fix: fs.deny with globs with directories (#16250)

2024-11-21 14:48:41 +00:00 · 2024-03-24 21:31:50 +09:00 · 2024-03-24 21:31:50 +09:00 · d2db33f7d4
commit d2db33f7d4
parent ee81e19676
6 changed files with 58 additions and 5 deletions
--- a/packages/vite/src/node/server/index.ts
+++ b/packages/vite/src/node/server/index.ts
@ -617,10 +617,19 @@ export async function _createServer(
    _importGlobMap: new Map(),
    _forceOptimizeOnRestart: false,
    _pendingRequests: new Map(),
-    _fsDenyGlob: picomatch(config.server.fs.deny, {
-      matchBase: true,
-      nocase: true,
-    }),
+    _fsDenyGlob: picomatch(
+      // matchBase: true does not work as it's documented
+      // https://github.com/micromatch/picomatch/issues/89
+      // convert patterns without `/` on our side for now
+      config.server.fs.deny.map((pattern) =>
+        pattern.includes('/') ? pattern : `**/${pattern}`,
+      ),
+      {
+        matchBase: false,
+        nocase: true,
+        dot: true,
+      },
+    ),
    _shortcutsOptions: undefined,
  }

--- a/playground/fs-serve/tests/deny/fs-serve-deny.spec.ts
+++ b/playground/fs-serve/tests/deny/fs-serve-deny.spec.ts
@ -0,0 +1,17 @@
+import { describe, expect, test } from 'vitest'
+import { isServe, page, viteTestUrl } from '~utils'
+
+describe.runIf(isServe)('main', () => {
+  test('**/deny/** should deny src/deny/deny.txt', async () => {
+    const res = await page.request.fetch(
+      new URL('/src/deny/deny.txt', viteTestUrl).href,
+    )
+    expect(res.status()).toBe(403)
+  })
+  test('**/deny/** should deny src/deny/.deny', async () => {
+    const res = await page.request.fetch(
+      new URL('/src/deny/.deny', viteTestUrl).href,
+    )
+    expect(res.status()).toBe(403)
+  })
+})
--- a/playground/fs-serve/package.json
+++ b/playground/fs-serve/package.json
@ -10,6 +10,9 @@
    "preview": "vite preview root",
    "dev:base": "vite root --config ./root/vite.config-base.js",
    "build:base": "vite build root --config ./root/vite.config-base.js",
-    "preview:base": "vite preview root --config ./root/vite.config-base.js"
+    "preview:base": "vite preview root --config ./root/vite.config-base.js",
+    "dev:deny": "vite root --config ./root/vite.config-deny.js",
+    "build:deny": "vite build root --config ./root/vite.config-deny.js",
+    "preview:deny": "vite preview root --config ./root/vite.config-deny.js"
  }
 }
--- a/playground/fs-serve/root/src/deny/.deny
+++ b/playground/fs-serve/root/src/deny/.deny
@ -0,0 +1 @@
+.deny
--- a/playground/fs-serve/root/src/deny/deny.txt
+++ b/playground/fs-serve/root/src/deny/deny.txt
@ -0,0 +1 @@
+deny
--- a/playground/fs-serve/root/vite.config-deny.js
+++ b/playground/fs-serve/root/vite.config-deny.js
@ -0,0 +1,22 @@
+import path from 'node:path'
+import { defineConfig } from 'vite'
+
+export default defineConfig({
+  build: {
+    rollupOptions: {
+      input: {
+        main: path.resolve(__dirname, 'src/index.html'),
+      },
+    },
+  },
+  server: {
+    fs: {
+      strict: true,
+      allow: [path.resolve(__dirname, 'src')],
+      deny: ['**/deny/**'],
+    },
+  },
+  define: {
+    ROOT: JSON.stringify(path.dirname(__dirname).replace(/\\/g, '/')),
+  },
+})