Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: fs.deny with leading double slash #13348

Merged
merged 1 commit into from May 26, 2023
Merged

fix: fs.deny with leading double slash #13348

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 2 additions & 2 deletions packages/vite/src/node/server/middlewares/static.ts
View file
Open in desktop
Expand Up @@ -100,7 +100,7 @@ export function serveStaticMiddleware(
return next()
}

const url = new URL(req.url!, 'http://example.com')
const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
const pathname = decodeURIComponent(url.pathname)

// apply aliases to static requests as well
Expand Down Expand Up @@ -153,7 +153,7 @@ export function serveRawFsMiddleware(

// Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
return function viteServeRawFsMiddleware(req, res, next) {
const url = new URL(req.url!, 'http://example.com')
const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
// In some cases (e.g. linked monorepos) files outside of root will
// reference assets that are also out of served root. In such cases
// the paths are rewritten to `/@fs/` prefixed paths and must be served by
Expand Down
1 change: 1 addition & 0 deletions playground/assets-sanitize/.env
View file
Open in desktop
@@ -0,0 +1 @@
KEY=unsafe
5 changes: 5 additions & 0 deletions playground/assets-sanitize/__tests__/assets-sanitize.spec.ts
View file
Open in desktop
Expand Up @@ -25,3 +25,8 @@ if (!isBuild) {
expect(Object.keys(manifest).length).toBe(3) // 2 svg, 1 index.js
})
}

test.runIf(!isBuild)('denied .env', async () => {
expect(await page.textContent('.unsafe-dotenv')).toBe('403')
expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('403')
})
31 changes: 30 additions & 1 deletion playground/assets-sanitize/index.html
View file
Open in desktop
Expand Up @@ -6,6 +6,35 @@
margin-bottom: 1rem;
}
</style>
<h1>test elements below should show circles and their url</h1>
<h3>test elements below should show circles and their url</h3>
<div class="test-el plus-circle"></div>
<div class="test-el underscore-circle"></div>

<h3>Denied .env</h3>
<div class="unsafe-dotenv"></div>
<div class="unsafe-dotenv-double-slash"></div>

<script type="module">
// .env, denied by default. See fs-serve playground for other fs tests
// these checks ensure that a project without a custom root respects fs.deny

fetch('/.env')
.then((r) => {
text('.unsafe-dotenv', r.status)
})
.catch((e) => {
console.error(e)
})

fetch(window.location + '/.env')
.then((r) => {
text('.unsafe-dotenv-double-slash', r.status)
})
.catch((e) => {
console.error(e)
})

function text(el, text) {
document.querySelector(el).textContent = text
}
</script>