fix: don't resolve URL starting with double slash (#19059)
sapphi-red authored Jan 7, 2025
1 parent ea53e70 commit 35942cd
Showing 2 changed files with 8 additions and 5 deletions.
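--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -119,12 +119,15 @@ export function serveStaticMiddleware(
 if (
 cleanedUrl[cleanedUrl.length - 1] === '/' ||
 path.extname(cleanedUrl) === '.html' ||
-isInternalRequest(req.url!)
+isInternalRequest(req.url!) ||
+// skip url starting with // as these will be interpreted as
+// scheme relative URLs by new URL() and will not be a valid file path
+req.url?.startsWith('//')
 ) {
 return next()
 }
 
-const url = new URL(req.url!.replace(/^\/{2,}/, '/'), 'http://example.com')
+const url = new URL(req.url!, 'http://example.com')
 const pathname = decodeURI(url.pathname)
 
 // apply aliases to static requests as well
@@ -177,12 +180,12 @@ export function serveRawFsMiddleware(
 
 // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
 return function viteServeRawFsMiddleware(req, res, next) {
-const url = new URL(req.url!.replace(/^\/{2,}/, '/'), 'http://example.com')
 // In some cases (e.g. linked monorepos) files outside of root will
 // reference assets that are also out of served root. In such cases
 // the paths are rewritten to `/@fs/` prefixed paths and must be served by
 // searching based from fs root.
-if (url.pathname.startsWith(FS_PREFIX)) {
+if (req.url!.startsWith(FS_PREFIX)) {
+const url = new URL(req.url!, 'http://example.com')
 const pathname = decodeURI(url.pathname)
 // restrict files outside of `fs.allow`
 if (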
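Review bot: The new guard `req.url?.startsWith('//')` only covers a forward-slash pair, but WHATWG URL parsing, which `new URL(req.url!, 'http://example.com')` below it implements, also treats a backslash as a slash after a special-scheme base, so a request like `/\host/secret` is parsed with `host` as the authority and `/secret` as `url.pathname` — the same mismatch between `req.url` and the checked `pathname` that the `//` skip exists to avoid. Whether that is reachable as a deny bypass depends on how the downstream file server consumes `req.url`, which is outside this hunk, but widening the guard is cheap: `/^\/[\/\\]/.test(req.url ?? '')`, with the comment extended to say "starting with // or /\". Minor style point: the line above uses `req.url!` while the new line uses `req.url?.`; the two should share one nullability assumption. The enclosing `serveStaticMiddleware` handler starts and ends outside the hunk, as does `viteServeRawFsMiddleware` in the second hunk.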
Expand Up @@ -28,5 +28,5 @@ if (!isBuild) {

test.runIf(!isBuild)('denied .env', async () => {
expect(await page.textContent('.unsafe-dotenv')).toBe('403')
expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('403')
expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('200') // SPA fallback
})
