fix: fs.deny with globs with directories (vitejs#16250)

sapphi-red · sapphi-red · commit 1da83929ae42 · 2024-03-24T22:54:50.000+09:00
diff --git a/packages/vite/src/node/server/index.ts b/packages/vite/src/node/server/index.ts
@@ -452,10 +452,19 @@ export async function createServer(
     _importGlobMap: new Map(),
     _forceOptimizeOnRestart: false,
     _pendingRequests: new Map(),
-    _fsDenyGlob: picomatch(config.server.fs.deny, {
-      matchBase: true,
-      nocase: true
-    })
+    _fsDenyGlob: picomatch(
+      // matchBase: true does not work as it's documented
+      // https://github.com/micromatch/picomatch/issues/89
+      // convert patterns without `/` on our side for now
+      config.server.fs.deny.map((pattern) =>
+        pattern.includes('/') ? pattern : `**/${pattern}`
+      ),
+      {
+        matchBase: false,
+        nocase: true,
+        dot: true
+      }
+    )
   }
 
   server.transformIndexHtml = createDevHtmlTransformFn(server)
diff --git a/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts b/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts
@@ -0,0 +1,17 @@
+import { describe, expect, test } from 'vitest'
+import { isServe, page, viteTestUrl } from '~utils'
+
+describe.runIf(isServe)('main', () => {
+  test('**/deny/** should deny src/deny/deny.txt', async () => {
+    const res = await page.request.fetch(
+      new URL('/src/deny/deny.txt', viteTestUrl).href
+    )
+    expect(res.status()).toBe(403)
+  })
+  test('**/deny/** should deny src/deny/.deny', async () => {
+    const res = await page.request.fetch(
+      new URL('/src/deny/.deny', viteTestUrl).href
+    )
+    expect(res.status()).toBe(403)
+  })
+})
diff --git a/playground/fs-serve/__tests__/deny/vite.config.js b/playground/fs-serve/__tests__/deny/vite.config.js
@@ -0,0 +1 @@
+module.exports = require('../../root/vite.config-deny')
diff --git a/playground/fs-serve/package.json b/playground/fs-serve/package.json
@@ -6,6 +6,9 @@
     "dev": "vite root",
     "build": "vite build root",
     "debug": "node --inspect-brk ../../packages/vite/bin/vite",
-    "preview": "vite preview root"
+    "preview": "vite preview root",
+    "dev:deny": "vite root --config ./root/vite.config-deny.js",
+    "build:deny": "vite build root --config ./root/vite.config-deny.js",
+    "preview:deny": "vite preview root --config ./root/vite.config-deny.js"
   }
 }
diff --git a/playground/fs-serve/root/src/deny/.deny b/playground/fs-serve/root/src/deny/.deny
@@ -0,0 +1 @@
+.deny
diff --git a/playground/fs-serve/root/src/deny/deny.txt b/playground/fs-serve/root/src/deny/deny.txt
@@ -0,0 +1 @@
+deny
diff --git a/playground/fs-serve/root/vite.config-deny.js b/playground/fs-serve/root/vite.config-deny.js
@@ -0,0 +1,22 @@
+import path from 'node:path'
+import { defineConfig } from 'vite'
+
+export default defineConfig({
+  build: {
+    rollupOptions: {
+      input: {
+        main: path.resolve(__dirname, 'src/index.html')
+      }
+    }
+  },
+  server: {
+    fs: {
+      strict: true,
+      allow: [path.resolve(__dirname, 'src')],
+      deny: ['**/deny/**']
+    }
+  },
+  define: {
+    ROOT: JSON.stringify(path.dirname(__dirname).replace(/\\/g, '/'))
+  }
+})

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+module.exports = require('../../root/vite.config-deny')`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,9 @@`
`6`	`6`	`"dev": "vite root",`
`7`	`7`	`"build": "vite build root",`
`8`	`8`	`"debug": "node --inspect-brk ../../packages/vite/bin/vite",`
`9`		`- "preview": "vite preview root"`
	`9`	`+ "preview": "vite preview root",`
	`10`	`+ "dev:deny": "vite root --config ./root/vite.config-deny.js",`
	`11`	`+ "build:deny": "vite build root --config ./root/vite.config-deny.js",`
	`12`	`+ "preview:deny": "vite preview root --config ./root/vite.config-deny.js"`
`10`	`13`	`}`
`11`	`14`	`}`