vite 2.9.16
Vite dev server option server.fs.deny can be bypassed when hosted on case-insensitive filesystem
>= 2.7.0, <= 2.9.16
Summary
Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.
This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
Details
Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.
See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632
By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.
PoC
Setup
- Created vanilla Vite project using
npm create vite@lateston a Standard Azure hosted Windows 10 instance.npm run dev -- --host 0.0.0.0- Publicly accessible for the time being here: http://20.12.242.81:5173/
- Created dummy secret files, e.g.
custom.secretandproduction.pem - Populated
vite.config.jswith
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }
Reproduction
curl -s http://20.12.242.81:5173/@fs//- Descriptive error page reveals absolute filesystem path to project root
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js- Discoverable configuration file reveals locations of secrets
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT- Secrets are directly accessible using case-augmented version of filename
Proof
Impact
Who
- Users with exposed dev servers on environments with case-insensitive filesystems
What
- Files protected by
server.fs.denyare both discoverable, and accessible
Vite's server.fs.deny did not deny requests for patterns with directories.
>= 2.7.0, <= 2.9.17
Summary
Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.
Impact
Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Patches
Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18
Details
server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.
Reproduction
Set fs.deny to ['**/.git/**'] and then curl for /.git/config.
- with
matchBase: true, you can get any file under.git/(config, HEAD, etc). - with
matchBase: false, you cannot get any file under.git/(config, HEAD, etc).
No license issues detected.
This package version has a license in the source code.
This package version is available.
This package version has not been yanked and is still available for usage.