fix: fs.deny with globs with directories (vitejs#16250)

sapphi-red · Mar 24, 2024 · e30f387 · e30f387
1 parent bfc5649
commit e30f387
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 4 deletions.
diff --git a/packages/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts b/packages/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts
@@ -0,0 +1,17 @@
+import { describe, expect, test } from 'vitest'
+import { isServe, page, viteTestUrl } from '~utils'
+
+describe.runIf(isServe)('main', () => {
+  test('**/deny/** should deny src/deny/deny.txt', async () => {
+    const res = await page.request.fetch(
+      new URL('/src/deny/deny.txt', viteTestUrl).href
+    )
+    expect(res.status()).toBe(403)
+  })
+  test('**/deny/** should deny src/deny/.deny', async () => {
+    const res = await page.request.fetch(
+      new URL('/src/deny/.deny', viteTestUrl).href
+    )
+    expect(res.status()).toBe(403)
+  })
+})
diff --git a/packages/playground/fs-serve/package.json b/packages/playground/fs-serve/package.json
@@ -6,6 +6,9 @@
     "dev": "vite root",
     "build": "vite build root",
     "debug": "node --inspect-brk ../../vite/bin/vite",
-    "preview": "vite preview"
+    "preview": "vite preview",
+    "dev:deny": "vite root --config ./root/vite.config-deny.js",
+    "build:deny": "vite build root --config ./root/vite.config-deny.js",
+    "preview:deny": "vite preview root --config ./root/vite.config-deny.js"
   }
 }
diff --git a/packages/playground/fs-serve/root/src/deny/.deny b/packages/playground/fs-serve/root/src/deny/.deny
@@ -0,0 +1 @@
+.deny
diff --git a/packages/playground/fs-serve/root/src/deny/deny.txt b/packages/playground/fs-serve/root/src/deny/deny.txt
@@ -0,0 +1 @@
+deny
diff --git a/packages/playground/fs-serve/root/vite.config-deny.js b/packages/playground/fs-serve/root/vite.config-deny.js
@@ -0,0 +1,22 @@
+import path from 'node:path'
+import { defineConfig } from 'vite'
+
+export default defineConfig({
+  build: {
+    rollupOptions: {
+      input: {
+        main: path.resolve(__dirname, 'src/index.html')
+      }
+    }
+  },
+  server: {
+    fs: {
+      strict: true,
+      allow: [path.resolve(__dirname, 'src')],
+      deny: ['**/deny/**']
+    }
+  },
+  define: {
+    ROOT: JSON.stringify(path.dirname(__dirname).replace(/\\/g, '/'))
+  }
+})
diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
@@ -156,7 +156,11 @@ export function serveRawFsMiddleware(
   }
 }
 
-const _matchOptions = { matchBase: true, nocase: true }
+const _matchOptions = {
+  matchBase: false,
+  nocase: true,
+  dot: true
+}
 
 export function isFileServingAllowed(
   url: string,
@@ -166,8 +170,10 @@ export function isFileServingAllowed(
 
   const file = fsPathFromUrl(url)
 
-  if (server.config.server.fs.deny.some((i) => isMatch(file, i, _matchOptions)))
-    return false
+  const deny = server.config.server.fs.deny.map((pattern) =>
+    pattern.includes('/') ? pattern : `**/${pattern}`
+  )
+  if (deny.some((i) => isMatch(file, i, _matchOptions))) return false
 
   if (server.moduleGraph.safeModulesPath.has(file)) return true