vitejs · Mar 31, 2025 · Mar 31, 2025
Showing with 89 additions and 4 deletions.

+6 −0 packages/vite/CHANGELOG.md

+1 −1 packages/vite/package.json

+7 −3 packages/vite/src/node/server/middlewares/transform.ts

+24 −0 playground/fs-serve/__tests__/fs-serve.spec.ts

+51 −0 playground/fs-serve/root/src/index.html
diff --git a/packages/vite/CHANGELOG.md b/packages/vite/CHANGELOG.md
@@ -1,3 +1,9 @@
+## <small>6.2.4 (2025-03-31)</small>
+
+* fix: fs check in transform middleware (#19761) ([7a4faba](https://github.com/vitejs/vite/commit/7a4fabab6a3aa24c89144e15a13d78f92b52e588)), closes [#19761](https://github.com/vitejs/vite/issues/19761)
+
+
+
 ## <small>6.2.3 (2025-03-24)</small>
 
 * fix: fs raw query with query separators (#19702) ([f234b57](https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1)), closes [#19702](https://github.com/vitejs/vite/issues/19702)

diff --git a/packages/vite/package.json b/packages/vite/package.json
@@ -1,6 +1,6 @@
 {
   "name": "vite",
-  "version": "6.2.3",
+  "version": "6.2.4",
   "type": "module",
   "license": "MIT",
   "author": "Evan You",

diff --git a/packages/vite/src/node/server/middlewares/transform.ts b/packages/vite/src/node/server/middlewares/transform.ts
@@ -12,10 +12,8 @@ import {
   isJSRequest,
   normalizePath,
   prettifyUrl,
-  rawRE,
   removeImportQuery,
   removeTimestampQuery,
-  urlRE,
 } from '../../utils'
 import { send } from '../send'
 import { ERR_LOAD_URL, transformRequest } from '../transformRequest'
@@ -45,6 +43,11 @@ const debugCache = createDebugger('vite:cache')
 const knownIgnoreList = new Set(['/', '/favicon.ico'])
 const trailingQuerySeparatorsRE = /[?&]+$/
 
+// TODO: consolidate this regex pattern with the url, raw, and inline checks in plugins
+const urlRE = /[?&]url\b/
+const rawRE = /[?&]raw\b/
+const inlineRE = /[?&]inline\b/
+
 /**
  * A middleware that short-circuits the middleware chain to serve cached transformed modules
  */
@@ -176,7 +179,8 @@ export function transformMiddleware(
       )
       if (
         (rawRE.test(urlWithoutTrailingQuerySeparators) ||
-          urlRE.test(urlWithoutTrailingQuerySeparators)) &&
+          urlRE.test(urlWithoutTrailingQuerySeparators) ||
+          inlineRE.test(urlWithoutTrailingQuerySeparators)) &&
         !ensureServingAccess(
           urlWithoutTrailingQuerySeparators,
           server,

diff --git a/playground/fs-serve/__tests__/fs-serve.spec.ts b/playground/fs-serve/__tests__/fs-serve.spec.ts
@@ -67,6 +67,18 @@ describe.runIf(isServe)('main', () => {
     expect(await page.textContent('.unsafe-fetch-8498-2-status')).toBe('404')
   })
 
+  test('unsafe fetch import inline', async () => {
+    expect(await page.textContent('.unsafe-fetch-import-inline-status')).toBe(
+      '403',
+    )
+  })
+
+  test('unsafe fetch raw query import', async () => {
+    expect(
+      await page.textContent('.unsafe-fetch-raw-query-import-status'),
+    ).toBe('403')
+  })
+
   test('safe fs fetch', async () => {
     expect(await page.textContent('.safe-fs-fetch')).toBe(stringified)
     expect(await page.textContent('.safe-fs-fetch-status')).toBe('200')
@@ -120,6 +132,18 @@ describe.runIf(isServe)('main', () => {
     expect(await page.textContent('.unsafe-fs-fetch-8498-2-status')).toBe('404')
   })
 
+  test('unsafe fs fetch import inline', async () => {
+    expect(
+      await page.textContent('.unsafe-fs-fetch-import-inline-status'),
+    ).toBe('403')
+  })
+
+  test('unsafe fs fetch import inline wasm init', async () => {
+    expect(
+      await page.textContent('.unsafe-fs-fetch-import-inline-wasm-init-status'),
+    ).toBe('403')
+  })
+
   test('nested entry', async () => {
     expect(await page.textContent('.nested-entry')).toBe('foobar')
   })

diff --git a/playground/fs-serve/root/src/index.html b/playground/fs-serve/root/src/index.html
@@ -23,6 +23,8 @@ <h2>Unsafe Fetch</h2>
 <pre class="unsafe-fetch-8498"></pre>
 <pre class="unsafe-fetch-8498-2-status"></pre>
 <pre class="unsafe-fetch-8498-2"></pre>
+<pre class="unsafe-fetch-import-inline-status"></pre>
+<pre class="unsafe-fetch-raw-query-import-status"></pre>
 
 <h2>Safe /@fs/ Fetch</h2>
 <pre class="safe-fs-fetch-status"></pre>
@@ -45,6 +47,8 @@ <h2>Unsafe /@fs/ Fetch</h2>
 <pre class="unsafe-fs-fetch-8498"></pre>
 <pre class="unsafe-fs-fetch-8498-2-status"></pre>
 <pre class="unsafe-fs-fetch-8498-2"></pre>
+<pre class="unsafe-fs-fetch-import-inline-status"></pre>
+<pre class="unsafe-fs-fetch-import-inline-wasm-init-status"></pre>
 
 <h2>Nested Entry</h2>
 <pre class="nested-entry"></pre>
@@ -160,6 +164,24 @@ <h2>Denied</h2>
       console.error(e)
     })
 
+  // outside of allowed dir with import inline
+  fetch(joinUrlSegments(base, '/unsafe.txt?import&inline'))
+    .then((r) => {
+      text('.unsafe-fetch-import-inline-status', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
+  // outside of allowed dir with raw query import
+  fetch(joinUrlSegments(base, '/unsafe.txt?raw?import'))
+    .then((r) => {
+      text('.unsafe-fetch-raw-query-import-status', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
   // imported before, should be treated as safe
   fetch(joinUrlSegments(base, joinUrlSegments('/@fs/', ROOT) + '/safe.json'))
     .then((r) => {
@@ -247,6 +269,35 @@ <h2>Denied</h2>
       console.error(e)
     })
 
+  // outside of root inline
+  fetch(
+    joinUrlSegments(
+      base,
+      joinUrlSegments('/@fs/', ROOT) + '/root/unsafe.txt?import&inline',
+    ),
+  )
+    .then((r) => {
+      text('.unsafe-fs-fetch-import-inline-status', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
+  // outside of root inline, faux wasm?init
+  fetch(
+    joinUrlSegments(
+      base,
+      joinUrlSegments('/@fs/', ROOT) +
+        '/root/unsafe.txt?import&?inline=1.wasm?init',
+    ),
+  )
+    .then((r) => {
+      text('.unsafe-fs-fetch-import-inline-wasm-init-status', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
   // outside root with special characters #8498
   fetch(
     joinUrlSegments(