From 4fb89197d17612c3bff2c560bb56d4cd2ff3dab9 Mon Sep 17 00:00:00 2001
From: patak <583075+patak-dev@users.noreply.github.com>
Date: Mon, 16 Sep 2024 17:38:29 +0200
Subject: [PATCH 1/2] fix: fs raw query (#18112)

---
 .../src/node/server/middlewares/static.ts | 2 +-
 .../src/node/server/middlewares/transform.ts | 9 +++++++++
 .../fs-serve/__tests__/fs-serve.spec.ts | 5 +++++
 playground/fs-serve/root/src/index.html | 20 +++++++++++++++++++
 4 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index dac16e071b8217..6cb8a0c383a77f 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -232,7 +232,7 @@ export function isFileServingAllowed(
   return false
 }
 
-function ensureServingAccess(
+export function ensureServingAccess(
   url: string,
   server: ViteDevServer,
   res: ServerResponse,
diff --git a/packages/vite/src/node/server/middlewares/transform.ts b/packages/vite/src/node/server/middlewares/transform.ts
index 6df8ae25091c6d..b56ccb76ff9ef3 100644
--- a/packages/vite/src/node/server/middlewares/transform.ts
+++ b/packages/vite/src/node/server/middlewares/transform.ts
@@ -12,6 +12,7 @@ import {
   isJSRequest,
   normalizePath,
   prettifyUrl,
+  rawRE,
   removeImportQuery,
   removeTimestampQuery,
   urlRE,
@@ -35,6 +36,7 @@ import { ERR_CLOSED_SERVER } from '../pluginContainer'
 import { getDepsOptimizer } from '../../optimizer'
 import { cleanUrl, unwrapId, withTrailingSlash } from '../../../shared/utils'
 import { NULL_BYTE_PLACEHOLDER } from '../../../shared/constants'
+import { ensureServingAccess } from './static'
 
 const debugCache = createDebugger('vite:cache')
 
@@ -161,6 +163,13 @@ export function transformMiddleware(
     warnAboutExplicitPublicPathInUrl(url)
   }
 
+  if (
+    (rawRE.test(url) || urlRE.test(url)) &&
+    !ensureServingAccess(url, server, res, next)
+  ) {
+    return
+  }
+
   if (
     isJSRequest(url) ||
     isImportRequest(url) ||
diff --git a/playground/fs-serve/__tests__/fs-serve.spec.ts b/playground/fs-serve/__tests__/fs-serve.spec.ts
index 9d9d4c6ec80e54..16ecc0b78dc295 100644
--- a/playground/fs-serve/__tests__/fs-serve.spec.ts
+++ b/playground/fs-serve/__tests__/fs-serve.spec.ts
@@ -77,6 +77,11 @@ describe.runIf(isServe)('main', () => {
     expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
   })
 
+  test('unsafe fs fetch', async () => {
+    expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('')
+    expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403')
+  })
+
   test('unsafe fs fetch with special characters (#8498)', async () => {
     expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
     expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')
diff --git a/playground/fs-serve/root/src/index.html b/playground/fs-serve/root/src/index.html
index 06bee3f8671949..fb1276d79fea22 100644
--- a/playground/fs-serve/root/src/index.html
+++ b/playground/fs-serve/root/src/index.html
@@ -35,6 +35,8 @@
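Review bot: The new early-return guard in transformMiddleware carries no comment explaining why only `rawRE`/`urlRE` requests get a `server.fs.allow` check at this point while other module requests continue into the plugin pipeline, which is exactly the kind of security-motivated special case a later refactor can drop by accident. Suggest adding above the `if (`: `// ?raw / ?url requests hand the file's bytes back verbatim, so enforce server.fs.allow here before transform, as the static middleware does for plain file requests.` The early `return` implies that ensureServingAccess writes the denial response itself when it returns false, but that contract is only inferred here since its body is outside this hunk; a one-line mention of it in the comment would help readers. transformMiddleware's body continues outside the hunk.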
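Review bot: The added test covers only the `?import&raw` form, whereas the middleware change it accompanies gates both `rawRE` and `urlRE` matches, so the `?url` path is left without a regression test; a sibling assertion on a `?url` fetch against the same out-of-root file (with a matching fixture in index.html) would close that gap. The title `'unsafe fs fetch'` also does not say what distinguishes this case from the neighbouring unsafe-fetch tests; suggest `test('unsafe fs fetch with ?import&raw query', async () => {`. The enclosing `describe` block starts and ends outside the hunk.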

Safe /@fs/ Fetch

Unsafe /@fs/ Fetch


 

+

+

 

 

 

@@ -188,6 +190,24 @@ 

Denied

         console.error(e)
       })
 
+      // not imported before, outside of root, treated as unsafe
+      fetch(
+        joinUrlSegments(
+          base,
+          joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw',
+        ),
+      )
+        .then((r) => {
+          text('.unsafe-fs-fetch-raw-status', r.status)
+          return r.json()
+        })
+        .then((data) => {
+          text('.unsafe-fs-fetch-raw', JSON.stringify(data))
+        })
+        .catch((e) => {
+          console.error(e)
+        })
+
       // outside root with special characters #8498
       fetch(
         joinUrlSegments(
From f04268c8bbe7bea124de024790586dd95bf1c3d7 Mon Sep 17 00:00:00 2001
From: jackfromeast
Date: Mon, 16 Sep 2024 11:42:53 -0400
Subject: [PATCH 2/2] fix: avoid DOM Clobbering gadget in `getRelativeUrlFromDocument` (#18115)

---
 packages/vite/src/node/build.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/vite/src/node/build.ts b/packages/vite/src/node/build.ts
index 8bcacb834680e8..e3e7291fbb4150 100644
--- a/packages/vite/src/node/build.ts
+++ b/packages/vite/src/node/build.ts
@@ -1133,7 +1133,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
   getResolveUrl(
     `'${escapeId(partialEncodeURIPath(relativePath))}', ${
       umd ? `typeof document === 'undefined' ? location.href : ` : ''
-    }document.currentScript && document.currentScript.src || document.baseURI`,
+    }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
   )
 
 const getFileUrlFromFullPath = (path: string) =>
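Review bot: The emitted expression on the `+` line assumes `document.currentScript` has a string `tagName`; if it resolves to a value without one, `.toUpperCase()` now throws inside the generated runtime preamble instead of falling through to `document.baseURI`, which turns a clobbering attempt into a page-breaking TypeError rather than a safe fallback. A defensive form is `}document.currentScript && document.currentScript.tagName && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,` (the `toUpperCase()` is presumably kept so SVG `script` elements, whose tagName is lowercase, still pass — worth stating). This string is runtime code embedded in a template literal, so a comment above `getResolveUrl(` explaining the tagName check, e.g. `// guard against DOM clobbering: a named non-script element can shadow document.currentScript`, would keep the next editor from simplifying it away. The `const getRelativeUrlFromDocument` declaration itself sits outside the hunk (it appears only in the `@@` header).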