feat!: server fs strict by default (#5341)

vitejs · Oct 27, 2021 · 2136771 · 2136771
1 parent 1a15460
commit 2136771
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 25 deletions.
diff --git a/docs/config/index.md b/docs/config/index.md
@@ -542,18 +542,16 @@ createServer()
 
 ### server.fs.strict
 
-- **Experimental**
 - **Type:** `boolean`
-- **Default:** `false` (will change to `true` in future versions)
+- **Default:** `true` (enabled by default since Vite 2.7)
 
   Restrict serving files outside of workspace root.
 
 ### server.fs.allow
 
-- **Experimental**
 - **Type:** `string[]`
 
-  Restrict files that could be served via `/@fs/`. When `server.fs.strict` is set to `true`, accessing files outside this directory list will result in a 403.
+  Restrict files that could be served via `/@fs/`. When `server.fs.strict` is set to `true`, accessing files outside this directory list that aren't imported from an allowed file will result in a 403.
 
   Vite will search for the root of the potential workspace and use it as default. A valid workspace met the following conditions, otherwise will fallback to the [project root](/guide/#index-html-and-project-root).
 

diff --git a/packages/vite/src/node/server/index.ts b/packages/vite/src/node/server/index.ts
@@ -148,18 +148,15 @@ export interface FileSystemServeOptions {
    * Set to `false` to disable the warning
    * Default to false at this moment, will enabled by default in the future versions.
    *
-   * @experimental
-   * @default undefined
+   * @default true
    */
-  strict?: boolean | undefined
+  strict?: boolean
 
   /**
    * Restrict accessing files outside the allowed directories.
    *
    * Accepts absolute path or a path relative to project root.
    * Will try to search up for workspace root by default.
-   *
-   * @experimental
    */
   allow?: string[]
 
@@ -717,8 +714,7 @@ export function resolveServerOptions(
   }
 
   server.fs = {
-    // TODO: make strict by default
-    strict: server.fs?.strict,
+    strict: server.fs?.strict ?? true,
     allow: allowDirs,
     deny
   }

diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
@@ -137,8 +137,7 @@ export function isFileServingAllowed(
   url: string,
   server: ViteDevServer
 ): boolean {
-  // explicitly disabled
-  if (server.config.server.fs.strict === false) return true
+  if (!server.config.server.fs.strict) return true
 
   const cleanedUrl = cleanUrl(url)
   const file = ensureLeadingSlash(normalizePath(cleanedUrl))
@@ -151,18 +150,6 @@ export function isFileServingAllowed(
   if (server.config.server.fs.allow.some((i) => file.startsWith(i + '/')))
     return true
 
-  if (!server.config.server.fs.strict) {
-    if (isFileReadable(cleanedUrl)) {
-      server.config.logger.warnOnce(`Unrestricted file system access to "${url}"`)
-      server.config.logger.warnOnce(
-        `For security concerns, accessing files outside of serving allow list will ` +
-        `be restricted by default in the future version of Vite. ` +
-        `Refer to https://vitejs.dev/config/#server-fs-allow for more details.`
-      )
-    }
-    return true
-  }
-
   return false
 }