
Unrestricted directory traversal with `@fs`


Describe the bug

The entire filesystem is indiscriminately exposed while the Vite dev server is running. Combined with the fact that the server is exposed to 0.0.0.0 by default, you’re effectively opening your machine to the world during development.

This is technically a Vite feature as currently documented, but probably not actually intended.

Reproduction

Any Vite project will do.

npm init @vitejs/app app
cd app
npm install
npm run dev

Combined with the fact that any “out of root” directories already reveal the username of the current user, you can also easily do http://localhost:3000/@fs/home/username/.ssh/id_rsa

System Info

  System:
    OS: Windows 10 10.0.19042
    CPU: (16) x64 AMD Ryzen 7 3700X 8-Core Processor
    Memory: 19.47 GB / 31.95 GB
  Binaries:
    Node: 14.16.0 - C:\Program Files\nodejs\node.EXE
    Yarn: 1.22.10 - ~\AppData\Roaming\npm\yarn.CMD
    npm: 7.7.5 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Chrome: 89.0.4389.114
    Edge: Spartan (44.19041.423.0), Chromium (89.0.774.63)
    Internet Explorer: 11.0.19041.1
  npmPackages:
    vite: ^2.1.5 => 2.1.5

Used package manager: npm

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 14
  • Comments: 14 (11 by maintainers)

Top GitHub Comments

antfu commented, Apr 4, 2021 (4 reactions)

Drafted a PR, https://github.com/vitejs/vite/issues/2820

Not sure if we should do the auto-detection, which could be a bit untransparent for users as the behavior would change based on users’ environments. For example, having a package.json with workspace accidentally on your ~/ will still unsafely expose /@fs/home/username/.ssh/id_rsa and others. So, I’d think maybe it’s better to be strict by default and let users configure for monorepo setups explicitly.

ElMassimo commented, Apr 26, 2021 (2 reactions)

Sharing a piece of information we’ve discussed with @patak-js a few times, but I forgot to add it here.

In a Vite Ruby project structure, vite.config.ts is at the project root while Vite’s `root` targets an inner directory such as app/frontend/entrypoints.

The library leverages the fact that Vite can serve files in app/frontend, that is, outside of the `root`.

If the fix uses the location of package.json or the location of vite.config.ts to determine the root of the workspace (if failing to detect a mono repo), it wouldn’t break Vite Ruby projects.


Top Results From Across the Web

Unrestricted directory traversal with `@fs` (Bypass) · Issue #8498
The vulnerability found at #2820 was found to be not fixed properly, which leads to the unrestricted directory traversal. Currently the @fs ...

Path Traversal | OWASP Foundation
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder...

What is directory traversal, and how to prevent it? - PortSwigger
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the...

What Is Path Traversal and How Does It Work? - Synopsys
A path traversal vulnerability allows an attacker to access files on your web server to which they should not have access. They do...

CWE-22: Improper Limitation of a Pathname to a Restricted ...
This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as "/usr/local/bin", which may also...
