[security] upgrade to Vite 2.6.12, specify allow list, and print warning

.changeset/warm-frogs-tickle.md

@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+[security] upgrade to Vite 2.6.12, specify allow list, and print warning

packages/kit/package.json

@@ -12,7 +12,7 @@
 		"@sveltejs/vite-plugin-svelte": "^1.0.0-next.30",
 		"cheap-watch": "^1.0.4",
 		"sade": "^1.7.4",
-		"vite": "^2.6.11"
+		"vite": "^2.6.12"
 	},
 	"devDependencies": {
 		"@rollup/plugin-replace": "^3.0.0",

packages/kit/src/cli.js

@@ -1,6 +1,7 @@
 import { existsSync } from 'fs';
 import sade from 'sade';
 import colors from 'kleur';
+import { relative } from 'path';
 import * as ports from 'port-authority';
 import { load_config } from './core/config/index.js';
 import { networkInterfaces, release } from 'os';
@@ -111,7 +112,14 @@ prog
 			https = https || !!config.kit.vite().server?.https;
 			open = open || !!config.kit.vite().server?.open;
 
-			welcome({ port: address_info.port, host: address_info.address, https, open });
+			welcome({
+				port: address_info.port,
+				host: address_info.address,
+				https,
+				open,
+				allow: watcher.allowed_directories(),
+				cwd: watcher.cwd
+			});
 		} catch (error) {
 			handle_error(error);
 		}
@@ -221,9 +229,11 @@ async function check_port(port) {
  *   host: string;
  *   https: boolean;
  *   port: number;
+ *   allow?: string[];
+ *   cwd?: string;
  * }} param0
  */
-function welcome({ port, host, https, open }) {
+function welcome({ port, host, https, open, allow, cwd }) {
 	if (open) launch(port, https);
 
 	console.log(colors.bold().cyan(`\n  SvelteKit v${'__VERSION__'}\n`));
@@ -244,6 +254,9 @@ function welcome({ port, host, https, open }) {
 
 				if (exposed) {
 					console.log(`  ${colors.gray('network:')} ${protocol}//${colors.bold(`${details.address}:${port}`)}`);
+					if (allow?.length && cwd) {
+						console.log(`\n  ${colors.yellow('Note that all files in the following directories will be accessible to anyone on your network: ' + allow.map(a => relative(cwd, a)).join(', '))}`);
+					}
 				} else {
 					console.log(`  ${colors.gray('network: not exposed')}`);
 				}

packages/kit/src/core/dev/index.js

@@ -92,6 +92,20 @@ class Watcher extends EventEmitter {
 		});
 	}
 
+	allowed_directories() {
+		return [
+			...new Set([
+				this.config.kit.files.assets,
+				this.config.kit.files.lib,
+				this.config.kit.files.routes,
+				path.resolve(this.cwd, 'src'),
+				path.resolve(this.cwd, '.svelte-kit'),
+				path.resolve(this.cwd, 'node_modules'),
+				path.resolve(vite.searchForWorkspaceRoot(this.cwd), 'node_modules')
+			])
+		];
+	}
+
 	async init_server() {
 		if (!this.manifest) throw new Error('Must call init() before init_server()');
 
@@ -101,7 +115,8 @@ class Watcher extends EventEmitter {
 		const default_config = {
 			server: {
 				fs: {
-					strict: true
+					strict: true,
+					allow: this.allowed_directories()
 				},
 				strictPort: true
 			}