Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: backport #18112 and #18115 to v5.1 #18147

Merged
merged 2 commits into from
Sep 19, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion packages/vite/src/node/build.ts
Original file line number Diff line number Diff line change
Expand Up @@ -1094,7 +1094,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
getResolveUrl(
`'${escapeId(relativePath)}', ${
umd ? `typeof document === 'undefined' ? location.href : ` : ''
}document.currentScript && document.currentScript.src || document.baseURI`,
}document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
)

const getFileUrlFromFullPath = (path: string) =>
Expand Down
2 changes: 1 addition & 1 deletion packages/vite/src/node/server/middlewares/static.ts
Original file line number Diff line number Diff line change
Expand Up @@ -229,7 +229,7 @@ export function isFileServingAllowed(
return false
}

function ensureServingAccess(
export function ensureServingAccess(
url: string,
server: ViteDevServer,
res: ServerResponse,
Expand Down
9 changes: 9 additions & 0 deletions packages/vite/src/node/server/middlewares/transform.ts
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import {
isJSRequest,
normalizePath,
prettifyUrl,
rawRE,
removeImportQuery,
removeTimestampQuery,
urlRE,
Expand All @@ -34,6 +35,7 @@ import { ERR_CLOSED_SERVER } from '../pluginContainer'
import { getDepsOptimizer } from '../../optimizer'
import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils'
import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants'
import { ensureServingAccess } from './static'

const debugCache = createDebugger('vite:cache')

Expand Down Expand Up @@ -157,6 +159,13 @@ export function transformMiddleware(
warnAboutExplicitPublicPathInUrl(url)
}

if (
(rawRE.test(url) || urlRE.test(url)) &&
!ensureServingAccess(url, server, res, next)
) {
return
}

if (
isJSRequest(url) ||
isImportRequest(url) ||
Expand Down
5 changes: 5 additions & 0 deletions playground/fs-serve/__tests__/fs-serve.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,11 @@ describe.runIf(isServe)('main', () => {
expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
})

test('unsafe fs fetch', async () => {
expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('')
expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403')
})

test('unsafe fs fetch with special characters (#8498)', async () => {
expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')
Expand Down
20 changes: 20 additions & 0 deletions playground/fs-serve/root/src/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ <h2>Safe /@fs/ Fetch</h2>
<h2>Unsafe /@fs/ Fetch</h2>
<pre class="unsafe-fs-fetch-status"></pre>
<pre class="unsafe-fs-fetch"></pre>
<pre class="unsafe-fs-fetch-raw-status"></pre>
<pre class="unsafe-fs-fetch-raw"></pre>
<pre class="unsafe-fs-fetch-8498-status"></pre>
<pre class="unsafe-fs-fetch-8498"></pre>
<pre class="unsafe-fs-fetch-8498-2-status"></pre>
Expand Down Expand Up @@ -188,6 +190,24 @@ <h2>Denied</h2>
console.error(e)
})

// not imported before, outside of root, treated as unsafe
fetch(
joinUrlSegments(
base,
joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw',
),
)
.then((r) => {
text('.unsafe-fs-fetch-raw-status', r.status)
return r.json()
})
.then((data) => {
text('.unsafe-fs-fetch-raw', JSON.stringify(data))
})
.catch((e) => {
console.error(e)
})

// outside root with special characters #8498
fetch(
joinUrlSegments(
Expand Down
Loading