Skip to content

Commit

Permalink
fix: fs raw query (#18112)
Browse files Browse the repository at this point in the history
  • Loading branch information
patak-dev committed Sep 16, 2024
1 parent 37881e7 commit 6820bb3
Show file tree
Hide file tree
Showing 4 changed files with 35 additions and 1 deletion.
2 changes: 1 addition & 1 deletion packages/vite/src/node/server/middlewares/static.ts
Original file line number Diff line number Diff line change
Expand Up @@ -232,7 +232,7 @@ export function isFileServingAllowed(
return false
}

function ensureServingAccess(
export function ensureServingAccess(
url: string,
server: ViteDevServer,
res: ServerResponse,
Expand Down
9 changes: 9 additions & 0 deletions packages/vite/src/node/server/middlewares/transform.ts
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import {
isJSRequest,
normalizePath,
prettifyUrl,
rawRE,
removeImportQuery,
removeTimestampQuery,
urlRE,
Expand All @@ -35,6 +36,7 @@ import { ERR_CLOSED_SERVER } from '../pluginContainer'
import { getDepsOptimizer } from '../../optimizer'
import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils'
import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants'
import { ensureServingAccess } from './static'

const debugCache = createDebugger('vite:cache')

Expand Down Expand Up @@ -161,6 +163,13 @@ export function transformMiddleware(
warnAboutExplicitPublicPathInUrl(url)
}

if (
(rawRE.test(url) || urlRE.test(url)) &&
!ensureServingAccess(url, server, res, next)
) {
return
}

if (
isJSRequest(url) ||
isImportRequest(url) ||
Expand Down
5 changes: 5 additions & 0 deletions playground/fs-serve/__tests__/fs-serve.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,11 @@ describe.runIf(isServe)('main', () => {
expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
})

test('unsafe fs fetch', async () => {
expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('')
expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403')
})

test('unsafe fs fetch with special characters (#8498)', async () => {
expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')
Expand Down
20 changes: 20 additions & 0 deletions playground/fs-serve/root/src/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ <h2>Safe /@fs/ Fetch</h2>
<h2>Unsafe /@fs/ Fetch</h2>
<pre class="unsafe-fs-fetch-status"></pre>
<pre class="unsafe-fs-fetch"></pre>
<pre class="unsafe-fs-fetch-raw-status"></pre>
<pre class="unsafe-fs-fetch-raw"></pre>
<pre class="unsafe-fs-fetch-8498-status"></pre>
<pre class="unsafe-fs-fetch-8498"></pre>
<pre class="unsafe-fs-fetch-8498-2-status"></pre>
Expand Down Expand Up @@ -188,6 +190,24 @@ <h2>Denied</h2>
console.error(e)
})

// not imported before, outside of root, treated as unsafe
fetch(
joinUrlSegments(
base,
joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw',
),
)
.then((r) => {
text('.unsafe-fs-fetch-raw-status', r.status)
return r.json()
})
.then((data) => {
text('.unsafe-fs-fetch-raw', JSON.stringify(data))
})
.catch((e) => {
console.error(e)
})

// outside root with special characters #8498
fetch(
joinUrlSegments(
Expand Down

0 comments on commit 6820bb3

Please sign in to comment.