.github.com>
---
 packages/kit/src/cli.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/kit/src/cli.js b/packages/kit/src/cli.js
index 68d17b5dc89c..29341cb50c64 100644
--- a/packages/kit/src/cli.js
+++ b/packages/kit/src/cli.js
@@ -254,7 +254,7 @@ function welcome({ port, host, https, open, allow, cwd }) {
 if (exposed) {
 console.log(` ${colors.gray('network:')} ${protocol}//${colors.bold(`${details.address}:${port}`)}`);
- if (allow) {
+ if (allow && allow.length) {
 console.log(`\n ${colors.yellow('Note that all files in the following directories will be accessible to anyone on your network: ' + allow.map(a => relative(cwd, a)).join(', '))}`);
 }
 } else {
From a4698c4fd63a4d6b04986857638fe7a39639fb12 Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Tue, 26 Oct 2021 10:22:32 -0700
Subject: [PATCH 3/8] pnpm check
---
 packages/kit/src/cli.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/kit/src/cli.js b/packages/kit/src/cli.js
index 29341cb50c64..ec6eeb470226 100644
--- a/packages/kit/src/cli.js
+++ b/packages/kit/src/cli.js
@@ -254,7 +254,7 @@ function welcome({ port, host, https, open, allow, cwd }) {
 if (exposed) {
 console.log(` ${colors.gray('network:')} ${protocol}//${colors.bold(`${details.address}:${port}`)}`);
- if (allow && allow.length) {
+ if (allow?.length && cwd) {
 console.log(`\n ${colors.yellow('Note that all files in the following directories will be accessible to anyone on your network: ' + allow.map(a => relative(cwd, a)).join(', '))}`);
 }
 } else {
From d6a8bdc90f45199d59c5bc402a0b4153a1864b82 Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Tue, 26 Oct 2021 20:30:33 -0700
Subject: [PATCH 4/8] include root node_modules
---
 packages/kit/src/core/dev/index.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/packages/kit/src/core/dev/index.js b/packages/kit/src/core/dev/index.js
index eb9e1633aa3d..6e6cd0ee78cb 100644
--- a/packages/kit/src/core/dev/index.js
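Review bot: In the PATCH 3/8 hunk, the new guard `if (allow?.length && cwd)` silently suppresses the network warning whenever `cwd` is missing, even though `allow` is non-empty and those directories are still served; `cwd` is only used to shorten the printed paths, so dropping the whole notice for a cosmetic input is the wrong failure mode. Keep the warning and fall back to absolute paths instead: `if (allow?.length) {` together with `allow.map(a => cwd ? relative(cwd, a) : a).join(', ')`. The enclosing `welcome()` function starts before the hunk and continues after it.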
+++ b/packages/kit/src/core/dev/index.js
@@ -94,10 +94,13 @@ class Watcher extends EventEmitter {
 allowed_directories() {
 return [
- this.config.kit.files.assets,
- path.resolve(this.cwd, 'src'),
- path.resolve(this.cwd, 'node_modules'),
- path.resolve(this.cwd, '.svelte-kit')
+ ...new Set([
+ this.config.kit.files.assets,
+ path.resolve(this.cwd, 'src'),
+ path.resolve(this.cwd, '.svelte-kit'),
+ path.resolve('node_modules'),
+ path.resolve(vite.searchForWorkspaceRoot(this.cwd), 'node_modules')
+ ])
 ];
 }
From b3885d4460e00c2caadeca3e74290f34c931593c Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Tue, 26 Oct 2021 20:34:57 -0700
Subject: [PATCH 5/8] don't hardcode src directory
---
 packages/kit/src/core/dev/index.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/packages/kit/src/core/dev/index.js b/packages/kit/src/core/dev/index.js
index 6e6cd0ee78cb..92261fb09f6e 100644
--- a/packages/kit/src/core/dev/index.js
+++ b/packages/kit/src/core/dev/index.js
@@ -93,10 +93,13 @@ class Watcher extends EventEmitter {
 }
 allowed_directories() {
+ const template = this.config.kit.files.template;
 return [
 ...new Set([
 this.config.kit.files.assets,
- path.resolve(this.cwd, 'src'),
+ this.config.kit.files.lib,
+ this.config.kit.files.routes,
+ template.substring(0, Math.max(template.lastIndexOf('/'), template.lastIndexOf('\\'))),
 path.resolve(this.cwd, '.svelte-kit'),
 path.resolve('node_modules'),
 path.resolve(vite.searchForWorkspaceRoot(this.cwd), 'node_modules')
From 588ac7ebdf1e1c405195583d8db3d999f0e971c4 Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Tue, 26 Oct 2021 20:52:50 -0700
Subject: [PATCH 6/8] add missing cwd
---
 packages/kit/src/core/dev/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/kit/src/core/dev/index.js b/packages/kit/src/core/dev/index.js
index 92261fb09f6e..759e8d49b5fb 100644
--- a/packages/kit/src/core/dev/index.js
+++ b/packages/kit/src/core/dev/index.js
@@ -101,7 +101,7 @@ class Watcher extends EventEmitter {
 this.config.kit.files.routes,
 template.substring(0, Math.max(template.lastIndexOf('/'), template.lastIndexOf('\\'))),
 path.resolve(this.cwd, '.svelte-kit'),
- path.resolve('node_modules'),
+ path.resolve(this.cwd, 'node_modules'),
 path.resolve(vite.searchForWorkspaceRoot(this.cwd), 'node_modules')
 ])
 ];
From 3eff74b4a2d19bb38f44fbc92a2a97ee24679494 Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Tue, 26 Oct 2021 21:50:18 -0700
Subject: [PATCH 7/8] remove template
---
 packages/kit/src/core/dev/index.js | 2 --
 1 file changed, 2 deletions(-)
diff --git a/packages/kit/src/core/dev/index.js b/packages/kit/src/core/dev/index.js
index 759e8d49b5fb..7e11c3bee8ef 100644
--- a/packages/kit/src/core/dev/index.js
+++ b/packages/kit/src/core/dev/index.js
@@ -93,13 +93,11 @@ class Watcher extends EventEmitter {
 }
 allowed_directories() {
- const template = this.config.kit.files.template;
 return [
 ...new Set([
 this.config.kit.files.assets,
 this.config.kit.files.lib,
 this.config.kit.files.routes,
- template.substring(0, Math.max(template.lastIndexOf('/'), template.lastIndexOf('\\'))),
 path.resolve(this.cwd, '.svelte-kit'),
 path.resolve(this.cwd, 'node_modules'),
 path.resolve(vite.searchForWorkspaceRoot(this.cwd), 'node_modules')
From 0b9d3df82419eacdd0404e5f0782faf7d7168d81 Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Tue, 26 Oct 2021 21:51:59 -0700
Subject: [PATCH 8/8] add src
---
 packages/kit/src/core/dev/index.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/kit/src/core/dev/index.js b/packages/kit/src/core/dev/index.js
index 7e11c3bee8ef..11e247c3b1fb 100644
--- a/packages/kit/src/core/dev/index.js
+++ b/packages/kit/src/core/dev/index.js
@@ -98,6 +98,7 @@ class Watcher extends EventEmitter {
 this.config.kit.files.assets,
 this.config.kit.files.lib,
 this.config.kit.files.routes,
+ path.resolve(this.cwd, 'src'),
 path.resolve(this.cwd, '.svelte-kit'),
 path.resolve(this.cwd, 'node_modules'),
 path.resolve(vite.searchForWorkspaceRoot(this.cwd), 'node_modules')
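Review bot: `path.resolve(this.cwd, 'src')` re-introduces the hard-coded directory that PATCH 5/8 ("don't hardcode src directory") removed, with no comment saying why it is needed next to `files.lib` and `files.routes`; presumably it stands in for the template's parent directory that PATCH 7/8 stopped computing, but a reader of the final file cannot tell. A one-line why-comment above the entry, for example `// src/ as a whole: covers app.html and anything lib/routes do not`, adjusted to the actual reason, would stop a later cleanup from removing it again as dead duplication. Every entry here widens what the dev server will serve on the network, so each one deserves a stated justification. The enclosing `allowed_directories()` method starts and ends outside the hunk.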