fix: re-encode url to prevent fs.allow bypass (fixes #8498) #8979

Merged
patak-dev merged 2 commits into vitejs:main from sapphi-red:fix/reencode-url
Jul 8, 2022
Conversation

sapphi-red (Member) commented Jul 7, 2022

Description

I think this fix is not the ideal way but at least it works.

The reason why #8498 (comment) was happening is:

  1. Vite decodes URL (%252ffoo.txt => %2ffoo.txt)
  2. Vite filters URL (%2ffoo.txt)
  3. sirv decodes URL (%2ffoo.txt => /foo.txt)
  4. sirv responds (/foo.txt)

The file path mapped from URL is different between 2 and 4.

This PR adds encode after 2. (%2ffoo.txt => %252ffoo.txt)

fixes #8498
refs #8804
refs lukeed/sirv#139

Additional context


What is the purpose of this pull request?

  • Bug fix
  • New Feature
  • Documentation update
  • Other

Before submitting the PR, please make sure you do the following

  • Read the Contributing Guidelines.
  • Read the Pull Request Guidelines and follow the Commit Convention.
  • Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
  • Provide a description in this PR that addresses what the PR is solving, or reference the issue that it solves (e.g. fixes #123).
  • Ideally, include relevant tests that fail without this PR but pass with it.

@sapphi-red sapphi-red added bug p5-urgent Fix build-breaking bugs affecting most users, should be released ASAP (priority) security labels Jul 7, 2022
netlify bot commented Jul 7, 2022

Deploy Preview for vite-docs-main canceled.

Latest commit: 5cc05bf
Latest deploy log: https://app.netlify.com/sites/vite-docs-main/deploys/62c7b182d5c6ff000868525c

@sapphi-red sapphi-red closed this Jul 8, 2022
@sapphi-red sapphi-red deleted the fix/reencode-url branch July 8, 2022 03:56
@sapphi-red sapphi-red restored the fix/reencode-url branch July 8, 2022 03:56
@sapphi-red sapphi-red reopened this Jul 8, 2022

Development

Successfully merging this pull request may close these issues.

Unrestricted directory traversal with @fs (Bypass)

3 participants