fix(server): Security fix: only listen to private network address by default #2865
Conversation
|
How about we just render the message stating its disabled instead of showing the address? It can't be accessed after all. This avoids some unnecessary information shown to the user. Something like: Additionally we could hint toward how to open the gates to the network: |
|
Instead of the "listenPublic" options, maybe it's more straightforward to let users use |
antfu
added
p4-important
Yes, that's more straightforward, at least a bit easier from an implementation perspective inside Vite. And after all, the But even though using I'm fine with both versions. WDYT? |
|
I recommend using the server: {
listen: ip, // 127.0.0.1 or 0.0.0.0 or 192.168.35.1/24
} |
|
Thanks for pushing for this change @eirslett. IMO, we shouldn't show the Network line at all. If we want to hint that there is a config option to enable this, maybe we can add a line about that |
|
Some tests are failing on AppVeyor 🤔 |
I suspect that the test is trying to connect to localhost, but to the public IP interface instead of the private one...? |
|
ping is there anybody with a Windows setup who can test locally that this change does what it's supposed to? I think the AppVeyor build fails because of the OS, but I'm not sure. |
|
We may rebase this PR when #2622 was merged into main With that we can then see if it's a windows problem or not |
…default See also vitejs#2820 which makes this problem critically worse. Up until now, Vite has been listening on all public IP addresses by default, which could be a potential security vulnerability. This fixes the default behavior, so Vite only listens on 127.0.0.1. You can get the old behavior back (listen to all IPs) by running with the --listen-public CLI flag, or setting ``` export default defineConfig({ server: { listenPublic: true } // ... more config here }) ``` in the Vite config file.
Co-authored-by: Shinigami <chrissi92@hotmail.de>
Co-authored-by: Shinigami <chrissi92@hotmail.de>
eirslett
force-pushed
the
listen-only-private-ip-by-default
branch
from
470f4f2 to
3fa2971
Compare
|
Looks like it's failing all over the place... on my MacOS locally, the tests pass. 😩 |
| @@ -555,7 +562,10 @@ async function startServer( | |||
|
|
|||
| httpServer.on('error', onError) | |||
|
|
|||
| httpServer.listen(port, options.host, () => { | |||
| const listenHostname = listenPublic | |||
There was a problem hiding this comment.
would this mean you'd have to specify listenPublic: true if you want to set a custom hostname?
There was a problem hiding this comment.
Correct - you would have to explicitly set both.
There was a problem hiding this comment.
hmm, not sure i like that. If i'm actively setting host it should work without having to set another option too. Imho defaulting host to 127.0.0.1 should suffice. Users can still do --host 0.0.0.0 to get the old behavior back. (they shouldn't).
There was a problem hiding this comment.
not to mention that listenPublic may be a misnomer. We don't know the network setup on the machine the devserver is running on. The only safe assumption is that 127.0.0.1 isn't "public".
There was a problem hiding this comment.
I also think that if a user specifies a --host, it is already opting in.
As @c-bandy was proposing, we should add a message in the console to let the user know this option
Use --host to expose the server to other devices on this network
I think we should implement the same scheme as sirv: https://github.com/lukeed/sirv/tree/master/packages/sirv-cli#network-access
For security reasons, sirv-cli does not expose your server to the network by default. This means that your machine, and only your machine, will be able to access the localhost server.
If, however, your coworker wants to access the server from their computer, or you want to preview your work on a mobile device, you must use the --host flag. Only then will your server be accessible to other devices on the same network.
Using --host without a value is equivalent to --host 0.0.0.0, which is makes it discoverable publicly. You may customize this by passing a different value – but you probably don't need to!
@antfu what do you think? I like the --host option without parameters scheme here for the old behavior. And we wouldn't need an extra option
|
I created a new PR that implements this, but uses only the |
See also #2820 which makes this problem critically worse.
Up until now, Vite has been listening on all public IP addresses
by default, which could be a potential security vulnerability.
This fixes the default behavior, so Vite only listens on 127.0.0.1.
You can get the old behavior back (listen to all IPs) by running
with the --listen-public CLI flag, or setting
in the Vite config file.
This is how the two alternatives look like in the terminal: You can see that it writes "(disabled)" next to the public IP.