fix(serve): prevent serving unrestricted files #3321
Conversation
This breaks legitimate use cases when one wants to serve a folder that contains an explicit symlink to another one that is outside the server root.
@lovasoa You can configure it by https://vitejs.dev/config/#server-fsserve-root
Yes, but there is no reason to break existing setups in a minor version for something that is not a security vulnerability.
We have explained that in the changelog, and also see #2820. Sorry for the inconvenience, but we do think this is a serious security vulnerability.
This breaks existing monorepo setups, and serving files that are explicitly symlinked is not a security vulnerability. Plus, how would I do if I had symlinked
To be clear: I also do agree that the previous behavior of serving any files from anywhere is a serious security vulnerability. But serving files that have been explicitly symlinked in the server root (and in node_modules in particular) is not a vulnerability.
Sure, this could indeed be overkill for some scenarios. But at this moment, I kinda think the trade-off is totally worth it. We could not figure out all the edge cases or make assumptions about which files are safe and which are not. So, we are open to contributions proposing a more fine-grained configuration API, for example like But that said, they all require some discussion, decision making, implementation and testing. The current approach is what we could do to deliver the security fix to users asap. Hope this makes it clear. Thanks
I do understand that this fix had to be rushed in order to patch the security issue quickly. Can I open a new issue to track a better fix that would avoid breakage for existing configurations? Ideally, this should be fixed quickly before more people upgrade to v2.3.x and find themselves fixing a broken configuration... I don't think there is a need for an explicit allow and disallow list; symlinks are a more general solution to the problem.
Sure, that would be great. Thanks
@antfu https://vitejs.dev/config/#server-fsserve-root this documentation is really not helping much; it's not clear from it what I should set in the first place if I want to expose some directories for serving
@evromalarkey: I agree that the documentation is confusing. In the current setup, it should be set to the common parent of all the directories you want to be able to serve. So if you want to serve

```js
export default {
  server: {
    fsServe: {
      // Allow serving all files starting from two levels above the current directory in the fs hierarchy
      root: '../../'
    }
  }
}
```
Yeah, good point. Would you like to make a PR to update the docs? Thanks
Yeah I understand it now, thanks. Either way I think this change comes with a lot of problems, but it had to be done, I get it.
fix: #3281