chore(deps): update dependency vite [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	5.4.0 -> 5.4.6
vite (source)	5.4.0 -> 3.2.10
vite (source)	5.4.0 -> 4.5.3

GitHub Vulnerability Alerts

CVE-2024-45811

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

CVE-2023-34092

The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.

Steps to Fix. Update Vite: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. Secure the server configuration: In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories.

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected and only files in the immediate Vite project root folder could be exposed.\n\n### Patches\nFixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 and in the latest minors of the previous two majors, vite@3.2.7 and vite@2.9.16.

Details

Vite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \n\n### PoC\n1. Create a new latest project of Vite using any package manager. (here I'm using react and vue templates and pnpm for testing)\n2. Serve the application on dev mode using pnpm run dev.\n3. Directly access the file via url using double forward-slash (//) (e.g: //.env, //.env.local)\n4. The server option fs.deny was successfully bypassed.

Proof Images: \n

CVE-2024-23331

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in [email protected], [email protected], [email protected], [email protected]

Details

Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

PoC

Setup

1. Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
   • npm run dev -- --host 0.0.0.0
   • Publicly accessible for the time being here: http://20.12.242.81:5173/
2. Created dummy secret files, e.g. custom.secret and production.pem
3. Populated vite.config.js with

export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }

Reproduction

1. curl -s http://20.12.242.81:5173/@​fs//
   • Descriptive error page reveals absolute filesystem path to project root
2. curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
   • Discoverable configuration file reveals locations of secrets
3. curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
   • Secrets are directly accessible using case-augmented version of filename

Proof

Impact

Who

• Users with exposed dev servers on environments with case-insensitive filesystems

What

• Files protected by server.fs.deny are both discoverable, and accessible

CVE-2024-31207

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

• with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
• with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

---

Release Notes

vitejs/vite (vite)

v5.4.6

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.5

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.4

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.3

Compare Source

• fix: allow getting URL of JS files in publicDir (#​17915) (943ece1), closes #​17915
• fix: cjs warning respect the logLevel flag (#​17993) (dc3c14f), closes #​17993
• fix: improve CJS warning trace information (#​17926) (5c5f82c), closes #​17926
• fix: only remove entry assets handled by Vite core (#​17916) (ebfaa7e), closes #​17916
• fix: waitForRequestIdle locked (#​17982) (ad13760), closes #​17982
• fix(css): fix directory index import in sass modern api (#​17960) (9b001ba), closes #​17960
• fix(css): fix sass file:// reference (#​17909) (561b940), closes #​17909
• fix(css): fix sass modern source map (#​17938) (d428e7e), closes #​17938
• fix(deps): bump tsconfck (#​17990) (8c661b2), closes #​17990
• fix(html): rewrite assets url in (#​17988) (413c86a), closes #​17988
• fix(preload): add crossorigin attribute in CSS link tags (#​17930) (15871c7), closes #​17930
• chore: reduce diffs with v6 branch (#​17942) (bf9065a), closes #​17942
• chore(deps): update all non-major dependencies (#​17945) (cfb621e), closes #​17945
• chore(deps): update all non-major dependencies (#​17991) (0ca53cf), closes #​17991

v5.4.2

Compare Source

• chore: remove stale TODOs (#​17866) (e012f29), closes #​17866
• refactor: remove redundant prepend/strip base (#​17887) (3b8f03d), closes #​17887
• fix: resolve relative URL generated by renderBuiltUrl passed to module preload (#​16084) (fac3a8e), closes #​16084
• feat: support originalFilename (#​17867) (7d8c0e2), closes #​17867

v5.4.1

Compare Source

• fix: build.modulePreload.resolveDependencies is optimizable (#​16083) (e961b31), closes #​16083
• fix: align CorsOptions.origin type with @​types/cors (#​17836) (1bda847), closes #​17836
• fix: typings for vite:preloadError (#​17868) (6700594), closes #​17868
• fix(build): avoid re-define __vite_import_meta_env__ (#​17876) (e686d74), closes #​17876
• fix(deps): update all non-major dependencies (#​17869) (d11711c), closes #​17869
• fix(lightningcss): search for assets with correct base path (#​17856) (4e5ce3c), closes #​17856
• fix(worker): handle self reference url worker in dependency for build (#​17846) (391bb49), closes #​17846
• chore: fix picocolors import for local dev (#​17884) (9018255), closes #​17884
• refactor: remove handleHotUpdate from watch-package-data plugin (#​17865) (e16bf1f), closes #​17865

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: ddc439d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
panda-docs	✅ Ready (Inspect)	Visit Preview	Sep 17, 2024 7:07pm
panda-playground	✅ Ready (Inspect)	Visit Preview	Sep 17, 2024 7:07pm
panda-studio	✅ Ready (Inspect)	Visit Preview	Sep 17, 2024 7:07pm