
fix: prevent out-of-workspace-root access for open-in-editor and open-in-file #255

Merged
antfu merged 2 commits into vitejs:main from arashsheyda:fix/path-traversal-protection
Mar 25, 2026


Conversation

@arashsheyda
Contributor

Description

This PR won't allow users to open files outside of the project directory, for better security.

Linked Issues

closes #254

Additional context

@pkg-pr-new

pkg-pr-new bot commented Mar 24, 2026


@vitejs/devtools

npm i https://pkg.pr.new/@vitejs/devtools@255

@vitejs/devtools-kit

npm i https://pkg.pr.new/@vitejs/devtools-kit@255

@vitejs/devtools-rolldown

npm i https://pkg.pr.new/@vitejs/devtools-rolldown@255

@vitejs/devtools-rpc

npm i https://pkg.pr.new/@vitejs/devtools-rpc@255

@vitejs/devtools-self-inspect

npm i https://pkg.pr.new/@vitejs/devtools-self-inspect@255

commit: 399938e

return {
handler: async (path: string) => {
await import('launch-editor').then(r => r.default(path))
const resolved = resolve(context.cwd, path)
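Review bot: on the `resolve(context.cwd, path)` line, resolving against a base does not by itself confine the result, because an absolute `path` or one containing `..` segments still resolves to a location outside `context.cwd`. Check `resolved` against the base before using it (for example with `path.relative`, rejecting a result that starts with `..` or is absolute), and make sure `launch-editor` is called with `resolved` rather than the raw `path` seen on the `r.default(path)` line.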
Member


It's better to be the workspace root instead of cwd, as users might want to open files from the monorepo. Use Vite's findWorkspaceRoot API
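
A containment check of the kind this PR and the review comment above discuss, as an added example that is not the PR's code. `resolveInsideRoot`, its `root` argument and the sample paths are constructed for illustration, and the caller is assumed to have already determined the workspace root.

```typescript
import { isAbsolute, relative, resolve, sep } from 'node:path'

/**
 * Resolve `requested` against `root` and return the absolute path only if it
 * stays inside `root`; return null otherwise.
 * Hypothetical helper: `root` is whatever directory the server treats as the
 * workspace root.
 */
function resolveInsideRoot(root: string, requested: string): string | null {
  const base = resolve(root)
  // resolve() collapses `..` segments and lets an absolute `requested`
  // replace `base` entirely, so the result has to be checked, not trusted.
  const target = resolve(base, requested)
  const rel = relative(base, target)
  // Outside the root when the relative path climbs up, or (on Windows) when
  // the target is on another drive and relative() returns an absolute path.
  // Comparing `rel` instead of using target.startsWith(base) also rejects
  // sibling directories that merely share a prefix with the root.
  const escapes = rel === '..' || rel.startsWith(`..${sep}`) || isAbsolute(rel)
  // Lexical check only: a symlink inside the root that points elsewhere still
  // passes. Compare fs.realpath() results if that matters for the deployment.
  return escapes ? null : target
}

// Constructed sample inputs (not taken from the PR).
const ROOT = '/srv/monorepo'
const samples = [
  'packages/app/src/main.ts', // inside the root
  'packages/app/../lib/index.ts', // `..` that stays inside
  '../monorepo-secrets/.env', // sibling sharing the root's prefix
  '../../etc/passwd', // climbs out of the root
  '/etc/passwd', // absolute path replaces the base
  '..config/file', // name starting with dots, not a traversal
].map((p): [string, string | null] => [p, resolveInsideRoot(ROOT, p)])

for (const [input, result] of samples)
  console.log(`${input} -> ${result ?? 'rejected'}`)
```
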

@antfu antfu changed the title from "feat(rpc): implement path traversal protection" to "fix: prevent out-of-workspace-root access for open-in-editor and open-in-file" Mar 25, 2026
@antfu antfu merged commit e4b6d16 into vitejs:main Mar 25, 2026
6 checks passed
@arashsheyda arashsheyda deleted the fix/path-traversal-protection branch March 26, 2026 02:18

Development

Successfully merging this pull request may close these issues.

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') and External Control of File Name or Path in @vitejs/devtools rpc

2 participants