diff --git a/packages/vite/src/node/build.ts b/packages/vite/src/node/build.ts index b093ecfb5e213a..ca8025a386dd71 100644 --- a/packages/vite/src/node/build.ts +++ b/packages/vite/src/node/build.ts @@ -1094,7 +1094,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) => getResolveUrl( `'${escapeId(relativePath)}', ${ umd ? `typeof document === 'undefined' ? location.href : ` : '' - }document.currentScript && document.currentScript.src || document.baseURI`, + }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`, ) const getFileUrlFromFullPath = (path: string) => diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts index d706b3fa926fee..11c0543e336d7a 100644 --- a/packages/vite/src/node/server/middlewares/static.ts +++ b/packages/vite/src/node/server/middlewares/static.ts @@ -229,7 +229,7 @@ export function isFileServingAllowed( return false } -function ensureServingAccess( +export function ensureServingAccess( url: string, server: ViteDevServer, res: ServerResponse, diff --git a/packages/vite/src/node/server/middlewares/transform.ts b/packages/vite/src/node/server/middlewares/transform.ts index a0239aab7fcb4e..d880b6c03ec5f2 100644 --- a/packages/vite/src/node/server/middlewares/transform.ts +++ b/packages/vite/src/node/server/middlewares/transform.ts @@ -12,6 +12,7 @@ import { isJSRequest, normalizePath, prettifyUrl, + rawRE, removeImportQuery, removeTimestampQuery, urlRE, @@ -34,6 +35,7 @@ import { ERR_CLOSED_SERVER } from '../pluginContainer' import { getDepsOptimizer } from '../../optimizer' import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils' import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants' +import { ensureServingAccess } from './static' const debugCache = createDebugger('vite:cache') @@ -157,6 +159,13 @@ export function transformMiddleware( warnAboutExplicitPublicPathInUrl(url) } + if ( + (rawRE.test(url) || urlRE.test(url)) && + !ensureServingAccess(url, server, res, next) + ) { + return + } + if ( isJSRequest(url) || isImportRequest(url) || diff --git a/playground/fs-serve/__tests__/fs-serve.spec.ts b/playground/fs-serve/__tests__/fs-serve.spec.ts index 9d9d4c6ec80e54..16ecc0b78dc295 100644 --- a/playground/fs-serve/__tests__/fs-serve.spec.ts +++ b/playground/fs-serve/__tests__/fs-serve.spec.ts @@ -77,6 +77,11 @@ describe.runIf(isServe)('main', () => { expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403') }) + test('unsafe fs fetch', async () => { + expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('') + expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403') + }) + test('unsafe fs fetch with special characters (#8498)', async () => { expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('') expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404') diff --git a/playground/fs-serve/root/src/index.html b/playground/fs-serve/root/src/index.html index 06bee3f8671949..fb1276d79fea22 100644 --- a/playground/fs-serve/root/src/index.html +++ b/playground/fs-serve/root/src/index.html @@ -35,6 +35,8 @@

Safe /@fs/ Fetch

Unsafe /@fs/ Fetch


 

+

+

 

 

 

@@ -188,6 +190,24 @@ 

Denied

console.error(e) }) + // not imported before, outside of root, treated as unsafe + fetch( + joinUrlSegments( + base, + joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw', + ), + ) + .then((r) => { + text('.unsafe-fs-fetch-raw-status', r.status) + return r.json() + }) + .then((data) => { + text('.unsafe-fs-fetch-raw', JSON.stringify(data)) + }) + .catch((e) => { + console.error(e) + }) + // outside root with special characters #8498 fetch( joinUrlSegments(