From 19dae997f91607424af2d0e159ae2570463bbcb3 Mon Sep 17 00:00:00 2001
From: patak
Date: Mon, 17 May 2021 08:32:45 +0200
Subject: [PATCH] fix: skip fs fallback for out of root urls, fix #3364 (#3431)
---
 .../src/node/server/middlewares/static.ts | 14 ++++++++++---
 .../vite/src/node/server/transformRequest.ts | 21 ++++++++++---------
 2 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index e243957618e75b..5801b7d15bbd17 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -109,16 +109,24 @@ export function serveRawFsMiddleware(
 }
 }
+export function isFileAccessAllowed(
+ url: string,
+ { root, strict }: Required
+): boolean {
+ return !strict || normalizePath(url).startsWith(root + path.posix.sep)
+}
+
 export function ensureServingAccess(
 url: string,
- { root, strict }: Required,
+ serveOptions: Required,
 logger: Logger
 ): void {
+ const { strict, root } = serveOptions
 // TODO: early return, should remove once we polished the restriction logic
 if (!strict) return
- const normalizedUrl = normalizePath(url)
- if (!normalizedUrl.startsWith(root + path.posix.sep)) {
+ if (!isFileAccessAllowed(url, serveOptions)) {
+ const normalizedUrl = normalizePath(url)
 if (strict) {
 throw new AccessRestrictedError(
 `The request url "${normalizedUrl}" is outside of vite dev server root "${root}".
diff --git a/packages/vite/src/node/server/transformRequest.ts b/packages/vite/src/node/server/transformRequest.ts
index 8138a0ca306ce6..5e506bd36299bb 100644
--- a/packages/vite/src/node/server/transformRequest.ts
+++ b/packages/vite/src/node/server/transformRequest.ts
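Review bot: `isFileAccessAllowed` in static.ts is a string-prefix test of `normalizePath(url)` against `root + path.posix.sep`, and the hunk gives this exported function no doc comment stating that contract, although it now decides whether the fs fallback in transformRequest.ts reads a file. A TSDoc block should say that it returns true for every path when `strict` is off, and that the comparison is purely lexical: nothing visible here resolves symlinks or normalises case, so confirm that callers pass an already resolved path. It should also say that `root` is expected without a trailing slash, since the check appends its own separator. At the new call site the argument is a filesystem path, so `file` would be a clearer parameter name than `url`.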
@@ -16,7 +16,7 @@ import {
 import { checkPublicFile } from '../plugins/asset'
 import { ssrTransform } from '../ssr/ssrTransform'
 import { injectSourcesContent } from './sourcemap'
-import { ensureServingAccess } from './middlewares/static'
+import { isFileAccessAllowed } from './middlewares/static'
 const debugLoad = createDebugger('vite:load')
 const debugTransform = createDebugger('vite:transform')
@@ -73,15 +73,16 @@ export async function transformRequest(
 // try fallback loading it from fs as string
 // if the file is a binary, there should be a plugin that already loaded it
 // as string
- try {
- if (!options.ssr) {
- ensureServingAccess(file, config.server.fsServe, config.logger)
- }
- code = await fs.readFile(file, 'utf-8')
- isDebug && debugLoad(`${timeFrom(loadStart)} [fs] ${prettyUrl}`)
- } catch (e) {
- if (e.code !== 'ENOENT') {
- throw e
+ // only try the fallback if access is allowed, skip for out of root url
+ // like /service-worker.js or /api/users
+ if (options.ssr || isFileAccessAllowed(file, config.server.fsServe)) {
+ try {
+ code = await fs.readFile(file, 'utf-8')
+ isDebug && debugLoad(`${timeFrom(loadStart)} [fs] ${prettyUrl}`)
+ } catch (e) {
+ if (e.code !== 'ENOENT') {
+ throw e
+ }
 }
 }
 if (code) {
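Review bot: A denied out-of-root path in the fs fallback of `transformRequest` is now silent. The removed `ensureServingAccess(file, config.server.fsServe, config.logger)` call threw `AccessRestrictedError` in strict mode, while `isFileAccessAllowed` only returns a boolean, so a skipped read leaves no trace on this path. An `else` branch with a debug line such as `isDebug && debugLoad('[fs] skipped (outside root) ' + prettyUrl)` would keep refusals visible when debugging without adding noise for routes like `/api/users`. The added comment explains the out-of-root skip but not the `options.ssr ||` short-circuit, which deserves a one-line comment saying why SSR loads are exempt from the check. The body of `transformRequest` starts and ends outside this hunk.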