Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: /@fs/ dir traversal with escaped chars (fixes #8498) #8804

Merged
merged 2 commits into from
Jun 27, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions packages/vite/src/node/server/middlewares/static.ts
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ export function serveStaticMiddleware(
return next()
}

const url = decodeURI(req.url!)
const url = decodeURIComponent(req.url!)

// apply aliases to static requests as well
let redirected: string | undefined
Expand Down Expand Up @@ -123,7 +123,7 @@ export function serveRawFsMiddleware(

// Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
return function viteServeRawFsMiddleware(req, res, next) {
let url = decodeURI(req.url!)
let url = decodeURIComponent(req.url!)
// In some cases (e.g. linked monorepos) files outside of root will
// reference assets that are also out of served root. In such cases
// the paths are rewritten to `/@fs/` prefixed paths and must be served by
Expand Down
12 changes: 12 additions & 0 deletions playground/fs-serve/__tests__/fs-serve.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,13 @@ describe.runIf(isServe)('main', () => {
expect(await page.textContent('.unsafe-fetch-status')).toBe('403')
})

test('unsafe fetch with special characters (#8498)', async () => {
expect(await page.textContent('.unsafe-fetch-8498')).toMatch(
'403 Restricted'
)
expect(await page.textContent('.unsafe-fetch-8498-status')).toBe('403')
})

test('safe fs fetch', async () => {
expect(await page.textContent('.safe-fs-fetch')).toBe(stringified)
expect(await page.textContent('.safe-fs-fetch-status')).toBe('200')
Expand All @@ -52,6 +59,11 @@ describe.runIf(isServe)('main', () => {
expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
})

test('unsafe fs fetch with special characters (#8498)', async () => {
expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('403')
})

test('nested entry', async () => {
expect(await page.textContent('.nested-entry')).toBe('foobar')
})
Expand Down
27 changes: 27 additions & 0 deletions playground/fs-serve/root/src/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@ <h2>Safe Fetch Subdirectory</h2>
<h2>Unsafe Fetch</h2>
<pre class="unsafe-fetch-status"></pre>
<pre class="unsafe-fetch"></pre>
<pre class="unsafe-fetch-8498-status"></pre>
<pre class="unsafe-fetch-8498"></pre>

<h2>Safe /@fs/ Fetch</h2>
<pre class="safe-fs-fetch-status"></pre>
Expand All @@ -27,6 +29,8 @@ <h2>Safe /@fs/ Fetch</h2>
<h2>Unsafe /@fs/ Fetch</h2>
<pre class="unsafe-fs-fetch-status"></pre>
<pre class="unsafe-fs-fetch"></pre>
<pre class="unsafe-fs-fetch-8498-status"></pre>
<pre class="unsafe-fs-fetch-8498"></pre>

<h2>Nested Entry</h2>
<pre class="nested-entry"></pre>
Expand Down Expand Up @@ -83,6 +87,19 @@ <h2>Denied</h2>
console.error(e)
})

// outside of allowed dir with special characters #8498
fetch('/src/%2e%2e%2funsafe%2etxt')
.then((r) => {
text('.unsafe-fetch-8498-status', r.status)
return r.text()
})
.then((data) => {
text('.unsafe-fetch-8498', data)
})
.catch((e) => {
console.error(e)
})

// imported before, should be treated as safe
fetch('/@fs/' + ROOT + '/safe.json')
.then((r) => {
Expand All @@ -106,6 +123,16 @@ <h2>Denied</h2>
console.error(e)
})

// outside root with special characters #8498
fetch('/@fs/' + ROOT + '/root/src/%2e%2e%2f%2e%2e%2funsafe%2ejson')
.then((r) => {
text('.unsafe-fs-fetch-8498-status', r.status)
return r.json()
})
.then((data) => {
text('.unsafe-fs-fetch-8498', JSON.stringify(data))
})

// not imported before, inside root with special characters, treated as safe
fetch(
'/@fs/' +
Expand Down