Skip to content

Commit

Permalink
fix: /@fs/ dir traversal with escaped chars (fixes #8498) (#8804)
Browse files Browse the repository at this point in the history
  • Loading branch information
sapphi-red committed Jun 27, 2022
1 parent e53c029 commit 6851009
Show file tree
Hide file tree
Showing 3 changed files with 41 additions and 2 deletions.
4 changes: 2 additions & 2 deletions packages/vite/src/node/server/middlewares/static.ts
Expand Up @@ -80,7 +80,7 @@ export function serveStaticMiddleware(
return next()
}

const url = decodeURI(req.url!)
const url = decodeURIComponent(req.url!)

// apply aliases to static requests as well
let redirected: string | undefined
Expand Down Expand Up @@ -123,7 +123,7 @@ export function serveRawFsMiddleware(

// Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
return function viteServeRawFsMiddleware(req, res, next) {
let url = decodeURI(req.url!)
let url = decodeURIComponent(req.url!)
// In some cases (e.g. linked monorepos) files outside of root will
// reference assets that are also out of served root. In such cases
// the paths are rewritten to `/@fs/` prefixed paths and must be served by
Expand Down
12 changes: 12 additions & 0 deletions playground/fs-serve/__tests__/fs-serve.spec.ts
Expand Up @@ -35,6 +35,13 @@ describe.runIf(isServe)('main', () => {
expect(await page.textContent('.unsafe-fetch-status')).toBe('403')
})

test('unsafe fetch with special characters (#8498)', async () => {
expect(await page.textContent('.unsafe-fetch-8498')).toMatch(
'403 Restricted'
)
expect(await page.textContent('.unsafe-fetch-8498-status')).toBe('403')
})

test('safe fs fetch', async () => {
expect(await page.textContent('.safe-fs-fetch')).toBe(stringified)
expect(await page.textContent('.safe-fs-fetch-status')).toBe('200')
Expand All @@ -52,6 +59,11 @@ describe.runIf(isServe)('main', () => {
expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
})

test('unsafe fs fetch with special characters (#8498)', async () => {
expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('403')
})

test('nested entry', async () => {
expect(await page.textContent('.nested-entry')).toBe('foobar')
})
Expand Down
27 changes: 27 additions & 0 deletions playground/fs-serve/root/src/index.html
Expand Up @@ -17,6 +17,8 @@ <h2>Safe Fetch Subdirectory</h2>
<h2>Unsafe Fetch</h2>
<pre class="unsafe-fetch-status"></pre>
<pre class="unsafe-fetch"></pre>
<pre class="unsafe-fetch-8498-status"></pre>
<pre class="unsafe-fetch-8498"></pre>

<h2>Safe /@fs/ Fetch</h2>
<pre class="safe-fs-fetch-status"></pre>
Expand All @@ -27,6 +29,8 @@ <h2>Safe /@fs/ Fetch</h2>
<h2>Unsafe /@fs/ Fetch</h2>
<pre class="unsafe-fs-fetch-status"></pre>
<pre class="unsafe-fs-fetch"></pre>
<pre class="unsafe-fs-fetch-8498-status"></pre>
<pre class="unsafe-fs-fetch-8498"></pre>

<h2>Nested Entry</h2>
<pre class="nested-entry"></pre>
Expand Down Expand Up @@ -83,6 +87,19 @@ <h2>Denied</h2>
console.error(e)
})

// outside of allowed dir with special characters #8498
fetch('/src/%2e%2e%2funsafe%2etxt')
.then((r) => {
text('.unsafe-fetch-8498-status', r.status)
return r.text()
})
.then((data) => {
text('.unsafe-fetch-8498', data)
})
.catch((e) => {
console.error(e)
})

// imported before, should be treated as safe
fetch('/@fs/' + ROOT + '/safe.json')
.then((r) => {
Expand All @@ -106,6 +123,16 @@ <h2>Denied</h2>
console.error(e)
})

// outside root with special characters #8498
fetch('/@fs/' + ROOT + '/root/src/%2e%2e%2f%2e%2e%2funsafe%2ejson')
.then((r) => {
text('.unsafe-fs-fetch-8498-status', r.status)
return r.json()
})
.then((data) => {
text('.unsafe-fs-fetch-8498', JSON.stringify(data))
})

// not imported before, inside root with special characters, treated as safe
fetch(
'/@fs/' +
Expand Down

0 comments on commit 6851009

Please sign in to comment.