Vue/vite
1
0
Fork 0
mirror of https://github.com/vitejs/vite.git synced 2024-11-21 14:48:41 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

fix: fs.deny with leading double slash (#13348)

Browse Source
This commit is contained in:
patak 2023-05-26 12:17:52 +02:00 committed by GitHub
parent 28923fb1d4
commit 813ddd6155
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 38 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
packages/vite/src/node/server/middlewares/static.ts
View File

@ -100,7 +100,7 @@ export function serveStaticMiddleware(
return next() return next()
} }
const url = new URL(req.url!, 'http://example.com') const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
const pathname = decodeURIComponent(url.pathname) const pathname = decodeURIComponent(url.pathname)
// apply aliases to static requests as well // apply aliases to static requests as well
@ -153,7 +153,7 @@ export function serveRawFsMiddleware(
// Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...` // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
return function viteServeRawFsMiddleware(req, res, next) { return function viteServeRawFsMiddleware(req, res, next) {
const url = new URL(req.url!, 'http://example.com') const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
// In some cases (e.g. linked monorepos) files outside of root will // In some cases (e.g. linked monorepos) files outside of root will
// reference assets that are also out of served root. In such cases // reference assets that are also out of served root. In such cases
// the paths are rewritten to `/@fs/` prefixed paths and must be served by // the paths are rewritten to `/@fs/` prefixed paths and must be served by

1
playground/assets-sanitize/.env Normal file
View File

@ -0,0 +1 @@
KEY=unsafe

5
playground/assets-sanitize/__tests__/assets-sanitize.spec.ts
View File

@ -25,3 +25,8 @@ if (!isBuild) {
expect(Object.keys(manifest).length).toBe(3) // 2 svg, 1 index.js expect(Object.keys(manifest).length).toBe(3) // 2 svg, 1 index.js
}) })
} }
test.runIf(!isBuild)('denied .env', async () => {
expect(await page.textContent('.unsafe-dotenv')).toBe('403')
expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('403')
})

31
playground/assets-sanitize/index.html
View File

@ -6,6 +6,35 @@
margin-bottom: 1rem; margin-bottom: 1rem;
} }
</style> </style>
<h1>test elements below should show circles and their url</h1> <h3>test elements below should show circles and their url</h3>
<div class="test-el plus-circle"></div> <div class="test-el plus-circle"></div>
<div class="test-el underscore-circle"></div> <div class="test-el underscore-circle"></div>
<h3>Denied .env</h3>
<div class="unsafe-dotenv"></div>
<div class="unsafe-dotenv-double-slash"></div>
<script type="module">
// .env, denied by default. See fs-serve playground for other fs tests
// these checks ensure that a project without a custom root respects fs.deny
fetch('/.env')
.then((r) => {
text('.unsafe-dotenv', r.status)
})
.catch((e) => {
console.error(e)
})
fetch(window.location + '/.env')
.then((r) => {
text('.unsafe-dotenv-double-slash', r.status)
})
.catch((e) => {
console.error(e)
})
function text(el, text) {
document.querySelector(el).textContent = text
}
</script>