Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: prevent serving unrestricted files (fix #2820) #2850

Merged
merged 24 commits into from
May 7, 2021
Merged

fix: prevent serving unrestricted files (fix #2820) #2850

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
948d493
fix: new options fsServeRoot to prevent serving unrestricted files (f…
antfu Apr 4, 2021
d905918
chore: update jsdoc
antfu Apr 4, 2021
d4dd106
Update packages/vite/src/node/server/middlewares/static.ts
antfu Apr 4, 2021
f47345b
chore: update docs
antfu Apr 4, 2021
a0e0221
Apply suggestions from code review
Shinigami92 Apr 4, 2021
7066730
Update packages/vite/src/node/server/middlewares/static.ts
antfu Apr 5, 2021
34334d9
chore: fix imports
antfu Apr 5, 2021
2679e0c
Merge branch 'main' into fix/fs-root
antfu May 4, 2021
3051625
chore: add 403 page
antfu May 4, 2021
f4e3869
feat: search for workspace root
antfu May 4, 2021
391ad14
chore: update
antfu May 4, 2021
f9141dd
docs: update
antfu May 4, 2021
2f06f53
chore: update jsdoc
antfu May 4, 2021
c8acfff
chore: remove depth limit
antfu May 4, 2021
5db3fdc
chore: update docs
antfu May 4, 2021
92b825c
Update packages/vite/src/node/server/searchRoot.ts
antfu May 5, 2021
3bb52aa
chore: update
antfu May 5, 2021
28c90bc
Update packages/vite/src/node/server/middlewares/static.ts
antfu May 5, 2021
93cf900
Update packages/vite/src/node/server/middlewares/static.ts
antfu May 5, 2021
0501f3d
Update packages/vite/src/node/server/searchRoot.ts
antfu May 5, 2021
099ce97
chore: remove detection for .git
antfu May 7, 2021
f771868
chore: change options to fsServe object
antfu May 7, 2021
8bed0d8
Merge branch 'main' into fix/fs-root
antfu May 7, 2021
7b7bef9
fix: expose type
antfu May 7, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions docs/config/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -430,6 +430,17 @@ export default async ({ command, mode }) => {

File system watcher options to pass on to [chokidar](https://github.com/paulmillr/chokidar#api).

### server.fsServe.root

- **Type:** `string`

Restrict files that could be served via `/@fs/`. Accessing files outside this directory will result in a 403.

Vite will search for the root of the potential workspace and use it as default. A valid workspace met the following conditions, otherwise will fallback to the [project root](/guide/#index-html-and-project-root).
- contains `workspaces` field in `package.json`
- contains one of the following file
- `pnpm-workspace.yaml`

## Build Options

### build.target
Expand Down
1 change: 1 addition & 0 deletions packages/vite/src/node/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ export type {
ViteDevServer,
ServerOptions,
CorsOptions,
FileSystemServeOptions,
CorsOrigin,
ServerHook
} from './server'
Expand Down
3 changes: 3 additions & 0 deletions packages/vite/src/node/server/__tests__/fixtures/none/nested/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
"private": true
}
3 changes: 3 additions & 0 deletions packages/vite/src/node/server/__tests__/fixtures/pnpm/nested/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
"private": true
}
3 changes: 3 additions & 0 deletions packages/vite/src/node/server/__tests__/fixtures/pnpm/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
"private": true
}
Empty file added packages/vite/src/node/server/__tests__/fixtures/pnpm/pnpm-workspace.yaml
View file
Open in desktop
Empty file.
3 changes: 3 additions & 0 deletions packages/vite/src/node/server/__tests__/fixtures/yarn/nested/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
"private": true
}
6 changes: 6 additions & 0 deletions packages/vite/src/node/server/__tests__/fixtures/yarn/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
{
"private": true,
"workspaces": [
"nested"
]
}
31 changes: 31 additions & 0 deletions packages/vite/src/node/server/__tests__/search-root.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
import { searchForWorkspaceRoot } from '../searchRoot'
import { resolve } from 'path'

describe('searchForWorkspaceRoot', () => {
test('pnpm', () => {
const resolved = searchForWorkspaceRoot(
resolve(__dirname, 'fixtures/pnpm/nested')
)
expect(resolved).toBe(resolve(__dirname, 'fixtures/pnpm'))
})

test('yarn', () => {
const resolved = searchForWorkspaceRoot(
resolve(__dirname, 'fixtures/yarn/nested')
)
expect(resolved).toBe(resolve(__dirname, 'fixtures/yarn'))
})

test('yarn at root', () => {
const resolved = searchForWorkspaceRoot(resolve(__dirname, 'fixtures/yarn'))
expect(resolved).toBe(resolve(__dirname, 'fixtures/yarn'))
})

test('none', () => {
const resolved = searchForWorkspaceRoot(
resolve(__dirname, 'fixtures/none/nested')
)
// resolved to vite repo's root
expect(resolved).toBe(resolve(__dirname, '../../../../../..'))
})
})
16 changes: 15 additions & 1 deletion packages/vite/src/node/server/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,20 @@ export interface ServerOptions {
* Should start and end with the `/` character
*/
base?: string
/**
* Options for files served via '/\@fs/'.
*/
fsServe?: FileSystemServeOptions
}

export interface FileSystemServeOptions {
/**
* Restrict accessing files outside this directory will result in a 403.
*
* Accepts absolute path or a path relative to project root.
* Will try to search up for workspace root by default.
*/
root?: string
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussion with @patak-js, we are likely to add more options to configure /@fs/ to enhance further security in the future. For example, disabling dotfiles (.env) by default (e.g. sirv). Changed this to an object for further extensions.

}

/**
Expand Down Expand Up @@ -443,7 +457,7 @@ export async function createServer(
middlewares.use(transformMiddleware(server))

// serve static files
middlewares.use(serveRawFsMiddleware())
middlewares.use(serveRawFsMiddleware(config))
middlewares.use(serveStaticMiddleware(root, config))

// spa fallback
Expand Down
45 changes: 43 additions & 2 deletions packages/vite/src/node/server/middlewares/static.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,8 @@ import sirv, { Options } from 'sirv'
import { Connect } from 'types/connect'
import { ResolvedConfig } from '../..'
import { FS_PREFIX } from '../../constants'
import { cleanUrl, isImportRequest } from '../../utils'
import { cleanUrl, fsPathFromId, isImportRequest } from '../../utils'
import { searchForWorkspaceRoot } from '../searchRoot'

const sirvOptions: Options = {
dev: true,
Expand Down Expand Up @@ -74,9 +75,15 @@ export function serveStaticMiddleware(
}
}

export function serveRawFsMiddleware(): Connect.NextHandleFunction {
export function serveRawFsMiddleware(
config: ResolvedConfig
): Connect.NextHandleFunction {
const isWin = os.platform() === 'win32'
const serveFromRoot = sirv('/', sirvOptions)
const serveRoot = path.resolve(
config.root,
config.server?.fsServe?.root || searchForWorkspaceRoot(config.root)
)

// Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
return function viteServeRawFsMiddleware(req, res, next) {
Expand All @@ -86,6 +93,14 @@ export function serveRawFsMiddleware(): Connect.NextHandleFunction {
// the paths are rewritten to `/@fs/` prefixed paths and must be served by
// searching based from fs root.
if (url.startsWith(FS_PREFIX)) {
// restrict files outside of `fsServe.root`
if (!path.resolve(fsPathFromId(url)).startsWith(serveRoot + path.sep)) {
res.statusCode = 403
res.write(renderFsRestrictedHTML(serveRoot))
res.end()
return
}

url = url.slice(FS_PREFIX.length)
if (isWin) url = url.replace(/^[A-Z]:/i, '')

Expand All @@ -96,3 +111,29 @@ export function serveRawFsMiddleware(): Connect.NextHandleFunction {
}
}
}

function renderFsRestrictedHTML(root: string) {
// to have syntax highlighting and autocompletion in IDE
const html = String.raw
return html`
<body>
<h1>403 Restricted</h1>
<p>
For security concerns, accessing files outside of workspace root
(<code>${root}</code>) is restricted since Vite v2.3.x
</p>
<p>
Refer to docs
<a href="https://vitejs.dev/config/#server-fsserveroot">
https://vitejs.dev/config/#server-fsserveroot
</a>
for configurations and more details.
</p>
<style>
body {
padding: 1em 2em;
}
</style>
</body>
`
}
49 changes: 49 additions & 0 deletions packages/vite/src/node/server/searchRoot.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
import fs from 'fs'
import { dirname } from 'path'
import { join } from 'path'

// https://github.com/vitejs/vite/issues/2820#issuecomment-812495079
const ROOT_FILES = [
// '.git',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the explanation for this?


// https://pnpm.js.org/workspaces/
'pnpm-workspace.yaml'

// https://rushjs.io/pages/advanced/config_files/
// 'rush.json',

// https://nx.dev/latest/react/getting-started/nx-setup
// 'workspace.json',
// 'nx.json'
antfu marked this conversation as resolved.
Show resolved Hide resolved
]

// npm: https://docs.npmjs.com/cli/v7/using-npm/workspaces#installing-workspaces
// yarn: https://classic.yarnpkg.com/en/docs/workspaces/#toc-how-to-use-it
function hasWorkspacePackageJSON(root: string): boolean {
const path = join(root, 'package.json')
try {
fs.accessSync(path, fs.constants.R_OK)
} catch {
return false
}
const content = JSON.parse(fs.readFileSync(path, 'utf-8')) || {}
antfu marked this conversation as resolved.
Show resolved Hide resolved
return !!content.workspaces
}

function hasRootFile(root: string): boolean {
return ROOT_FILES.some((file) => fs.existsSync(join(root, file)))
}

export function searchForWorkspaceRoot(
current: string,
root = current
): string {
if (hasRootFile(current)) return current
if (hasWorkspacePackageJSON(current)) return current

const dir = dirname(current)
// reach the fs root
if (!dir || dir === current) return root

return searchForWorkspaceRoot(dir, root)
}