From 6820bb3b9a54334f3268fc5ee1e967d2e1c0db34 Mon Sep 17 00:00:00 2001
From: patak <583075+patak-dev@users.noreply.github.com>
Date: Mon, 16 Sep 2024 17:38:29 +0200
Subject: [PATCH] fix: fs raw query (#18112)
---
.../src/node/server/middlewares/static.ts | 2 +-
.../src/node/server/middlewares/transform.ts | 9 +++++++++
.../fs-serve/__tests__/fs-serve.spec.ts | 5 +++++
playground/fs-serve/root/src/index.html | 20 +++++++++++++++++++
4 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index dac16e071b8217..6cb8a0c383a77f 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -232,7 +232,7 @@ export function isFileServingAllowed(
return false
}
-function ensureServingAccess(
+export function ensureServingAccess(
url: string,
server: ViteDevServer,
res: ServerResponse,
diff --git a/packages/vite/src/node/server/middlewares/transform.ts b/packages/vite/src/node/server/middlewares/transform.ts
index 6df8ae25091c6d..b56ccb76ff9ef3 100644
--- a/packages/vite/src/node/server/middlewares/transform.ts
+++ b/packages/vite/src/node/server/middlewares/transform.ts
@@ -12,6 +12,7 @@ import {
isJSRequest,
normalizePath,
prettifyUrl,
+ rawRE,
removeImportQuery,
removeTimestampQuery,
urlRE,
@@ -35,6 +36,7 @@ import { ERR_CLOSED_SERVER } from '../pluginContainer'
import { getDepsOptimizer } from '../../optimizer'
import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils'
import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants'
+import { ensureServingAccess } from './static'
const debugCache = createDebugger('vite:cache')
@@ -161,6 +163,13 @@ export function transformMiddleware(
warnAboutExplicitPublicPathInUrl(url)
}
+ if (
+ (rawRE.test(url) || urlRE.test(url)) &&
+ !ensureServingAccess(url, server, res, next)
+ ) {
+ return
+ }
+
if (
isJSRequest(url) ||
isImportRequest(url) ||
diff --git a/playground/fs-serve/__tests__/fs-serve.spec.ts b/playground/fs-serve/__tests__/fs-serve.spec.ts
index 9d9d4c6ec80e54..16ecc0b78dc295 100644
--- a/playground/fs-serve/__tests__/fs-serve.spec.ts
+++ b/playground/fs-serve/__tests__/fs-serve.spec.ts
@@ -77,6 +77,11 @@ describe.runIf(isServe)('main', () => {
expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
})
+ test('unsafe fs fetch', async () => {
+ expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('')
+ expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403')
+ })
+
test('unsafe fs fetch with special characters (#8498)', async () => {
expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')
diff --git a/playground/fs-serve/root/src/index.html b/playground/fs-serve/root/src/index.html
index 06bee3f8671949..fb1276d79fea22 100644
--- a/playground/fs-serve/root/src/index.html
+++ b/playground/fs-serve/root/src/index.html
@@ -35,6 +35,8 @@ Safe /@fs/ Fetch
Unsafe /@fs/ Fetch
+
+
@@ -188,6 +190,24 @@ Denied
console.error(e)
})
+ // not imported before, outside of root, treated as unsafe
+ fetch(
+ joinUrlSegments(
+ base,
+ joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw',
+ ),
+ )
+ .then((r) => {
+ text('.unsafe-fs-fetch-raw-status', r.status)
+ return r.json()
+ })
+ .then((data) => {
+ text('.unsafe-fs-fetch-raw', JSON.stringify(data))
+ })
+ .catch((e) => {
+ console.error(e)
+ })
+
// outside root with special characters #8498
fetch(
joinUrlSegments(