From 35942cde11fd8a68fa89bf25f7aa1ddb87d775b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=BF=A0=20/=20green?= Date: Tue, 7 Jan 2025 17:44:23 +0900 Subject: [PATCH] fix: don't resolve URL starting with double slash (#19059) --- packages/vite/src/node/server/middlewares/static.ts | 11 +++++++---- .../assets-sanitize/__tests__/assets-sanitize.spec.ts | 2 +- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts index 8dc4616996aeae..ea7cd9b8b7688e 100644 --- a/packages/vite/src/node/server/middlewares/static.ts +++ b/packages/vite/src/node/server/middlewares/static.ts @@ -119,12 +119,15 @@ export function serveStaticMiddleware( if ( cleanedUrl[cleanedUrl.length - 1] === '/' || path.extname(cleanedUrl) === '.html' || - isInternalRequest(req.url!) + isInternalRequest(req.url!) || + // skip url starting with // as these will be interpreted as + // scheme relative URLs by new URL() and will not be a valid file path + req.url?.startsWith('//') ) { return next() } - const url = new URL(req.url!.replace(/^\/{2,}/, '/'), 'http://example.com') + const url = new URL(req.url!, 'http://example.com') const pathname = decodeURI(url.pathname) // apply aliases to static requests as well @@ -177,12 +180,12 @@ export function serveRawFsMiddleware( // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...` return function viteServeRawFsMiddleware(req, res, next) { - const url = new URL(req.url!.replace(/^\/{2,}/, '/'), 'http://example.com') // In some cases (e.g. linked monorepos) files outside of root will // reference assets that are also out of served root. In such cases // the paths are rewritten to `/@fs/` prefixed paths and must be served by // searching based from fs root. - if (url.pathname.startsWith(FS_PREFIX)) { + if (req.url!.startsWith(FS_PREFIX)) { + const url = new URL(req.url!, 'http://example.com') const pathname = decodeURI(url.pathname) // restrict files outside of `fs.allow` if ( diff --git a/playground/assets-sanitize/__tests__/assets-sanitize.spec.ts b/playground/assets-sanitize/__tests__/assets-sanitize.spec.ts index f4a25aa1ef6264..a64292c7d7d78b 100644 --- a/playground/assets-sanitize/__tests__/assets-sanitize.spec.ts +++ b/playground/assets-sanitize/__tests__/assets-sanitize.spec.ts @@ -28,5 +28,5 @@ if (!isBuild) { test.runIf(!isBuild)('denied .env', async () => { expect(await page.textContent('.unsafe-dotenv')).toBe('403') - expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('403') + expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('200') // SPA fallback })