Vue/vite
1
0
Fork 0
mirror of https://github.com/vitejs/vite.git synced 2024-11-21 22:59:10 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

fix: fs raw query (#18112)

Browse Source
This commit is contained in:
patak 2024-09-16 17:38:29 +02:00 committed by GitHub
parent adf379963a
commit 9d2413c8b6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
packages/vite/src/node/server/middlewares/static.ts
View File

@ -259,7 +259,7 @@ export function isFileLoadingAllowed(
return false return false
} }
function ensureServingAccess( export function ensureServingAccess(
url: string, url: string,
server: ViteDevServer, server: ViteDevServer,
res: ServerResponse, res: ServerResponse,

9
packages/vite/src/node/server/middlewares/transform.ts
View File

@ -12,6 +12,7 @@ import {
isJSRequest, isJSRequest,
normalizePath, normalizePath,
prettifyUrl, prettifyUrl,
rawRE,
removeImportQuery, removeImportQuery,
removeTimestampQuery, removeTimestampQuery,
urlRE, urlRE,
@ -34,6 +35,7 @@ import {
import { ERR_CLOSED_SERVER } from '../pluginContainer' import { ERR_CLOSED_SERVER } from '../pluginContainer'
import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils' import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils'
import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants' import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants'
import { ensureServingAccess } from './static'
const debugCache = createDebugger('vite:cache') const debugCache = createDebugger('vite:cache')
@ -164,6 +166,13 @@ export function transformMiddleware(
warnAboutExplicitPublicPathInUrl(url) warnAboutExplicitPublicPathInUrl(url)
} }
if (
(rawRE.test(url) || urlRE.test(url)) &&
!ensureServingAccess(url, server, res, next)
) {
return
}
if ( if (
isJSRequest(url) || isJSRequest(url) ||
isImportRequest(url) || isImportRequest(url) ||

5
playground/fs-serve/__tests__/fs-serve.spec.ts
View File

@ -77,6 +77,11 @@ describe.runIf(isServe)('main', () => {
expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403') expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
}) })
test('unsafe fs fetch', async () => {
expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('')
expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403')
})
test('unsafe fs fetch with special characters (#8498)', async () => { test('unsafe fs fetch with special characters (#8498)', async () => {
expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('') expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404') expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')

20
playground/fs-serve/root/src/index.html
View File

@ -35,6 +35,8 @@
<h2>Unsafe /@fs/ Fetch</h2> <h2>Unsafe /@fs/ Fetch</h2>
<pre class="unsafe-fs-fetch-status"></pre> <pre class="unsafe-fs-fetch-status"></pre>
<pre class="unsafe-fs-fetch"></pre> <pre class="unsafe-fs-fetch"></pre>
<pre class="unsafe-fs-fetch-raw-status"></pre>
<pre class="unsafe-fs-fetch-raw"></pre>
<pre class="unsafe-fs-fetch-8498-status"></pre> <pre class="unsafe-fs-fetch-8498-status"></pre>
<pre class="unsafe-fs-fetch-8498"></pre> <pre class="unsafe-fs-fetch-8498"></pre>
<pre class="unsafe-fs-fetch-8498-2-status"></pre> <pre class="unsafe-fs-fetch-8498-2-status"></pre>
@ -188,6 +190,24 @@
console.error(e) console.error(e)
}) })
// not imported before, outside of root, treated as unsafe
fetch(
joinUrlSegments(
base,
joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw',
),
)
.then((r) => {
text('.unsafe-fs-fetch-raw-status', r.status)
return r.json()
})
.then((data) => {
text('.unsafe-fs-fetch-raw', JSON.stringify(data))
})
.catch((e) => {
console.error(e)
})
// outside root with special characters #8498 // outside root with special characters #8498
fetch( fetch(
joinUrlSegments( joinUrlSegments(