fix: fs.deny with globs with directories (#16250)

sapphi-red · web-flow · commit ba5269cca81d · 2024-03-24T13:31:50.000+01:00
diff --git a/packages/vite/src/node/server/index.ts b/packages/vite/src/node/server/index.ts
@@ -685,10 +685,19 @@ export async function _createServer(
     _importGlobMap: new Map(),
     _forceOptimizeOnRestart: false,
     _pendingRequests: new Map(),
-    _fsDenyGlob: picomatch(config.server.fs.deny, {
-      matchBase: true,
-      nocase: true,
-    }),
+    _fsDenyGlob: picomatch(
+      // matchBase: true does not work as it's documented
+      // https://github.com/micromatch/picomatch/issues/89
+      // convert patterns without `/` on our side for now
+      config.server.fs.deny.map((pattern) =>
+        pattern.includes('/') ? pattern : `**/${pattern}`,
+      ),
+      {
+        matchBase: false,
+        nocase: true,
+        dot: true,
+      },
+    ),
     _shortcutsOptions: undefined,
   }
 
diff --git a/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts b/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts
@@ -0,0 +1,17 @@
+import { describe, expect, test } from 'vitest'
+import { isServe, page, viteTestUrl } from '~utils'
+
+describe.runIf(isServe)('main', () => {
+  test('**/deny/** should deny src/deny/deny.txt', async () => {
+    const res = await page.request.fetch(
+      new URL('/src/deny/deny.txt', viteTestUrl).href,
+    )
+    expect(res.status()).toBe(403)
+  })
+  test('**/deny/** should deny src/deny/.deny', async () => {
+    const res = await page.request.fetch(
+      new URL('/src/deny/.deny', viteTestUrl).href,
+    )
+    expect(res.status()).toBe(403)
+  })
+})
diff --git a/playground/fs-serve/package.json b/playground/fs-serve/package.json
@@ -10,6 +10,9 @@
     "preview": "vite preview root",
     "dev:base": "vite root --config ./root/vite.config-base.js",
     "build:base": "vite build root --config ./root/vite.config-base.js",
-    "preview:base": "vite preview root --config ./root/vite.config-base.js"
+    "preview:base": "vite preview root --config ./root/vite.config-base.js",
+    "dev:deny": "vite root --config ./root/vite.config-deny.js",
+    "build:deny": "vite build root --config ./root/vite.config-deny.js",
+    "preview:deny": "vite preview root --config ./root/vite.config-deny.js"
   }
 }
diff --git a/playground/fs-serve/root/src/deny/.deny b/playground/fs-serve/root/src/deny/.deny
@@ -0,0 +1 @@
+.deny
diff --git a/playground/fs-serve/root/src/deny/deny.txt b/playground/fs-serve/root/src/deny/deny.txt
@@ -0,0 +1 @@
+deny
diff --git a/playground/fs-serve/root/vite.config-deny.js b/playground/fs-serve/root/vite.config-deny.js
@@ -0,0 +1,22 @@
+import path from 'node:path'
+import { defineConfig } from 'vite'
+
+export default defineConfig({
+  build: {
+    rollupOptions: {
+      input: {
+        main: path.resolve(__dirname, 'src/index.html'),
+      },
+    },
+  },
+  server: {
+    fs: {
+      strict: true,
+      allow: [path.resolve(__dirname, 'src')],
+      deny: ['**/deny/**'],
+    },
+  },
+  define: {
+    ROOT: JSON.stringify(path.dirname(__dirname).replace(/\\/g, '/')),
+  },
+})

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,9 @@`
`10`	`10`	`"preview": "vite preview root",`
`11`	`11`	`"dev:base": "vite root --config ./root/vite.config-base.js",`
`12`	`12`	`"build:base": "vite build root --config ./root/vite.config-base.js",`
`13`		`- "preview:base": "vite preview root --config ./root/vite.config-base.js"`
	`13`	`+ "preview:base": "vite preview root --config ./root/vite.config-base.js",`
	`14`	`+ "dev:deny": "vite root --config ./root/vite.config-deny.js",`
	`15`	`+ "build:deny": "vite build root --config ./root/vite.config-deny.js",`
	`16`	`+ "preview:deny": "vite preview root --config ./root/vite.config-deny.js"`
`14`	`17`	`}`
`15`	`18`	`}`