From c59a76a01514431536b935b06ddb457456d3e43d Mon Sep 17 00:00:00 2001 From: sapphi-red Date: Fri, 8 Jul 2022 03:24:01 +0900 Subject: [PATCH 1/2] fix: re-encode url to prevent fs.allow bypass --- .../src/node/server/middlewares/static.ts | 9 ++++-- .../fs-serve/__tests__/fs-serve.spec.ts | 10 +++++++ playground/fs-serve/root/src/index.html | 29 +++++++++++++++++++ 3 files changed, 46 insertions(+), 2 deletions(-) diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts index 9f18b6391face0..6733e317217f23 100644 --- a/packages/vite/src/node/server/middlewares/static.ts +++ b/packages/vite/src/node/server/middlewares/static.ts @@ -109,13 +109,18 @@ export function serveStaticMiddleware( } if (redirected) { - req.url = redirected + req.url = encodePercent(redirected) } serve(req, res, next) } } +const percentRe = /%/g +function encodePercent(url: string) { + return url.includes('%') ? url.replace(percentRe, '%25') : url +} + export function serveRawFsMiddleware( server: ViteDevServer ): Connect.NextHandleFunction { @@ -144,7 +149,7 @@ export function serveRawFsMiddleware( url = url.slice(FS_PREFIX.length) if (isWindows) url = url.replace(/^[A-Z]:/i, '') - req.url = url + req.url = encodePercent(url) serveFromRoot(req, res, next) } else { next() diff --git a/playground/fs-serve/__tests__/fs-serve.spec.ts b/playground/fs-serve/__tests__/fs-serve.spec.ts index 2111cac80cc4e7..d65ccdea7368cf 100644 --- a/playground/fs-serve/__tests__/fs-serve.spec.ts +++ b/playground/fs-serve/__tests__/fs-serve.spec.ts @@ -42,6 +42,11 @@ describe.runIf(isServe)('main', () => { expect(await page.textContent('.unsafe-fetch-8498-status')).toBe('403') }) + test('unsafe fetch with special characters 2 (#8498)', async () => { + expect(await page.textContent('.unsafe-fetch-8498-2')).toMatch('') + expect(await page.textContent('.unsafe-fetch-8498-2-status')).toBe('404') + }) + test('safe fs fetch', async () => { expect(await page.textContent('.safe-fs-fetch')).toBe(stringified) expect(await page.textContent('.safe-fs-fetch-status')).toBe('200') @@ -64,6 +69,11 @@ describe.runIf(isServe)('main', () => { expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('403') }) + test('unsafe fs fetch with special characters 2 (#8498)', async () => { + expect(await page.textContent('.unsafe-fs-fetch-8498-2')).toBe('') + expect(await page.textContent('.unsafe-fs-fetch-8498-2-status')).toBe('404') + }) + test('nested entry', async () => { expect(await page.textContent('.nested-entry')).toBe('foobar') }) diff --git a/playground/fs-serve/root/src/index.html b/playground/fs-serve/root/src/index.html index 6939e0f4b09ed9..68eed69810c7d4 100644 --- a/playground/fs-serve/root/src/index.html +++ b/playground/fs-serve/root/src/index.html @@ -19,6 +19,8 @@

Unsafe Fetch


 

 

+

+

 
 

Safe /@fs/ Fetch


@@ -31,6 +33,8 @@ 

Unsafe /@fs/ Fetch


 

 

+

+

 
 

Nested Entry


@@ -100,6 +104,19 @@ 

Denied

console.error(e) }) + // outside of allowed dir with special characters 2 #8498 + fetch('/src/%252e%252e%252funsafe%252etxt') + .then((r) => { + text('.unsafe-fetch-8498-2-status', r.status) + return r.text() + }) + .then((data) => { + text('.unsafe-fetch-8498-2', data) + }) + .catch((e) => { + console.error(e) + }) + // imported before, should be treated as safe fetch('/@fs/' + ROOT + '/safe.json') .then((r) => { @@ -133,6 +150,18 @@

Denied

text('.unsafe-fs-fetch-8498', JSON.stringify(data)) }) + // outside root with special characters 2 #8498 + fetch( + '/@fs/' + ROOT + '/root/src/%252e%252e%252f%252e%252e%252funsafe%252ejson' + ) + .then((r) => { + text('.unsafe-fs-fetch-8498-2-status', r.status) + return r.json() + }) + .then((data) => { + text('.unsafe-fs-fetch-8498-2', JSON.stringify(data)) + }) + // not imported before, inside root with special characters, treated as safe fetch( '/@fs/' + From 5cc05bf0d922171ecd9fe37b02d1177c83762057 Mon Sep 17 00:00:00 2001 From: sapphi-red Date: Fri, 8 Jul 2022 13:24:18 +0900 Subject: [PATCH 2/2] refactor: encodeURIComponent --- packages/vite/src/node/server/middlewares/static.ts | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts index 6733e317217f23..3b482068bd6138 100644 --- a/packages/vite/src/node/server/middlewares/static.ts +++ b/packages/vite/src/node/server/middlewares/static.ts @@ -109,18 +109,13 @@ export function serveStaticMiddleware( } if (redirected) { - req.url = encodePercent(redirected) + req.url = encodeURIComponent(redirected) } serve(req, res, next) } } -const percentRe = /%/g -function encodePercent(url: string) { - return url.includes('%') ? url.replace(percentRe, '%25') : url -} - export function serveRawFsMiddleware( server: ViteDevServer ): Connect.NextHandleFunction { @@ -149,7 +144,7 @@ export function serveRawFsMiddleware( url = url.slice(FS_PREFIX.length) if (isWindows) url = url.replace(/^[A-Z]:/i, '') - req.url = encodePercent(url) + req.url = encodeURIComponent(url) serveFromRoot(req, res, next) } else { next()