fix: fs raw query (#18112)

patak 2024-09-16 17:38:29 +02:00
parent 440783953a
commit 4573a6fd6f
4 changed files with 35 additions and 1 deletions


@ -229,7 +229,7 @@ export function isFileServingAllowed(
return false return false
} }
function ensureServingAccess( export function ensureServingAccess(
url: string, url: string,
server: ViteDevServer, server: ViteDevServer,
res: ServerResponse, res: ServerResponse,
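Review bot: `ensureServingAccess` becomes an exported function here without a doc comment stating its contract, and the new caller in the transform middleware depends on that contract. That caller returns immediately when the function yields false, which suggests the function has already written the denial response or called `next` itself; its body is outside this hunk, so confirm that before documenting it. A comment along the lines of `/** Returns true if url may be served; otherwise handles the response itself and returns false, so the caller must return without further processing. */` would stop a future caller from continuing after a denial.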


@ -12,6 +12,7 @@ import {
isJSRequest, isJSRequest,
normalizePath, normalizePath,
prettifyUrl, prettifyUrl,
rawRE,
removeImportQuery, removeImportQuery,
removeTimestampQuery, removeTimestampQuery,
urlRE, urlRE,
@ -35,6 +36,7 @@ import { ERR_CLOSED_SERVER } from '../pluginContainer'
import { getDepsOptimizer } from '../../optimizer' import { getDepsOptimizer } from '../../optimizer'
import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils' import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils'
import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants' import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants'
import { ensureServingAccess } from './static'
const debugCache = createDebugger('vite:cache') const debugCache = createDebugger('vite:cache')
@ -158,6 +160,13 @@ export function transformMiddleware(
warnAboutExplicitPublicPathInUrl(url) warnAboutExplicitPublicPathInUrl(url)
} }
if (
(rawRE.test(url) || urlRE.test(url)) &&
!ensureServingAccess(url, server, res, next)
) {
return
}
if ( if (
isJSRequest(url) || isJSRequest(url) ||
isImportRequest(url) || isImportRequest(url) ||
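Review bot: The new guard in `transformMiddleware` calls `ensureServingAccess` only when `rawRE` or `urlRE` matches the request URL, so the access decision depends on those two patterns recognising every query form that makes the server return file contents. Both patterns are defined outside this hunk; if they match only an exact `raw` or `url` parameter, a request that the later pipeline still serves verbatim but the patterns miss would skip the check. Prefer a deny-by-default check on the resolved path for anything outside the allow list. At minimum add a comment such as `// security: must cover every query that serves file contents verbatim; keep in sync with the asset loaders`. The enclosing function continues past the end of the hunk.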


@ -77,6 +77,11 @@ describe.runIf(isServe)('main', () => {
expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403') expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
}) })
test('unsafe fs fetch', async () => {
expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('')
expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403')
})
test('unsafe fs fetch with special characters (#8498)', async () => { test('unsafe fs fetch with special characters (#8498)', async () => {
expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('') expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404') expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')
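Review bot: The added test reuses the title 'unsafe fs fetch', which appears to duplicate the test just above it (that title is outside the hunk), so a failure report would not say which case broke; `test('unsafe fs fetch with raw query', async () => {` would disambiguate. The test also covers only the `?import&raw` request issued by the fixture page, while the middleware guard has a second branch on `urlRE`. A parallel fixture request and 403 assertion for the url query would pin that branch, so a later change to either pattern cannot silently reopen it.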


@ -35,6 +35,8 @@
<h2>Unsafe /@fs/ Fetch</h2> <h2>Unsafe /@fs/ Fetch</h2>
<pre class="unsafe-fs-fetch-status"></pre> <pre class="unsafe-fs-fetch-status"></pre>
<pre class="unsafe-fs-fetch"></pre> <pre class="unsafe-fs-fetch"></pre>
<pre class="unsafe-fs-fetch-raw-status"></pre>
<pre class="unsafe-fs-fetch-raw"></pre>
<pre class="unsafe-fs-fetch-8498-status"></pre> <pre class="unsafe-fs-fetch-8498-status"></pre>
<pre class="unsafe-fs-fetch-8498"></pre> <pre class="unsafe-fs-fetch-8498"></pre>
<pre class="unsafe-fs-fetch-8498-2-status"></pre> <pre class="unsafe-fs-fetch-8498-2-status"></pre>
@ -188,6 +190,24 @@
console.error(e) console.error(e)
}) })
// not imported before, outside of root, treated as unsafe
fetch(
joinUrlSegments(
base,
joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw',
),
)
.then((r) => {
text('.unsafe-fs-fetch-raw-status', r.status)
return r.json()
})
.then((data) => {
text('.unsafe-fs-fetch-raw', JSON.stringify(data))
})
.catch((e) => {
console.error(e)
})
// outside root with special characters #8498 // outside root with special characters #8498
fetch( fetch(
joinUrlSegments( joinUrlSegments(