From 19dae997f91607424af2d0e159ae2570463bbcb3 Mon Sep 17 00:00:00 2001
From: patak <matias.capeletto@gmail.com>
Date: Mon, 17 May 2021 08:32:45 +0200
Subject: [PATCH] fix: skip fs fallback for out of root urls, fix #3364 (#3431)

---
 .../src/node/server/middlewares/static.ts     | 14 ++++++++++---
 .../vite/src/node/server/transformRequest.ts  | 21 ++++++++++---------
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index e243957618e75b..5801b7d15bbd17 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -109,16 +109,24 @@ export function serveRawFsMiddleware(
   }
 }
 
+export function isFileAccessAllowed(
+  url: string,
+  { root, strict }: Required<FileSystemServeOptions>
+): boolean {
+  return !strict || normalizePath(url).startsWith(root + path.posix.sep)
+}
+
 export function ensureServingAccess(
   url: string,
-  { root, strict }: Required<FileSystemServeOptions>,
+  serveOptions: Required<FileSystemServeOptions>,
   logger: Logger
 ): void {
+  const { strict, root } = serveOptions
   // TODO: early return, should remove once we polished the restriction logic
   if (!strict) return
 
-  const normalizedUrl = normalizePath(url)
-  if (!normalizedUrl.startsWith(root + path.posix.sep)) {
+  if (!isFileAccessAllowed(url, serveOptions)) {
+    const normalizedUrl = normalizePath(url)
     if (strict) {
       throw new AccessRestrictedError(
         `The request url "${normalizedUrl}" is outside of vite dev server root "${root}". 
diff --git a/packages/vite/src/node/server/transformRequest.ts b/packages/vite/src/node/server/transformRequest.ts
index 8138a0ca306ce6..5e506bd36299bb 100644
--- a/packages/vite/src/node/server/transformRequest.ts
+++ b/packages/vite/src/node/server/transformRequest.ts
@@ -16,7 +16,7 @@ import {
 import { checkPublicFile } from '../plugins/asset'
 import { ssrTransform } from '../ssr/ssrTransform'
 import { injectSourcesContent } from './sourcemap'
-import { ensureServingAccess } from './middlewares/static'
+import { isFileAccessAllowed } from './middlewares/static'
 
 const debugLoad = createDebugger('vite:load')
 const debugTransform = createDebugger('vite:transform')
@@ -73,15 +73,16 @@ export async function transformRequest(
     // try fallback loading it from fs as string
     // if the file is a binary, there should be a plugin that already loaded it
     // as string
-    try {
-      if (!options.ssr) {
-        ensureServingAccess(file, config.server.fsServe, config.logger)
-      }
-      code = await fs.readFile(file, 'utf-8')
-      isDebug && debugLoad(`${timeFrom(loadStart)} [fs] ${prettyUrl}`)
-    } catch (e) {
-      if (e.code !== 'ENOENT') {
-        throw e
+    // only try the fallback if access is allowed, skip for out of root url
+    // like /service-worker.js or /api/users
+    if (options.ssr || isFileAccessAllowed(file, config.server.fsServe)) {
+      try {
+        code = await fs.readFile(file, 'utf-8')
+        isDebug && debugLoad(`${timeFrom(loadStart)} [fs] ${prettyUrl}`)
+      } catch (e) {
+        if (e.code !== 'ENOENT') {
+          throw e
+        }
       }
     }
     if (code) {