JennaySDavis
commented
5 months ago #480 Acceptance Criteria
| Pass/Fail | Description |
|---|---|
| Pass | Smoke Testing of Training app. |
Comments/Additional Notes Performance score will increase when https://github.com/orgs/GSA/projects/43/views/1?pane=issue&itemId=46203471 is completed. A Link checker was completed on the app. No broken links were found.
| ADA Compliance (Automated scan via Chrome Lighthouse) | Criteria | Score |
|---|---|---|
| Performance | 95* | |
| Accessibility | 100 | |
| Best Practices | 100 |
*average several scans were completed.
Passed 02/2/2024 - JSD
LoraBradford
Summary Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably, this affects servers hosted on Windows.
This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
Patches Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
Details Since pico-match defaults to case-sensitive glob matching, but the file server doesn't discriminate, a blacklist bypass is possible.
See pico-match usage, where no case is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632.
By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.