Page MenuHomePhabricator
Create Task
Maniphest T294399

Path Traversal Vulnerabilities in Vite
Open, Needs TriagePublic
Actions

Description

These are from the reporting tool Snyk

From https://cwe.mitre.org/data/definitions/23.html
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

The following files are affected:
https://github.com/vitejs/vite/blob/v2.6.12/packages/vite/src/node/server/transformRequest.ts#L112
https://github.com/vitejs/vite/blob/v2.6.12/packages/vite/src/node/server/middlewares/indexHtml.ts#L175
https://github.com/vitejs/vite/blob/v2.6.12/packages/vite/src/node/server/pluginContainer.ts#L310

Suggested fix is to check the file path before traversal. The following examples might or might not work for the Vite code baseL
https://github.com/shime/livedown/commit/9862f810655d8e40f8e235a5ef47db332ad29be4?diff=split#diff-78c12f5adc1848d13b1c6f07055d996eL72
https://github.com/FredrikNoren/ungit/commit/51870548599790dd125f02916461e04f6d29c53f?diff=split#diff-71e7385fb3d187340c7741bf6d4f82ffL335

Related Objects
Search...

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits