GHSA-8jhw-289h-jh2g: Vite's `server.fs.deny` did not deny requests for patterns with directories.

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/*/.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (micromatch/picomatch#89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['/.git/'] and then curl for /.git/config.

• with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
• with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

References

• GHSA-8jhw-289h-jh2g
• vitejs/vite@011bbca
• vitejs/vite@5a056dd
• vitejs/vite@89c7c64
• vitejs/vite@96a7f3a
• vitejs/vite@ba5269c
• vitejs/vite@d2db33f