refactor: isFileReadable

packages/vite/src/node/plugins/resolve.ts

@@ -24,7 +24,8 @@ import {
   isDataUrl,
   cleanUrl,
   slash,
-  nestedResolveFrom
+  nestedResolveFrom,
+  isFileReadable
 } from '../utils'
 import { ViteDevServer, SSROptions } from '..'
 import { createFilter } from '@rollup/pluginutils'
@@ -372,15 +373,10 @@ function tryResolveFile(
   tryPrefix?: string,
   skipPackageJson?: boolean
 ): string | undefined {
-  let isReadable = false
-  try {
-    // #2051 if we don't have read permission on a directory, existsSync() still
-    // works and will result in massively slow subsequent checks (which are
-    // unnecessary in the first place)
-    fs.accessSync(file, fs.constants.R_OK)
-    isReadable = true
-  } catch (e) {}
-  if (isReadable) {
+  // #2051 if we don't have read permission on a directory, existsSync() still
+  // works and will result in massively slow subsequent checks (which are
+  // unnecessary in the first place)
+  if (isFileReadable(file)) {
     if (!fs.statSync(file).isDirectory()) {
       return getRealPath(file, preserveSymlinks) + postfix
     } else if (tryIndex) {

packages/vite/src/node/server/middlewares/static.ts

@@ -1,5 +1,4 @@
 import path from 'path'
-import fs from 'fs'
 import { ServerResponse } from 'http'
 import sirv, { Options } from 'sirv'
 import { Connect } from 'types/connect'
@@ -12,7 +11,8 @@ import {
   isImportRequest,
   isInternalRequest,
   isWindows,
-  slash
+  slash,
+  isFileReadable
 } from '../../utils'
 
 const sirvOptions: Options = {
@@ -144,7 +144,7 @@ export function isFileServingAllowed(
     return true
 
   if (!server.config.server.fs.strict) {
-    if (fs.existsSync(file)) {
+    if (isFileReadable(file)) {
       server.config.logger.warnOnce(`Unrestricted file system access to "${url}"`)
       server.config.logger.warnOnce(
         `For security concerns, accessing files outside of serving allow list will ` +
@@ -167,7 +167,7 @@ function ensureServingAccess(
   if (isFileServingAllowed(url, server)) {
     return true
   }
-  if (fs.existsSync(url)) {
+  if (isFileReadable(cleanUrl(url))) {
     const message = `The request url "${url}" is outside of Vite serving allow list:
 
 ${server.config.server.fs.allow.map((i) => `- ${i}`).join('\n')}

packages/vite/src/node/server/searchRoot.ts

@@ -1,6 +1,7 @@
 import fs from 'fs'
 import { dirname } from 'path'
 import { join } from 'path'
+import { isFileReadable } from '../utils'
 
 // https://github.com/vitejs/vite/issues/2820#issuecomment-812495079
 const ROOT_FILES = [
@@ -21,9 +22,7 @@ const ROOT_FILES = [
 // yarn: https://classic.yarnpkg.com/en/docs/workspaces/#toc-how-to-use-it
 function hasWorkspacePackageJSON(root: string): boolean {
   const path = join(root, 'package.json')
-  try {
-    fs.accessSync(path, fs.constants.R_OK)
-  } catch {
+  if (!isFileReadable(path)) {
     return false
   }
   const content = JSON.parse(fs.readFileSync(path, 'utf-8')) || {}

packages/vite/src/node/utils.ts

@@ -377,6 +377,20 @@ export function writeFile(
   fs.writeFileSync(filename, content)
 }
 
+/**
+ * Use instead of fs.existsSync(filename)
+ * #2051 if we don't have read permission on a directory, existsSync() still
+ * works and will result in massively slow subsequent checks (which are
+ * unnecessary in the first place)
+ */
+export function isFileReadable(filename: string,) {
+  try {
+    fs.accessSync(filename, fs.constants.R_OK)
+    return true
+  } catch (e) {}
+  return false
+}
+
 /**
  * Delete every file and subdirectory. **The given directory must exist.**
  * Pass an optional `skip` array to preserve files in the root directory.