path traversal vulnerability #3281

vinnitu · 2021-05-06T07:46:54Z

Hi, how to prevent such behavior?

npm init @vitejs/app vite-path-traversal-vulnerability
cd vite-path-traversal-vulnerability
npm i
npm run dev

what do you see in response ?

curl http://localhost:3000/etc/passwd

The text was updated successfully, but these errors were encountered:

ygj6 · 2021-05-06T09:04:05Z

Hi @vinnitu , this URL shows the demo page.
Do you mean that 404 is not returned when there is no url path?

vinnitu · 2021-05-06T10:40:08Z

I mean it shows me contain passwd file.

antfu · 2021-05-09T11:57:19Z

Duplicated of #2820, where it fix is merged in #2850, which will be released in next monday

vinnitu added the pending triage label May 6, 2021

underfin added a commit that referenced this issue May 9, 2021

fix(serve): prevent serving unrestricted files

9ca1dd1

fix: #3281

underfin mentioned this issue May 9, 2021

fix(serve): prevent serving unrestricted files #3321

Merged

9 tasks

underfin added bug p3-minor-bug An edge case that only affects very specific usage (priority) and removed pending triage labels May 9, 2021

antfu closed this as completed in #3321 May 10, 2021

meteorlxy mentioned this issue May 12, 2021

[Feature Request] Internal allowlist of @fs serving files #3373

Closed

github-actions bot locked and limited conversation to collaborators Jul 16, 2021

Provide feedback