@antfu antfu commented May 7, 2021

Description

Continue from #2850, disable dotfiles serving by default to further enhance the security.

Additional context


What is the purpose of this pull request?

  • Bug fix
  • New Feature
  • Documentation update
  • Other

Before submitting the PR, please make sure you do the following

  • Read the Contributing Guidelines.
  • Read the Pull Request Guidelines and follow the Commit Convention.
  • Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
  • Provide a description in this PR that addresses what the PR is solving, or reference the issue that it solves (e.g. fixes #123).
  • Ideally, include relevant tests that fail without this PR but pass with it.

@antfu antfu changed the title fix: disabled /@fs/ serving for dotfiles by default fix: disable dotfiles serving via /@fs/ by default May 7, 2021
@antfu antfu requested review from Shinigami92 and patak-dev May 7, 2021 16:02
patak-dev previously approved these changes May 7, 2021

patak-dev commented May 7, 2021

Did you check what is the interaction with Vite's cache (node_modules/.vite)? I checked that this is also restricted, and I imagine that imported path rewrites are not going through /@fs/ when loading the optimized deps cache?
Also maybe worth checking, the .vitepress directory

@Shinigami92 Shinigami92 left a comment

Just some minor things

@antfu antfu requested a review from Shinigami92 May 7, 2021 17:16

antfu commented May 7, 2021

> Did you check what is the interaction with Vite's cache (node_modules/.vite)? I checked that this is also restricted, and I imagine that imported path rewrites are not going through /@fs/ when loading the optimized deps cache?
> Also maybe worth checking, the .vitepress directory

Oh... Good catch. I will try to find a solution for that tmr

antfu commented May 9, 2021

As discussed with the team, we decided to abandon this PR for now, as #2977 and #2850 already covered major security issues. Adding these changes will affect access to .vite and .vitepress and other ecosystem usages; at this point, this is more harmful than what it's actually trying to solve. We might explore more options to provide further serving controls if the community is asking for it. Closing this for now.

@antfu antfu closed this May 9, 2021