[vulnerability] Vite serves files ignoring fs.allow setting

[benmccann]

Describe the bug

Vite appears to be serving files from the root directory regardless of how fs.allow is set. This would allow other users on the network to potentially steal .env files or other sensitive data in dev mode

I think the bug is on this line:

vite/packages/vite/src/node/server/index.ts

Line 528 in d1c85d1

middlewares.use(serveStaticMiddleware(root, config))

At least for SvelteKit apps, there is no reason to serve anything outside of static, but we can't restrict the serving to that directory

Normally I wouldn't report a security vulnerability publicly, but this was already reported as sveltejs/kit#2627

Reproduction

npm init svelte@next sveltekit
cd sveltekit
npm run dev

Load http://localhost:3000/svelte.config.js in the browser

System Info

Vite 2.6.10

Used Package Manager

npm

Logs

No response

Validations

• Follow our Code of Conduct
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to https://github.com/vuejs/vue-next instead.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.