From adb61c50c46fb789db43c4894ba0d0e8bb839b85 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=BF=A0=20/=20green?= Date: Fri, 8 Jul 2022 18:05:01 +0900 Subject: [PATCH] fix: backport #8979, re-encode url to prevent fs.allow bypass (fixes #8498) (#8990) --- .../fs-serve/__tests__/fs-serve.spec.ts | 12 ++++++++ .../playground/fs-serve/root/src/index.html | 29 +++++++++++++++++++ .../src/node/server/middlewares/static.ts | 4 +-- 3 files changed, 43 insertions(+), 2 deletions(-) diff --git a/packages/playground/fs-serve/__tests__/fs-serve.spec.ts b/packages/playground/fs-serve/__tests__/fs-serve.spec.ts index 77940b40b3aebd..699e6bc111b74b 100644 --- a/packages/playground/fs-serve/__tests__/fs-serve.spec.ts +++ b/packages/playground/fs-serve/__tests__/fs-serve.spec.ts @@ -44,6 +44,11 @@ describe('main', () => { expect(await page.textContent('.unsafe-fetch-8498-status')).toBe('403') }) + test('unsafe fetch with special characters 2 (#8498)', async () => { + expect(await page.textContent('.unsafe-fetch-8498-2')).toMatch('') + expect(await page.textContent('.unsafe-fetch-8498-2-status')).toBe('404') + }) + test('safe fs fetch', async () => { expect(await page.textContent('.safe-fs-fetch')).toBe(stringified) expect(await page.textContent('.safe-fs-fetch-status')).toBe('200') @@ -66,6 +71,13 @@ describe('main', () => { expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('403') }) + test('unsafe fs fetch with special characters 2 (#8498)', async () => { + expect(await page.textContent('.unsafe-fs-fetch-8498-2')).toBe('') + expect(await page.textContent('.unsafe-fs-fetch-8498-2-status')).toBe( + '404' + ) + }) + test('nested entry', async () => { expect(await page.textContent('.nested-entry')).toBe('foobar') }) diff --git a/packages/playground/fs-serve/root/src/index.html b/packages/playground/fs-serve/root/src/index.html index 6939e0f4b09ed9..68eed69810c7d4 100644 --- a/packages/playground/fs-serve/root/src/index.html +++ b/packages/playground/fs-serve/root/src/index.html @@ -19,6 +19,8 @@

Unsafe Fetch


 

 

+

+

 
 

Safe /@fs/ Fetch


@@ -31,6 +33,8 @@ 

Unsafe /@fs/ Fetch


 

 

+

+

 
 

Nested Entry


@@ -100,6 +104,19 @@ 

Denied

console.error(e) }) + // outside of allowed dir with special characters 2 #8498 + fetch('/src/%252e%252e%252funsafe%252etxt') + .then((r) => { + text('.unsafe-fetch-8498-2-status', r.status) + return r.text() + }) + .then((data) => { + text('.unsafe-fetch-8498-2', data) + }) + .catch((e) => { + console.error(e) + }) + // imported before, should be treated as safe fetch('/@fs/' + ROOT + '/safe.json') .then((r) => { @@ -133,6 +150,18 @@

Denied

text('.unsafe-fs-fetch-8498', JSON.stringify(data)) }) + // outside root with special characters 2 #8498 + fetch( + '/@fs/' + ROOT + '/root/src/%252e%252e%252f%252e%252e%252funsafe%252ejson' + ) + .then((r) => { + text('.unsafe-fs-fetch-8498-2-status', r.status) + return r.json() + }) + .then((data) => { + text('.unsafe-fs-fetch-8498-2', JSON.stringify(data)) + }) + // not imported before, inside root with special characters, treated as safe fetch( '/@fs/' + diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts index 659dfbae62ecfe..b30b1eeccea628 100644 --- a/packages/vite/src/node/server/middlewares/static.ts +++ b/packages/vite/src/node/server/middlewares/static.ts @@ -107,7 +107,7 @@ export function serveStaticMiddleware( } if (redirected) { - req.url = redirected + req.url = encodeURIComponent(redirected) } serve(req, res, next) @@ -142,7 +142,7 @@ export function serveRawFsMiddleware( url = url.slice(FS_PREFIX.length) if (isWindows) url = url.replace(/^[A-Z]:/i, '') - req.url = url + req.url = encodeURIComponent(url) serveFromRoot(req, res, next) } else { next()