mirror of
https://github.com/vitejs/vite.git
synced 2024-11-21 14:48:41 +00:00
fix: fs raw query (#18112)
This commit is contained in:
parent
51bf7ea7d1
commit
8339d74086
@ -229,7 +229,7 @@ export function isFileServingAllowed(
|
||||
return false
|
||||
}
|
||||
|
||||
function ensureServingAccess(
|
||||
export function ensureServingAccess(
|
||||
url: string,
|
||||
server: ViteDevServer,
|
||||
res: ServerResponse,
|
||||
|
@ -12,6 +12,7 @@ import {
|
||||
isJSRequest,
|
||||
normalizePath,
|
||||
prettifyUrl,
|
||||
rawRE,
|
||||
removeImportQuery,
|
||||
removeTimestampQuery,
|
||||
urlRE,
|
||||
@ -35,6 +36,7 @@ import { ERR_CLOSED_SERVER } from '../pluginContainer'
|
||||
import { getDepsOptimizer } from '../../optimizer'
|
||||
import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils'
|
||||
import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants'
|
||||
import { ensureServingAccess } from './static'
|
||||
|
||||
const debugCache = createDebugger('vite:cache')
|
||||
|
||||
@ -158,6 +160,13 @@ export function transformMiddleware(
|
||||
warnAboutExplicitPublicPathInUrl(url)
|
||||
}
|
||||
|
||||
if (
|
||||
(rawRE.test(url) || urlRE.test(url)) &&
|
||||
!ensureServingAccess(url, server, res, next)
|
||||
) {
|
||||
return
|
||||
}
|
||||
|
||||
if (
|
||||
isJSRequest(url) ||
|
||||
isImportRequest(url) ||
|
||||
|
@ -77,6 +77,11 @@ describe.runIf(isServe)('main', () => {
|
||||
expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
|
||||
})
|
||||
|
||||
test('unsafe fs fetch', async () => {
|
||||
expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('')
|
||||
expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403')
|
||||
})
|
||||
|
||||
test('unsafe fs fetch with special characters (#8498)', async () => {
|
||||
expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
|
||||
expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')
|
||||
|
@ -35,6 +35,8 @@
|
||||
<h2>Unsafe /@fs/ Fetch</h2>
|
||||
<pre class="unsafe-fs-fetch-status"></pre>
|
||||
<pre class="unsafe-fs-fetch"></pre>
|
||||
<pre class="unsafe-fs-fetch-raw-status"></pre>
|
||||
<pre class="unsafe-fs-fetch-raw"></pre>
|
||||
<pre class="unsafe-fs-fetch-8498-status"></pre>
|
||||
<pre class="unsafe-fs-fetch-8498"></pre>
|
||||
<pre class="unsafe-fs-fetch-8498-2-status"></pre>
|
||||
@ -188,6 +190,24 @@
|
||||
console.error(e)
|
||||
})
|
||||
|
||||
// not imported before, outside of root, treated as unsafe
|
||||
fetch(
|
||||
joinUrlSegments(
|
||||
base,
|
||||
joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw',
|
||||
),
|
||||
)
|
||||
.then((r) => {
|
||||
text('.unsafe-fs-fetch-raw-status', r.status)
|
||||
return r.json()
|
||||
})
|
||||
.then((data) => {
|
||||
text('.unsafe-fs-fetch-raw', JSON.stringify(data))
|
||||
})
|
||||
.catch((e) => {
|
||||
console.error(e)
|
||||
})
|
||||
|
||||
// outside root with special characters #8498
|
||||
fetch(
|
||||
joinUrlSegments(
|
||||
|
Loading…
Reference in New Issue
Block a user