🚨 Vite allows server.fs.deny to be bypassed with .svg or relative paths

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected..

Details

.svg

Requests ending with .svg are loaded at this line.

vite/packages/vite/src/node/plugins/asset.ts

Lines 285 to 290 in 037f801

    <tbody>

    <tr class="border-0">
      <td id="L286" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="286"></td>
      <td id="LC286" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">const</span> <span class="pl-s1">file</span> <span class="pl-c1">=</span> <span class="pl-s1">publicFile</span> <span class="pl-c1">||</span> <span class="pl-en">cleanUrl</span><span class="pl-kos">(</span><span class="pl-s1">id</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L287" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="287"></td>
      <td id="LC287" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">const</span> <span class="pl-s1">content</span> <span class="pl-c1">=</span> <span class="pl-k">await</span> <span class="pl-s1">fsp</span><span class="pl-kos">.</span><span class="pl-en">readFile</span><span class="pl-kos">(</span><span class="pl-s1">file</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L288" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="288"></td>
      <td id="LC288" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-en">shouldInline</span><span class="pl-kos">(</span><span class="pl-s1">environment</span><span class="pl-kos">,</span> <span class="pl-s1">file</span><span class="pl-kos">,</span> <span class="pl-s1">id</span><span class="pl-kos">,</span> <span class="pl-s1">content</span><span class="pl-kos">,</span> <span class="pl-c1">undefined</span><span class="pl-kos">,</span> <span class="pl-c1">undefined</span><span class="pl-kos">)</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L289" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="289"></td>
      <td id="LC289" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">     <span class="pl-k">return</span> <span class="pl-en">assetToDataURL</span><span class="pl-kos">(</span><span class="pl-s1">environment</span><span class="pl-kos">,</span> <span class="pl-s1">file</span><span class="pl-kos">,</span> <span class="pl-s1">content</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L290" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="290"></td>
      <td id="LC290" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-kos">}</span> </td>
    </tr>
</tbody>

if (svgExtRE.test(id)) {

By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

5.4.17

Please refer to CHANGELOG.md for details.

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 2 commits:

• release: v5.4.17
• fix: backport #19782, fs check with svg and relative paths (#19784)

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)