Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Absolute paths of development environment are leaked to unminified production code #2623

Closed
2 of 3 tasks
Timsonrobl opened this issue Mar 21, 2021 · 8 comments
Closed
2 of 3 tasks

Absolute paths of development environment are leaked to unminified production code #2623

Timsonrobl opened this issue Mar 21, 2021 · 8 comments
Labels
bug: upstream Bug in a dependency of Vite security windows only

Comments

@Timsonrobl
Copy link
Contributor

Timsonrobl commented Mar 21, 2021
edited

⚠️ IMPORTANT ⚠️ Please do not ignore this template. If you do, your issue will be closed immediately.

Describe the bug

"vite build" are currently leaking full paths from development environment if set to minify: false.
For example if project code is located on C:\users\sensitive-info-like-user-real-names\projects\myproject\source vite would add variable names like var C__users_sensitiveInfoLikeUserRealNames_projects_myproject_source_node_modules_objectInspect into production code generated by vite build.
I understand that not minifying code for production is not common, however code minification is not a security procedure and should not affect security matters in my opinion.

Reproduction

I'm pretty sure this behavior is universal for any vite project.

System Info

  • vite version: 2.1.2
  • Operating System: Windows 10
  • Node version: 15.9.0
  • Package manager (npm/yarn/pnpm) and version: yarn 1.22.5

Logs (Optional if provided reproduction)

  1. Run vite or vite build with the --debug flag.
  2. Provide the error log here.
@sodatea
Copy link
Member

sodatea commented Apr 12, 2021

I can't reproduce this issue with the vue project template.
So could you please provide a reproduction repo?

@github-actions
Copy link

Hello @Timsonrobl. Please provide a online reproduction by codesandbox or a minimal GitHub repository. Issues labeled by need reproduction will be closed if no activities in 3 days.

@Timsonrobl
Copy link
Contributor Author

I can't reproduce this issue with the vue project template.
So could you please provide a reproduction repo?

Sure, here it is: https://github.com/Timsonrobl/vitejs-leak-minrepo
You need to import any package from node-modules and make sure it's not tree-shaken for leak to appear. For some reason it's not reproducible with just vue createApp import

@sodatea
Copy link
Member

sodatea commented Apr 12, 2021

Got it.

Seems only reproducible in Windows.

@AlttiRi AlttiRi mentioned this issue Apr 13, 2021
Closed
6 tasks
@pastelmind pastelmind mentioned this issue Jun 25, 2021
Closed
@pastelmind
Copy link
Contributor

I can attest that this is reproducible only on Windows. I scaffolded a Vite project using the react template, and the vendor.*.js contains the following line on Windows 10:

var C__Users_Phil_Documents_GitHub_viteReproJs_node_modules_react = { exports: {} };

...while on Ubuntu 20.04 (WSL 2/Windows 10):

var react = { exports: {} };

I'm having problem with Vite where build artifacts generated on Windows and Linux are different, and I suspect this is the root cause.

@pastelmind
Copy link
Contributor

pastelmind commented Jul 3, 2021
edited

It seems the problem originates from @rollup/plugin-commonjs:

export function getName(id) {
  const name = makeLegalIdentifier(basename(id, extname(id)));
  if (name !== 'index') {
    return name;
  }
  const segments = dirname(id).split(sep);
  return makeLegalIdentifier(segments[segments.length - 1]);
}

This function is used to extract a module's base name from the module ID. For example, getName("C:\\Users\\Phil\\Documents\\GitHub\\test-vite-app\\node_modules\\react\\index.js") returns "react".

The problem is that Vite.js normalizes all module IDs to use forward slashes (/). This confuses getName(), which uses path.sep to split paths. Since path.sep is a backslash (\) on Windows, this doesn't split anything. Thus, getName("C:/Users/Phil/Documents/GitHub/test-vite-app/node_modules/react/index.js") returns something like "C__Users_Phil_Documents_GitHub_testViteApp_node_modules_react".

I see two possible ways of fixing this.

  1. Use backslashes for module IDs on Windows: This may have huge implications and probably won't solve the reproducible build problem.
  2. Fix @rollup/plugin-commonjs. An easy hack is to replace 
    const segments = dirname(id).split(sep);
return makeLegalIdentifier(segments[segments.length - 1]);
    with 
    return makeLegalIdentifier(basename(dirname(id)));

@pastelmind pastelmind mentioned this issue Jul 3, 2021
Closed
pastelmind added a commit to Loathing-Associates-Scripting-Society/philter that referenced this issue Jul 3, 2021
@pastelmind
fix(manager): Create reproducible builds
4b2e15f 
Vite currently has a bug that causes it to generate different bundles on
Windows and Linux. This is caused by a fault in @rollup/plugin-commonjs
which is bundled into Vite.

We directly fix the fault in our `node_modules/` using patch-package.
Let's hope the Rollup devs accept my PR and the fix is integrated into
Vite.

More links:

- Bug reports:
    - vitejs/vite#2623
    - rollup/plugins#923
- Related pull requests:
    - rollup/plugins#924
This was referenced Jul 3, 2021
Merged
Open
pastelmind added a commit to Loathing-Associates-Scripting-Society/philter that referenced this issue Jul 4, 2021
@pastelmind
fix(manager): Create reproducible builds
551ebe0 
Vite currently has a bug that causes it to generate different bundles on
Windows and Linux. This is caused by a fault in @rollup/plugin-commonjs
which is bundled into Vite.

We directly fix the fault in our `node_modules/` using patch-package.
Let's hope the Rollup devs accept my PR and the fix is integrated into
Vite.

More links:

- Bug reports:
    - vitejs/vite#2623
    - rollup/plugins#923
- Related pull requests:
    - rollup/plugins#924
@sodatea sodatea added the bug: upstream Bug in a dependency of Vite label Jul 14, 2021
@pastelmind
Copy link
Contributor

pastelmind commented Jul 30, 2021
edited

@rollup/plugin-commonjs v20.0.0 fixes the bug (see rollup/plugins#924). Once we update our dependencies, this issue should be resolved.

Note: I marked the PR for @rollup/plugin-commonjs as a breaking change (and a major version bump) since it alters how variables are emitted. However, this should be a patch version bump for Vite since it doesn't affect its core functionality.

Edit: Should I make a PR for this? Or does the Vite team have an established process for bumping major versions of dependencies?

@patak-dev
Copy link
Member

Thanks a lot @pastelmind,

Edit: Should I make a PR for this? Or does the Vite team have an established process for bumping major versions of dependencies?

We have renovate bot in the repo, at one point it will generate a PR for this. But if you would like to do a PR, I think it is a good idea so this issue is referenced as the reason for the update.

@github-actions github-actions bot locked and limited conversation to collaborators Aug 17, 2021
aleclarson pushed a commit to aleclarson/vite that referenced this issue Nov 8, 2021
@renovate @aleclarson
fix: update dependency @rollup/plugin-commonjs to v20, fix vitejs#2623 (
fa038a7 
vitejs#4469)
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug: upstream Bug in a dependency of Vite security windows only
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@patak-dev @sodatea @Timsonrobl @pastelmind