Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: fs.deny with leading double slash #13348

Merged
merged 1 commit into from
May 26, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions packages/vite/src/node/server/middlewares/static.ts
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ export function serveStaticMiddleware(
return next()
}

const url = new URL(req.url!, 'http://example.com')
const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
const pathname = decodeURIComponent(url.pathname)

// apply aliases to static requests as well
Expand Down Expand Up @@ -153,7 +153,7 @@ export function serveRawFsMiddleware(

// Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
return function viteServeRawFsMiddleware(req, res, next) {
const url = new URL(req.url!, 'http://example.com')
const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
// In some cases (e.g. linked monorepos) files outside of root will
// reference assets that are also out of served root. In such cases
// the paths are rewritten to `/@fs/` prefixed paths and must be served by
Expand Down
1 change: 1 addition & 0 deletions playground/assets-sanitize/.env
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
KEY=unsafe
5 changes: 5 additions & 0 deletions playground/assets-sanitize/__tests__/assets-sanitize.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -25,3 +25,8 @@ if (!isBuild) {
expect(Object.keys(manifest).length).toBe(3) // 2 svg, 1 index.js
})
}

test.runIf(!isBuild)('denied .env', async () => {
expect(await page.textContent('.unsafe-dotenv')).toBe('403')
expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('403')
})
31 changes: 30 additions & 1 deletion playground/assets-sanitize/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,35 @@
margin-bottom: 1rem;
}
</style>
<h1>test elements below should show circles and their url</h1>
<h3>test elements below should show circles and their url</h3>
<div class="test-el plus-circle"></div>
<div class="test-el underscore-circle"></div>

<h3>Denied .env</h3>
<div class="unsafe-dotenv"></div>
<div class="unsafe-dotenv-double-slash"></div>

<script type="module">
// .env, denied by default. See fs-serve playground for other fs tests
// these checks ensure that a project without a custom root respects fs.deny

fetch('/.env')
.then((r) => {
text('.unsafe-dotenv', r.status)
})
.catch((e) => {
console.error(e)
})

fetch(window.location + '/.env')
.then((r) => {
text('.unsafe-dotenv-double-slash', r.status)
})
.catch((e) => {
console.error(e)
})

function text(el, text) {
document.querySelector(el).textContent = text
}
</script>