npm run dev serves entire project directory #919
Comments
This could also be a security issue

I believe this is caused by vitejs/vite#2820 and will need to be fixed there

What about leaving this open as I think you would also need to change some configuration here then? And also this should probably be fixed before a 1.0 release so nobody forgets about it?

Nothing would be changed here. User projects would need to be upgraded

Getting this issue as well. This seems like a severe vulnerability @benmccann @Rich-Harris

@AlbertMarashi are you on the latest? This should not be happening unless you're on a very old version: kit/packages/kit/src/core/dev/index.js Line 104 in 9f600c2

Describe the bug
When I run npm run dev, the entire project directory is included and served as static assets. For instance, I can go to http://localhost:3000/README.md and get a prompt to download this file. (The regular static assets are routed and served correctly -- this is something extra on top of that.)
To Reproduce
npm init svelte@next
npm run dev
Expected behavior
The project root is not served as static assets.
Information about your SvelteKit Installation:
Diagnostics
The output of npx envinfo --system --npmPackages svelte,@sveltejs/kit,vite --binaries --browsers
System:
OS: Linux 4.19 Ubuntu 20.04.2 LTS (Focal Fossa)
CPU: (4) x64 Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz
Memory: 4.17 GB / 6.12 GB
Container: Yes
Shell: 5.0.17 - /bin/bash
Binaries:
Node: 14.7.0 - ~/.nvm/versions/node/v14.7.0/bin/node
npm: 7.6.3 - ~/.nvm/versions/node/v14.7.0/bin/npm
npmPackages:
@sveltejs/kit: next => 1.0.0-next.71
svelte: ^3.29.0 => 3.37.0
vite: ^2.1.0 => 2.1.5
Your adapter (e.g. Node, static, Vercel, Begin, etc...)
Node
Severity
Fairly severe -- it makes it impossible to write routes that overlap with the project directory structure (e.g., a /data/[filename].json route that corresponds to a data/ directory of JSON files in the project root that I add additional information to before serving). I discovered it because I was trying to set up a route with parameters that corresponded to a folder structure in my project directory, and spent a while thinking it had to be stale service workers or cache issues before realizing that the files from the project folder itself, rather than just static/, were being served as static assets.
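
The reported behaviour next to the expected one, as an added example that is not SvelteKit or Vite code: a small model of static-asset resolution where the served root is either the project directory or only static/. The /app layout, the file list and the names resolveAsset, reported and expected are assumptions made for illustration.

```javascript
const path = require('path');

// Constructed project layout (sample data, not taken from the issue's project).
const PROJECT_ROOT = '/app';
const FILES = new Set([
  '/app/README.md',
  '/app/data/cities.json',
  '/app/static/favicon.png',
]);

// Resolve a request path against serveRoot. Returns the file path only when it
// stays inside serveRoot and exists; null means "not a static asset", so the
// request falls through to the router.
function resolveAsset(serveRoot, urlPath, files = FILES) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath.split(/[?#]/)[0]);
  } catch {
    return null; // malformed percent-encoding
  }
  if (!decoded.startsWith('/') || decoded.includes('\0')) return null;

  const root = path.posix.resolve(serveRoot);
  const candidate = path.posix.resolve(root, '.' + decoded);
  const rel = path.posix.relative(root, candidate);
  // Reject the root itself and anything that climbs out of it.
  if (rel === '' || rel === '..' || rel.startsWith('../')) return null;

  return files.has(candidate) ? candidate : null;
}

// Behaviour reported in the issue: the whole project directory is the served root.
const reported = (url) => resolveAsset(PROJECT_ROOT, url);
// Expected behaviour from the issue: only static/ is served.
const expected = (url) => resolveAsset(PROJECT_ROOT + '/static', url);

for (const url of ['/README.md', '/data/cities.json', '/favicon.png', '/%2e%2e/README.md']) {
  console.log(url.padEnd(20), 'reported:', reported(url), '| expected:', expected(url));
}
```

With the project root as the served root, /data/cities.json resolves to a file and shadows a /data/[filename].json route; with static/ as the root it returns null and the route handles it.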