Closed renovate[bot] closed 5 months ago
This PR contains the following updates:
5.0.11
5.0.12
Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.
server.fs.deny
This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.
picomatch
See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632
nocase
false
By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.
config.server.fs.deny
Setup
npm create vite@latest
npm run dev -- --host 0.0.0.0
custom.secret
production.pem
vite.config.js
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }
Reproduction
curl -s http://20.12.242.81:5173/@​fs//
curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
Proof
Who
What
📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
5.0.11->5.0.12GitHub Vulnerability Alerts
CVE-2024-23331
Summary
Vite dev server option
server.fs.denycan be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
Details
Since
picomatchdefaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.See
picomatchusage, wherenocaseis defaulted tofalse: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632By requesting raw filesystem paths using augmented casing, the matcher derived from
config.server.fs.denyfails to block access to sensitive files.PoC
Setup
npm create vite@lateston a Standard Azure hosted Windows 10 instance.npm run dev -- --host 0.0.0.0custom.secretandproduction.pemvite.config.jswithReproduction
curl -s http://20.12.242.81:5173/@​fs//curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.jscurl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReTProof
Impact
Who
What
server.fs.denyare both discoverable, and accessibleRelease Notes
vitejs/vite (vite)
### [`v5.0.12`](https://togithub.com/vitejs/vite/releases/tag/v5.0.12) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.11...v5.0.12) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.0.12/packages/vite/CHANGELOG.md) for details.Configuration
📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.