Builder-Vite: Fix allowedHosts handling for custom hosts #30432
Conversation
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 file(s) reviewed, 1 comment(s)
Edit PR Review Bot Settings | Greptile
There was a problem hiding this comment.
LGTM
1 file(s) reviewed, no comment(s)
Edit PR Review Bot Settings | Greptile
|
View your CI Pipeline Execution ↗ for commit 2e7da03.
☁️ Nx Cloud last updated this comment at |
JSMike
force-pushed
the
issue-30338-vite-allowedHosts
branch
from
9645c02 to
a58dc85
Compare
There was a problem hiding this comment.
@JSMike Thanks so much for putting this together!!
A few questions:
- Have you tested with an older version of Vite? Will it just ignore the option in that case?
- In the fallback case of
allowedHosts = true, is that a security issue? Or it doesn't really apply because we're only running in dev?
shilman
added
maintenance
I confirmed with vite 4.0.4 (oldest version that was listed within the project), and setting
This setting only applies when running Storybook/Vite in server mode, and the vite config is being passed a 'devServer' instance from Storybook core-server/dev-server. This would have no impact on the built storybook application assets. Developers should be discouraged from using Storybook devServer in production. This PR defaults functionality back to how the devServer behaved prior to the addition of One additional note, in all of my testing of different combinations of
|
JSMike
force-pushed
the
issue-30338-vite-allowedHosts
branch
from
7d4b70c to
2e7da03
Compare
shilman
changed the title
shilman
changed the title
There was a problem hiding this comment.
24 file(s) reviewed, 2 comment(s)
Edit PR Review Bot Settings | Greptile
| @@ -29,6 +29,12 @@ export async function createViteServer(options: Options, devServer: Server) { | |||
| optimizeDeps: await getOptimizeDeps(commonCfg, options), | |||
| }; | |||
|
|
|||
| const ipRegex = /^(?:\d{1,3}\.){3}\d{1,3}$|^(?:[a-fA-F0-9]{1,4}:){7}[a-fA-F0-9]{1,4}$/; | |||
There was a problem hiding this comment.
style: Consider extracting this regex to a constant at module level since it's a static pattern that could be reused
| config.server.allowedHosts = | ||
| commonCfg.server?.allowedHosts ?? | ||
| (options.host && !ipRegex.test(options.host) ? [options.host.toLowerCase()] : true); |
There was a problem hiding this comment.
style: Consider adding a comment explaining the logic: true allows all hosts, array restricts to specific hosts
Builder-Vite: Fix allowedHosts handling for custom hosts (cherry picked from commit cfedafb)
@shilman Answering from me as well, as I found this PR and wanted to confirm that you know the impact of doing so. If you are ok with having your source code (and other contents served on the dev server) viewed by other people, it is fine. For example, if you have to make your source code secret, then setting If you are going to set |
|
@sapphi-red thanks so much for jumping in. it's a grey area since users should never run @JSMike i also agree with you that this is an easier change to make in a major release, and we are coming up on Storybook 9 in the next few months. so one option would be to attach I'll discuss with the team see if anybody has strong opinions one way or the other. |
|
@sapphi-red does this exploit expose |
I think this is the opposite. This vulnerability mainly affects when a web browser is used alongside the dev server. In production, you won't have a web browser running, so I think in most cases it doesn't affect in prod. |
No. This only exposes the files allowed by |
|
@shilman My personal suggestion would be to keep status-quo, add some documentation about this setting and print a warning message when |
@JSMike I agree that most developers with sensitive data aren’t / shouldn't binding to public ports on open networks. However, this attack described in the report is possible even if the dev server is only binding to the local port. It also does not require to know the IP address. The attacker needs to know the port number. But the default port number is normally used and the attacker can simply brute force the ports if needed, so the port number itself isn’t necessarily a barrier. |
Builder-Vite: Fix allowedHosts handling for custom hosts (cherry picked from commit cfedafb)
github-actions
bot
added
the
patch:done
|
@shilman Was this released in v8.5.4 intentionally? (no criticism, just confirming. I understand that prioritizing not to break things is a valid option.) If so, was the reason for doing so is because you assumed that most people would not care about this? I'm planning to post messages on social media to tell people that if they need to stop exposing the source code, they have to set |
|
@sapphi-red thanks so much for checking, and for your hard work on this issue. We didn't have a chance to discuss as a team, but our next release will be a semver major so we can do it properly if we choose. |
|
In my opinion you should release a patch that reverts this change and let users opt-in with explicit allowedHosts if they need it. Waiting for the next major is going to take time and not every user will be able to update immediately, leaving users of storybook@8 vulnerable by default, which should prompt someone to refile the vite security advisory against storybook. |
|
please also consider that we had multiple advisories against fs.deny bypasses in the past, so if there was another way to bypass that, this would lead to full fs access through |
|
Thanks @dominikg. I'll discuss with the team and follow up here. |
|
We've decided to partially revert this. #30523 |
Update yarn lock to use version of
vitethat hasallowedHostsinServerOptions.Add logic to pass forward
server.allowedHostsfrom user's vite config, otherwise check if server is bound to value that should defaultallowedHoststotrue, otherwise use setallowedHoststo contain specifiedhost.Closes #30338
What I did
Add logic to define
allowedHostseither by passing forward config from user's vite config, or setting default. This required updating some of the yarn lock to use a version that contained the type forallowedHosts, but remained in respected semver range. This change should have no impact on prior versions because theallowedHostsvalue will be ignored by vite.Checklist for Contributors
Testing
The changes in this PR are covered in the following automated tests:
Manual testing
This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!
yarn task --task sandbox --start-from auto --template lit-vite/default-tshostnameinstead oflocalhost, by default this should load as expected.{ server: { allowedHosts: ['localhost'] } }yarn run storybookfrom your sandboxhostnameas the URL and the preview should fail to load, as expected, since it is no longer an allowed hostname.localhostas the URL and the preview should load.Documentation
MIGRATION.MD
Checklist for Maintainers
When this PR is ready for testing, make sure to add
ci:normal,ci:mergedorci:dailyGH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found incode/lib/cli-storybook/src/sandbox-templates.tsMake sure this PR contains one of the labels below:
Available labels
bug: Internal changes that fixes incorrect behavior.maintenance: User-facing maintenance tasks.dependencies: Upgrading (sometimes downgrading) dependencies.build: Internal-facing build tooling & test updates. Will not show up in release changelog.cleanup: Minor cleanup style change. Will not show up in release changelog.documentation: Documentation only changes. Will not show up in release changelog.feature request: Introducing a new feature.BREAKING CHANGE: Changes that break compatibility in some way with current major version.other: Changes that don't fit in the above categories.🦋 Canary release
This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the
@storybookjs/coreteam here.core team members can create a canary release here or locally with
gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>Greptile Summary
Let me provide a clear and concise summary of this pull request:
This PR fixes an issue where Storybook was not accessible via local hostnames after upgrading to Vite 6. The key changes include:
allowedHostsconfiguration in Vite server setupallowedHostssettings from vite configallowedHosts: truefor common local addresses (::/0.0.0.0/127.0.0.1)allowedHostsarray when not using common local addressesKey files changed:
code/builders/builder-vite/src/vite-server.ts: Main implementation ofallowedHostshandlingCHANGELOG.md: Documents the fix for hostname accessibility issuesThe changes are focused and minimal, addressing issue #30338 where Storybook became inaccessible via local hostnames after the Vite 6 upgrade. The implementation properly handles backward compatibility and provides secure defaults for development environments.
💡 (1/5) You can manually trigger the bot by mentioning @greptileai in a comment!