Describe the bug
Vite appears to be serving files from the root directory regardless of how fs.allow is set. This would allow other users on the network to potentially steal .env files or other sensitive data in dev mode.
I think the bug is on this line:
vite/packages/vite/src/node/server/index.ts
Line 528 in d1c85d1
At least for SvelteKit apps, there is no reason to serve anything outside of static, but we can't restrict the serving to that directory.
Normally I wouldn't report a security vulnerability publicly, but this was already reported as sveltejs/kit#2627
Reproduction
Load http://localhost:3000/svelte.config.js in the browser
System Info
Used Package Manager
npm
Logs
No response
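The containment check this report expects from fs.allow, written out as an added example (not Vite's code and not part of the original issue): a request is answered from disk only if its decoded, normalised path falls inside an allowed directory. The function names, the /app layout and the sample URLs are constructed for illustration, and POSIX-style paths are assumed.

```javascript
// Added example, not Vite's code. All names are hypothetical.
// Assumes POSIX-style absolute paths and that URL paths map onto `root`.

// Collapse "", "." and ".." segments; ".." never climbs above "/".
function normalizeAbs(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// True when `file` is `dir` or lies below it. Comparing against dir + "/"
// keeps "/app/static-old" from passing as a child of "/app/static".
function isInside(file, dir) {
  const d = normalizeAbs(dir);
  return file === d || file.startsWith(d === '/' ? '/' : d + '/');
}

// Map a request URL to a file and say whether the allow list covers it.
function checkRequest(root, allow, reqUrl) {
  let pathname;
  try {
    // Drop query and hash, then decode once so %2e%2e is seen as "..".
    pathname = decodeURIComponent(reqUrl.split(/[?#]/)[0]);
  } catch {
    return { allowed: false, file: null, reason: 'malformed encoding' };
  }
  if (pathname.includes('\0')) {
    return { allowed: false, file: null, reason: 'NUL byte' };
  }
  const file = normalizeAbs(root + '/' + pathname);
  const allowed = allow.some((dir) => isInside(file, dir));
  return { allowed, file, reason: allowed ? 'in allow list' : 'outside allow list' };
}

// Constructed requests against a constructed project layout.
const ROOT = '/app';
const ALLOW = ['/app/static'];
for (const url of ['/svelte.config.js', '/.env', '/static/favicon.png',
  '/static/%2e%2e/.env', '/static-old/x.js', '/static/%zz']) {
  const r = checkRequest(ROOT, ALLOW, url);
  console.log(r.allowed ? 'SERVE' : 'DENY ', url, '->', r.file, `(${r.reason})`);
}
```

The check is purely lexical; a server that follows symlinks would also need to resolve the real path before comparing.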