Vite's `server.fs.deny` did not deny requests for patterns with directories.
Package
Affected versions
>= 2.7.0, <= 2.9.17
>= 3.0.0, <= 3.2.8
>= 4.0.0, <= 4.5.2
>= 5.0.0, <= 5.0.12
>= 5.1.0, <= 5.1.6
>= 5.2.0, <= 5.2.5
Patched versions
2.9.18
3.2.10
4.5.3
5.0.13
5.1.7
5.2.6
Description
Published to the GitHub Advisory Database
Apr 3, 2024
Reviewed
Apr 3, 2024
Published by the National Vulnerability Database
Apr 4, 2024
Last updated
Apr 4, 2024
Summary
Vite dev server option
server.fs.deny
did not deny requests for patterns with directories. An example of such a pattern is/foo/**/*
.Impact
Only apps setting a custom
server.fs.deny
that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using--host
orserver.host
config option) are affected.Patches
Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18
Details
server.fs.deny
uses picomatch with the config of{ matchBase: true }
. matchBase only matches the basename of the file, not the path due to a bug (micromatch/picomatch#89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set{ dot: true }
and that causes dotfiles not to be denied unless they are explicitly defined.Reproduction
Set fs.deny to
['**/.git/**']
and then curl for/.git/config
.matchBase: true
, you can get any file under.git/
(config, HEAD, etc).matchBase: false
, you cannot get any file under.git/
(config, HEAD, etc).References