Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: normalize url in ensureServingAccess #3350

Merged
merged 3 commits into from
May 12, 2021
Merged

fix: normalize url in ensureServingAccess #3350

merged 3 commits into from
May 12, 2021

Conversation

cawa-93
Copy link
Contributor

@cawa-93 cawa-93 commented May 11, 2021

Description

Fix #3346

What is the purpose of this pull request?

  • Bug fix
  • New Feature
  • Documentation update
  • Other

Before submitting the PR, please make sure you do the following

  • Read the Contributing Guidelines.
  • Read the Pull Request Guidelines and follow the Commit Convention.
  • Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
  • Provide a description in this PR that addresses what the PR is solving, or reference the issue that it solves (e.g. fixes #123).
  • Ideally, include relevant tests that fail without this PR but pass with it.

antfu
antfu previously approved these changes May 11, 2021
View reviewed changes
@Shinigami92 Shinigami92 added the p3-minor-bug An edge case that only affects very specific usage (priority) label May 11, 2021
@mangowh mangowh mentioned this pull request May 11, 2021
Closed
2 tasks
@lovasoa
Copy link
Contributor

lovasoa commented May 11, 2021

I think the problem here is with the approach of using string manipulation to prevent path traversal. The way path are resolved depends on the file system and its mount options, and trying to solve that with a String.startsWith is always going to be problematic.

It is already causing a lot of issues:

@patak-dev patak-dev mentioned this pull request May 11, 2021
Closed
9 tasks
lovasoa
lovasoa suggested changes May 11, 2021
View reviewed changes
Copy link
Contributor

@lovasoa lovasoa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't fix the issue for e.g. case-insensitive file systems.

@patak-dev
Copy link
Member

This doesn't fix the issue for e.g. case-insensitive file systems.

Please search the issues for case-insensitive fs, there is no easy way to support them and be generic with other systems in Vite. This is not related to this PR in particular.

@patak-dev patak-dev requested a review from antfu May 11, 2021 14:20
@lovasoa
Copy link
Contributor

lovasoa commented May 11, 2021

@patak-js What I am saying is that this PR is trying to solve the wrong problem. There is one common cause to all the issues I mentioned above, the problem is the general approach of trying to "normalize" the path, and then testing it with String.startsWith.

@cawa-93
Copy link
Contributor Author

cawa-93 commented May 11, 2021
edited
Loading

@lovasoa

@patak-js What I am saying is that this PR is trying to solve the wrong problem. There is one common cause to all the issues I mentioned above, the problem is the general approach of trying to "normalize" the path, and then testing it with String.startsWith.

This PR is not intended to correct logic (which requires more time and effort). This PR is a quick hot fix for that can't wait long.

You can solve a right problem later.

@lovasoa
Copy link
Contributor

lovasoa commented May 11, 2021
edited
Loading

Yes, I see where you are coming from. The boggy logic itself was also introduced by a quick hot fix that couldn't wait long. I find vite amazing, but piling hot fixes is dangerous on the long run...

@patak-dev
Copy link
Member

Yes, I see where you are coming from. The boggy logic itself was also introduced by a quick hot fix for that couldn't wait long. I find vite amazing, but piling hot fixes is dangerous on the long run...

This is fixing a bug in Windows, we are using normalizePath across the board in the code-base and was missing. That being said, we all agree that further PRs are needed to improve fsServe (for example, better handling of symlinks)

@Conduitry Conduitry mentioned this pull request May 11, 2021
Closed
@antfu antfu merged commit deb465b into vitejs:main May 12, 2021
@cawa-93 cawa-93 deleted the fix-static-mid branch May 12, 2021 06:21
@jods4
Copy link
Contributor

jods4 commented May 12, 2021

Looking forward to this being released!
image

fi3ework pushed a commit to fi3ework/vite that referenced this pull request May 22, 2021
@cawa-93 @fi3ework
fix: normalize url in ensureServingAccess (vitejs#3350)
c0e72b0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lovasoa lovasoa lovasoa requested changes

@patak-dev patak-dev patak-dev approved these changes

@Shinigami92 Shinigami92 Shinigami92 approved these changes

@antfu antfu Awaiting requested review from antfu

Assignees
No one assigned
Labels
p3-minor-bug An edge case that only affects very specific usage (priority)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

.map file that is in fsServe.root is defined as one that is outside
6 participants
@cawa-93 @lovasoa @patak-dev @jods4 @Shinigami92 @antfu