From 813ddd6155c3d54801e264ba832d8347f6f66b32 Mon Sep 17 00:00:00 2001
From: patak
Date: Fri, 26 May 2023 12:17:52 +0200
Subject: [PATCH] fix: fs.deny with leading double slash (#13348)

---
 .../src/node/server/middlewares/static.ts | 4 +--
 playground/assets-sanitize/.env | 1 +
 .../__tests__/assets-sanitize.spec.ts | 5 +++
 playground/assets-sanitize/index.html | 31 ++++++++++++++++++-
 4 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 playground/assets-sanitize/.env

diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index 13904ce04922a4..42aa48a124c52b 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -100,7 +100,7 @@ export function serveStaticMiddleware(
       return next()
     }
 
-    const url = new URL(req.url!, 'http://example.com')
+    const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
     const pathname = decodeURIComponent(url.pathname)
 
     // apply aliases to static requests as well
@@ -153,7 +153,7 @@ export function serveRawFsMiddleware(
 
   // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
   return function viteServeRawFsMiddleware(req, res, next) {
-    const url = new URL(req.url!, 'http://example.com')
+    const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
     // In some cases (e.g. linked monorepos) files outside of root will
     // reference assets that are also out of served root. In such cases
     // the paths are rewritten to `/@fs/` prefixed paths and must be served by
diff --git a/playground/assets-sanitize/.env b/playground/assets-sanitize/.env
new file mode 100644
index 00000000000000..d0e0cfd28cbe57
--- /dev/null
+++ b/playground/assets-sanitize/.env
@@ -0,0 +1 @@
+KEY=unsafe
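Review bot: The added `req.url!.replace(/^\/+/, '/')` collapses only forward slashes, yet the WHATWG parser behind `new URL()` treats `\` like `/` for http URLs, so a request path beginning with two backslashes would presumably still be parsed as an authority and produce a pathname that no longer names the requested file; whether that leads past fs.deny depends on how the underlying file-serving layer and platform treat `\`, and deserves a test. The same line is repeated in the serveRawFsMiddleware hunk, so both should use one normalization, e.g. `req.url!.replace(/^[\/\\]+/, '/')` or a small shared helper, so the two middlewares cannot drift apart. A why-comment would also help the next reader, e.g. `// collapse leading slashes: '//x' would otherwise be parsed as an authority and the pathname checked against fs.deny would not match the file actually served`. The enclosing serveStaticMiddleware body continues outside the hunk.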
diff --git a/playground/assets-sanitize/__tests__/assets-sanitize.spec.ts b/playground/assets-sanitize/__tests__/assets-sanitize.spec.ts
index 9fd8b1e988b089..f4a25aa1ef6264 100644
--- a/playground/assets-sanitize/__tests__/assets-sanitize.spec.ts
+++ b/playground/assets-sanitize/__tests__/assets-sanitize.spec.ts
@@ -25,3 +25,8 @@ if (!isBuild) {
     expect(Object.keys(manifest).length).toBe(3) // 2 svg, 1 index.js
   })
 }
+
+test.runIf(!isBuild)('denied .env', async () => {
+  expect(await page.textContent('.unsafe-dotenv')).toBe('403')
+  expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('403')
+})
diff --git a/playground/assets-sanitize/index.html b/playground/assets-sanitize/index.html
index e4b4913ca7142c..0e634695c584fb 100644
--- a/playground/assets-sanitize/index.html
+++ b/playground/assets-sanitize/index.html
@@ -6,6 +6,35 @@
       margin-bottom: 1rem;
     }
-
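Review bot: The new `denied .env` test only observes the `403` text that index.html writes into `.unsafe-dotenv` and `.unsafe-dotenv-double-slash`, so it appears to exercise just the plain static path; the second static.ts hunk (serveRawFsMiddleware) gets the same normalization but, as far as this spec shows, no coverage. If the page can also issue an `/@fs/`-prefixed request for the same file, an extra element and assertion here, e.g. `expect(await page.textContent('.unsafe-dotenv-fs')).toBe('403')`, would pin both code paths. A short comment on the test stating why both variants must return 403 would help whoever touches the deny logic next.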

test elements below should show circles and their url

+

test elements below should show circles and their url

+ +

Denied .env

+
+
+ +