
build: fix dev-server running in snippet mode #18679


Merged

Conversation

devversion

Browsersync has 3 possible modes. snippet, proxy and server. We
currently run with snippet even though we actually want to serve with
the live-reloading script being injected automatically.

In order to ensure that Browsersync runs in the server mode and
properly prints the URL to the http server, we re-enable the
server option that has been disabled in the past for security reasons.
The logic to prevent directory traversal still remains, and we also
explicitly disable directory listing (even though we have manual request
interception).

@jelbourn I verified that your directory traversal logic still works:

curl --path-as-is http://localhost:4200/../../../../../../../../../../Desktop/test.ts
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    73  100    73    0     0  73000      0 --:--:-- --:--:-- --:--:-- 73000
TEST FILE CONTENT
curl --path-as-is http://localhost:4200/../../../../../../../../../../Desktop/test.ts
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    35  100    35    0     0   2187      0 --:--:-- --:--:-- --:--:--  2187
Error: Detected directory traversal

@devversion devversion added pr: merge safe target: patch This PR is targeted for the next patch release labels Mar 2, 2020
@devversion devversion requested a review from a team as a code owner March 2, 2020 21:11
@googlebot googlebot added the cla: yes PR author has agreed to Google's Contributor License Agreement label Mar 2, 2020
@devversion devversion changed the title build: fix dev-server running in snippiet mode build: fix dev-server running in snippet mode Mar 2, 2020

@josephperrott josephperrott left a comment


LGTM

@josephperrott josephperrott added pr: lgtm action: merge The PR is ready for merge by the caretaker labels Mar 3, 2020

@jelbourn jelbourn left a comment


LGTM

@mmalerba mmalerba merged commit 2428651 into angular:master Mar 4, 2020
mmalerba added a commit that referenced this pull request Mar 6, 2020
@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Apr 4, 2020