mirror of
https://github.com/vitejs/vite.git
synced 2024-11-21 22:59:10 +00:00
fix: fs raw query (#18112)
parent
440783953a
commit
4573a6fd6f
@ -229,7 +229,7 @@ export function isFileServingAllowed(
|
|||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
function ensureServingAccess(
|
export function ensureServingAccess(
|
||||||
url: string,
|
url: string,
|
||||||
server: ViteDevServer,
|
server: ViteDevServer,
|
||||||
res: ServerResponse,
|
res: ServerResponse,
|
||||||
|
@ -12,6 +12,7 @@ import {
|
|||||||
isJSRequest,
|
isJSRequest,
|
||||||
normalizePath,
|
normalizePath,
|
||||||
prettifyUrl,
|
prettifyUrl,
|
||||||
|
rawRE,
|
||||||
removeImportQuery,
|
removeImportQuery,
|
||||||
removeTimestampQuery,
|
removeTimestampQuery,
|
||||||
urlRE,
|
urlRE,
|
||||||
@ -35,6 +36,7 @@ import { ERR_CLOSED_SERVER } from '../pluginContainer'
|
|||||||
import { getDepsOptimizer } from '../../optimizer'
|
import { getDepsOptimizer } from '../../optimizer'
|
||||||
import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils'
|
import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils'
|
||||||
import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants'
|
import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants'
|
||||||
|
import { ensureServingAccess } from './static'
|
||||||
|
|
||||||
const debugCache = createDebugger('vite:cache')
|
const debugCache = createDebugger('vite:cache')
|
||||||
|
|
||||||
@ -158,6 +160,13 @@ export function transformMiddleware(
|
|||||||
warnAboutExplicitPublicPathInUrl(url)
|
warnAboutExplicitPublicPathInUrl(url)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (
|
||||||
|
(rawRE.test(url) || urlRE.test(url)) &&
|
||||||
|
!ensureServingAccess(url, server, res, next)
|
||||||
|
) {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
if (
|
if (
|
||||||
isJSRequest(url) ||
|
isJSRequest(url) ||
|
||||||
isImportRequest(url) ||
|
isImportRequest(url) ||
|
||||||
|
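Review bot: The guard added to transformMiddleware calls `ensureServingAccess` only when `rawRE` or `urlRE` matches `url` as it stands at this point, so the allow-list check holds only while these regexes agree with whatever later code treats as a raw or url request. The regex definitions and the downstream query handling are outside the hunk, so this is inferred: if a later step strips or rewrites query parts before file contents are returned, the same request could be classified differently at the two points and never reach the check. Consider testing the same normalized form the loader uses, or enforcing the fs allow-list where the file is actually read. A comment above the `if` would also help, for example `// raw/url requests return file contents from the transform pipeline, so apply the server.fs access check here as well`. transformMiddleware's body continues outside the hunk.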
@ -77,6 +77,11 @@ describe.runIf(isServe)('main', () => {
|
|||||||
expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
|
expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
|
||||||
})
|
})
|
||||||
|
|
||||||
|
test('unsafe fs fetch', async () => {
|
||||||
|
expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('')
|
||||||
|
expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403')
|
||||||
|
})
|
||||||
|
|
||||||
test('unsafe fs fetch with special characters (#8498)', async () => {
|
test('unsafe fs fetch with special characters (#8498)', async () => {
|
||||||
expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
|
expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
|
||||||
expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')
|
expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')
|
||||||
|
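Review bot: The added test exercises only the `?import&raw` request, while the guard in the transform middleware also covers `urlRE`, so the url-query branch of the fix has no regression test in this section. A matching fixture and assertion for the url variant of the same out-of-root file, also expecting `'403'`, would pin both halves of the condition. The title `'unsafe fs fetch'` does not say this is the raw-query case. If the preceding test (its title is outside the hunk) has the same name, failures will be hard to tell apart, so something like `test('unsafe fs fetch with raw query', ...)` would be clearer.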
@ -35,6 +35,8 @@
|
|||||||
<h2>Unsafe /@fs/ Fetch</h2>
|
<h2>Unsafe /@fs/ Fetch</h2>
|
||||||
<pre class="unsafe-fs-fetch-status"></pre>
|
<pre class="unsafe-fs-fetch-status"></pre>
|
||||||
<pre class="unsafe-fs-fetch"></pre>
|
<pre class="unsafe-fs-fetch"></pre>
|
||||||
|
<pre class="unsafe-fs-fetch-raw-status"></pre>
|
||||||
|
<pre class="unsafe-fs-fetch-raw"></pre>
|
||||||
<pre class="unsafe-fs-fetch-8498-status"></pre>
|
<pre class="unsafe-fs-fetch-8498-status"></pre>
|
||||||
<pre class="unsafe-fs-fetch-8498"></pre>
|
<pre class="unsafe-fs-fetch-8498"></pre>
|
||||||
<pre class="unsafe-fs-fetch-8498-2-status"></pre>
|
<pre class="unsafe-fs-fetch-8498-2-status"></pre>
|
||||||
@ -188,6 +190,24 @@
|
|||||||
console.error(e)
|
console.error(e)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
// not imported before, outside of root, treated as unsafe
|
||||||
|
fetch(
|
||||||
|
joinUrlSegments(
|
||||||
|
base,
|
||||||
|
joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw',
|
||||||
|
),
|
||||||
|
)
|
||||||
|
.then((r) => {
|
||||||
|
text('.unsafe-fs-fetch-raw-status', r.status)
|
||||||
|
return r.json()
|
||||||
|
})
|
||||||
|
.then((data) => {
|
||||||
|
text('.unsafe-fs-fetch-raw', JSON.stringify(data))
|
||||||
|
})
|
||||||
|
.catch((e) => {
|
||||||
|
console.error(e)
|
||||||
|
})
|
||||||
|
|
||||||
// outside root with special characters #8498
|
// outside root with special characters #8498
|
||||||
fetch(
|
fetch(
|
||||||
joinUrlSegments(
|
joinUrlSegments(
|
||||||
|
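Review bot: In the added fetch for `unsafe.json?import&raw`, the body is read with `r.json()`, which makes the spec's `toBe('')` assertion on `.unsafe-fs-fetch-raw` weak. A raw import response is presumably a JavaScript module rather than JSON, so `r.json()` would reject and leave the element empty even if the server had returned the file contents. Only the status assertion would then catch a regression. Reading the body as text, `return r.text()` followed by `text('.unsafe-fs-fetch-raw', data)`, would make a leaked body visible to the test, though the expected string for a 403 response would then need to be confirmed.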