fix(server): Listen only to 127.0.0.1 by default #2977
Conversation
|
Copying my comment from the prev PR for reference:
@eirslett We should add an equivalent paragraph to the docs. And this PR doesn't implement support for |
Shinigami92
added
p4-important
|
Also it seems there are some failing tests 🤔 At least on windows 🤔 @patak-js Do you have windows? Can you reproduce this on your machine? |
|
@Shinigami92 I can reproduce this on my machine, but I don't understand how this is related to this PR. Head is green. |
|
Yes, we should refactor it, my suggestion is that since this is a security fix, we could merge it (after code review) and do the other improvements in a separate PR. The code duplication should definitely be refactored, and supporting My suspicion is that Windows tries to use the public IP in the tests, but by default the server now only listens to 127.0.0.1, which might be the reason why the tests fail? |
|
@eirslett you should consider to create a PR/branch on top of |
FWIW, Luke mentioned he only made that the default due to a few complaints about having to type more to expose. You certainly could make the argument that forcing users to be more explicit when exposing could be of benefit. Just something to consider. |
|
Ok, I agree with @rschristian. We can have |
|
About the hint message, I think that it could be less intrusive. I think we should copy sirv here:
It could be: Instead of add if we don't default to 0.0.0.0 in this PR. We shouldn't change the |
|
The failing example in windows is working well when launching the dev server, but not in the jest tests. This may be an issue with |
|
Agree to keep the Where the |
|
There we go:
🤞 Let's hope that the tests pass... |
|
It is still failing in Windows, but it should be because of our tests and not because of the feature itself. @eirslett maybe we can force to use the |
|
Some findings about the failing tests:
I don't understand why using Other details:
|
I think the host will then be
I don't think it matters - the most valuable piece of information is the public IP address, which you can then pass on to coworkers, or your mobile phone, or whatever should access your dev server remotely. |
If const hostname = options.host || '127.0.0.1'Note: Looks like if the system supports IPv6, passing undefined defaults to
Users may still want to use localhost and give the public IP to others at the same time, and this is how Vite works until this moment. Using |
|
I pushed a new change now, which makes the logic even more explicit. |
|
Hey @eirslett, I just had a quick look over your PR Some thoughts I had are:
IPv6 support (if wanted) could be outsourced to another PR 🤔 |
It's not really checking that, it's just setting the default value to 127.0.0.1.
I'm sure it possible, but maybe that's a separate feature?
Absolutely, there's not really anything in the way now for passing an IPv6 address as the |
eirslett
force-pushed
the
bugfix-security-use-host-param-correctly
branch
from
75f68bb
to
33a4792
Compare
The security fix for listening only on 127.0.0.1 by default seems like it broke tests on Windows. Try using 0.0.0.0 for tests, and see if that fixes the tests.
packages/vite/src/node/preview.ts
Outdated
| let hostname: string | ||
| if (options.host === undefined) { | ||
| // Use a secure default | ||
| hostname = '127.0.0.1' | ||
| } else if (options.host === true) { | ||
| // The user probably passed --host in the CLI, without arguments | ||
| hostname = '0.0.0.0' | ||
| } else { | ||
| hostname = options.host as string | ||
| } |
There was a problem hiding this comment.
Since this is reused in both files, let's extract it to a function:
const getHostname(hostnameOption: string | boolean | undefined): string {
if (typeof hostnameOption === 'string') {
return hostnameOption
}
// `--host` without parameters
if (hostnameOption === true) {
return '0.0.0.0'
}
// secure loopback-only default
return '127.0.0.1'
}| if (hostname === '127.0.0.1') { | ||
| const url = `${protocol}://localhost:${chalk.bold(port)}${base}` | ||
| logger.info(` > Local: ${chalk.cyan(url)}`) | ||
| logger.info(` > Network: ${chalk.dim('use `--host` to expose')}`) | ||
| } else { | ||
| const interfaces = os.networkInterfaces() | ||
| Object.keys(interfaces).forEach((key) => | ||
| (interfaces[key] || []) | ||
| .filter((details) => details.family === 'IPv4') | ||
| .map((detail) => { | ||
| return { | ||
| type: detail.address.includes('127.0.0.1') | ||
| ? 'Local: ' | ||
| : 'Network: ', | ||
| host: detail.address | ||
| } | ||
| }) | ||
| .forEach(({ type, host }) => { | ||
| const url = `${protocol}://${host}:${chalk.bold(port)}${base}` | ||
| logger.info(` > ${type} ${chalk.cyan(url)}`) | ||
| }) | ||
| ) | ||
| } |
There was a problem hiding this comment.
This can be extracted too
There was a problem hiding this comment.
Agreed, but I think it is better if we do these refactorings in a future PR.
There was a problem hiding this comment.
👍🏼 Okay to leave this one out, but it would be good to extract the added code (previous comment)
|
Looks like all the tests pass now! I'm not 100 % sure about making |
@eirslett let's do this change, and we can then use |
Co-authored-by: Anthony Fu <anthonyfu117@hotmail.com>
| } else { | ||
| hostname = options.host as string |
There was a problem hiding this comment.
question: Is this also the case if options.host is set to false?
Cause I see that host is of type string | boolean | undefined
There was a problem hiding this comment.
@patak-js as I mentioned here, what is with the options.host being false case?
The as string just hides the TypeScript safeness here
|
I mean, yes, the code in there should probably be refactored, prettified, extracted, nitpicked and all, but this is first and foremost a security patch, and it's already been 29 days since I opened the first PR. I'm getting a little bit tired of all the bike shedding, sorry. All I wanted to do was to make Vite more secure. |
|
Thanks for the PR @eirslett. For later reference, this was not merged before because tests were not passing til yesterday. |
|
If you use |
@evromalarkey Could you open an issue or maybe directly a PR for that? |
|
Issue here #3355 |
Co-authored-by: Nihal Gonsalves <nihal@nihalgonsalves.com> Co-authored-by: Anthony Fu <anthonyfu117@hotmail.com>
Co-authored-by: antfu <hi@antfu.me>
This pull request supersedes #2865, after discussion that one should rely on the
--hostparameter to determine public/private network interface setup.