fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts

Author: sapphi-red

docs/config/preview-options.md

@@ -17,6 +17,15 @@ See [`server.host`](./server-options#server-host) for more details.
 
 :::
 
+## preview.allowedHosts
+
+- **Type:** `string | true`
+- **Default:** [`server.allowedHosts`](./server-options#server-allowedhosts)
+
+The hostnames that Vite is allowed to respond to.
+
+See [`server.allowedHosts`](./server-options#server-allowedhosts) for more details.
+
 ## preview.port
 
 - **Type:** `number`

docs/config/server-options.md

@@ -41,6 +41,20 @@ See [the WSL document](https://learn.microsoft.com/en-us/windows/wsl/networking#
 
 :::
 
+## server.allowedHosts
+
+- **Type:** `string[] | true`
+- **Default:** `[]`
+
+The hostnames that Vite is allowed to respond to.
+`localhost` and domains under `.localhost` and all IP addresses are allowed by default.
+When using HTTPS, this check is skipped.
+
+If a string starts with `.`, it will allow that hostname without the `.` and all subdomains under the hostname. For example, `.example.com` will allow `example.com`, `foo.example.com`, and `foo.bar.example.com`.
+
+If set to `true`, the server is allowed to respond to requests for any hosts.
+This is not recommended as it will be vulnerable to DNS rebinding attacks.
+
 ## server.port
 
 - **Type:** `number`

packages/vite/src/node/config.ts

@@ -73,6 +73,7 @@ import { findNearestPackageData } from './packages'
 import { loadEnv, resolveEnvPrefix } from './env'
 import type { ResolvedSSROptions, SSROptions } from './ssr'
 import { resolveSSROptions } from './ssr'
+import { getAdditionalAllowedHosts } from './server/middlewares/hostCheck'
 
 const debug = createDebugger('vite:config')
 const promisifiedRealpath = promisify(fs.realpath)
@@ -424,6 +425,8 @@ export type ResolvedConfig = Readonly<
      * @deprecated
      */
     webSocketToken: string
+    /** @internal */
+    additionalAllowedHosts: string[]
   } & PluginHookUtils
 >
 
@@ -791,6 +794,8 @@ export async function resolveConfig(
 
   const base = withTrailingSlash(resolvedBase)
 
+  const preview = resolvePreviewOptions(config.preview, server)
+
   resolved = {
     configFile: configFile ? normalizePath(configFile) : undefined,
     configFileDependencies: configFileDependencies.map((name) =>
@@ -822,7 +827,7 @@ export async function resolveConfig(
           },
     server,
     build: resolvedBuildOptions,
-    preview: resolvePreviewOptions(config.preview, server),
+    preview,
     envDir,
     env: {
       ...userEnv,
@@ -858,6 +863,7 @@ export async function resolveConfig(
     webSocketToken: Buffer.from(
       crypto.getRandomValues(new Uint8Array(9)),
     ).toString('base64url'),
+    additionalAllowedHosts: getAdditionalAllowedHosts(server, preview),
     getSortedPlugins: undefined!,
     getSortedPluginHooks: undefined!,
   }

packages/vite/src/node/http.ts

@@ -24,6 +24,18 @@ export interface CommonServerOptions {
    * Set to 0.0.0.0 to listen on all addresses, including LAN and public addresses.
    */
   host?: string | boolean
+  /**
+   * The hostnames that Vite is allowed to respond to.
+   * `localhost` and subdomains under `.localhost` and all IP addresses are allowed by default.
+   * When using HTTPS, this check is skipped.
+   *
+   * If a string starts with `.`, it will allow that hostname without the `.` and all subdomains under the hostname.
+   * For example, `.example.com` will allow `example.com`, `foo.example.com`, and `foo.bar.example.com`.
+   *
+   * If set to `true`, the server is allowed to respond to requests for any hosts.
+   * This is not recommended as it will be vulnerable to DNS rebinding attacks.
+   */
+  allowedHosts?: string[] | true
   /**
    * Enable TLS + HTTP/2.
    * Note: this downgrades to TLS only when the proxy option is also used.

packages/vite/src/node/preview.ts

@@ -37,6 +37,7 @@ import { bindCLIShortcuts } from './shortcuts'
 import type { BindCLIShortcutsOptions } from './shortcuts'
 import { resolveConfig } from './config'
 import type { InlineConfig, ResolvedConfig } from './config'
+import { hostCheckMiddleware } from './server/middlewares/hostCheck'
 
 export interface PreviewOptions extends CommonServerOptions {}
 
@@ -53,6 +54,7 @@ export function resolvePreviewOptions(
     port: preview?.port,
     strictPort: preview?.strictPort ?? server.strictPort,
     host: preview?.host ?? server.host,
+    allowedHosts: preview?.allowedHosts ?? server.allowedHosts,
     https: preview?.https ?? server.https,
     open: preview?.open ?? server.open,
     proxy: preview?.proxy ?? server.proxy,
@@ -188,6 +190,13 @@ export async function preview(
     app.use(corsMiddleware(typeof cors === 'boolean' ? {} : cors))
   }
 
+  // host check (to prevent DNS rebinding attacks)
+  const { allowedHosts } = config.preview
+  // no need to check for HTTPS as HTTPS is not vulnerable to DNS rebinding attacks
+  if (allowedHosts !== true && !config.preview.https) {
+    app.use(hostCheckMiddleware(config))
+  }
+
   // proxy
   const { proxy } = config.preview
   if (proxy) {

packages/vite/src/node/server/index.ts

@@ -97,6 +97,7 @@ import type { TransformOptions, TransformResult } from './transformRequest'
 import { transformRequest } from './transformRequest'
 import { searchForWorkspaceRoot } from './searchRoot'
 import { warmupFiles } from './warmup'
+import { hostCheckMiddleware } from './middlewares/hostCheck'
 
 export interface ServerOptions extends CommonServerOptions {
   /**
@@ -853,6 +854,13 @@ export async function _createServer(
     middlewares.use(corsMiddleware(typeof cors === 'boolean' ? {} : cors))
   }
 
+  // host check (to prevent DNS rebinding attacks)
+  const { allowedHosts } = serverConfig
+  // no need to check for HTTPS as HTTPS is not vulnerable to DNS rebinding attacks
+  if (allowedHosts !== true && !serverConfig.https) {
+    middlewares.use(hostCheckMiddleware(config))
+  }
+
   middlewares.use(cachedTransformMiddleware(server))
 
   // proxy

packages/vite/src/node/server/middlewares/__tests__/hostCheck.spec.ts

@@ -0,0 +1,112 @@
+import { describe, expect, test } from 'vitest'
+import {
+  getAdditionalAllowedHosts,
+  isHostAllowedWithoutCache,
+} from '../hostCheck'
+
+test('getAdditionalAllowedHosts', async () => {
+  const actual = getAdditionalAllowedHosts(
+    {
+      host: 'vite.host.example.com',
+      hmr: {
+        host: 'vite.hmr-host.example.com',
+      },
+      origin: 'http://vite.origin.example.com:5173',
+    },
+    {
+      host: 'vite.preview-host.example.com',
+    },
+  ).sort()
+  expect(actual).toStrictEqual(
+    [
+      'vite.host.example.com',
+      'vite.hmr-host.example.com',
+      'vite.origin.example.com',
+      'vite.preview-host.example.com',
+    ].sort(),
+  )
+})
+
+describe('isHostAllowedWithoutCache', () => {
+  const allowCases = {
+    'IP address': [
+      '192.168.0.0',
+      '[::1]',
+      '127.0.0.1:5173',
+      '[2001:db8:0:0:1:0:0:1]:5173',
+    ],
+    localhost: [
+      'localhost',
+      'localhost:5173',
+      'foo.localhost',
+      'foo.bar.localhost',
+    ],
+    specialProtocols: [
+      // for electron browser window (https://github.com/webpack/webpack-dev-server/issues/3821)
+      'file:///path/to/file.html',
+      // for browser extensions (https://github.com/webpack/webpack-dev-server/issues/3807)
+      'chrome-extension://foo',
+    ],
+  }
+
+  const disallowCases = {
+    'IP address': ['255.255.255.256', '[:', '[::z]'],
+    localhost: ['localhos', 'localhost.foo'],
+    specialProtocols: ['mailto:[email protected]'],
+    others: [''],
+  }
+
+  for (const [name, inputList] of Object.entries(allowCases)) {
+    test.each(inputList)(`allows ${name} (%s)`, (input) => {
+      const actual = isHostAllowedWithoutCache([], [], input)
+      expect(actual).toBe(true)
+    })
+  }
+
+  for (const [name, inputList] of Object.entries(disallowCases)) {
+    test.each(inputList)(`disallows ${name} (%s)`, (input) => {
+      const actual = isHostAllowedWithoutCache([], [], input)
+      expect(actual).toBe(false)
+    })
+  }
+
+  test('allows additionalAlloweHosts option', () => {
+    const additionalAllowedHosts = ['vite.example.com']
+    const actual = isHostAllowedWithoutCache(
+      [],
+      additionalAllowedHosts,
+      'vite.example.com',
+    )
+    expect(actual).toBe(true)
+  })
+
+  test('allows single allowedHosts', () => {
+    const cases = {
+      allowed: ['example.com'],
+      disallowed: ['vite.dev'],
+    }
+    for (const c of cases.allowed) {
+      const actual = isHostAllowedWithoutCache(['example.com'], [], c)
+      expect(actual, c).toBe(true)
+    }
+    for (const c of cases.disallowed) {
+      const actual = isHostAllowedWithoutCache(['example.com'], [], c)
+      expect(actual, c).toBe(false)
+    }
+  })
+
+  test('allows all subdomain allowedHosts', () => {
+    const cases = {
+      allowed: ['example.com', 'foo.example.com', 'foo.bar.example.com'],
+      disallowed: ['vite.dev'],
+    }
+    for (const c of cases.allowed) {
+      const actual = isHostAllowedWithoutCache(['.example.com'], [], c)
+      expect(actual, c).toBe(true)
+    }
+    for (const c of cases.disallowed) {
+      const actual = isHostAllowedWithoutCache(['.example.com'], [], c)
+      expect(actual, c).toBe(false)
+    }
+  })
+})