fix: fs deny for case insensitive

Author: patak-dev

packages/vite/src/node/server/index.ts

@@ -452,7 +452,10 @@ export async function createServer(
     _importGlobMap: new Map(),
     _forceOptimizeOnRestart: false,
     _pendingRequests: new Map(),
-    _fsDenyGlob: picomatch(config.server.fs.deny, { matchBase: true })
+    _fsDenyGlob: picomatch(config.server.fs.deny, {
+      matchBase: true,
+      nocase: true
+    })
   }
 
   server.transformIndexHtml = createDevHtmlTransformFn(server)

playground/fs-serve/__tests__/fs-serve.spec.ts

@@ -95,7 +95,13 @@ describe.runIf(isServe)('main', () => {
   })
 
   test('denied', async () => {
-    expect(await page.textContent('.unsafe-dotenv')).toBe('404')
+    expect(await page.textContent('.unsafe-dotenv')).toBe('403')
+  })
+
+  test('denied EnV casing', async () => {
+    // It is 403 in case insensitive system, 404 in others
+    const code = await page.textContent('.unsafe-dotEnV-casing')
+    expect(code === '403' || code === '404').toBeTruthy()
   })
 })
 

playground/fs-serve/root/src/index.html

@@ -45,6 +45,7 @@ <h2>Nested Entry</h2>
 
 <h2>Denied</h2>
 <pre class="unsafe-dotenv"></pre>
+<pre class="unsafe-dotEnV-casing"></pre>
 
 <script type="module">
   import '../../entry'
@@ -202,14 +203,23 @@ <h2>Denied</h2>
     })
 
   // .env, denied by default
-  fetch('/@fs/' + ROOT + '/root/.env')
+  fetch('/@fs/' + ROOT + '/root/src/.env')
     .then((r) => {
       text('.unsafe-dotenv', r.status)
     })
     .catch((e) => {
       console.error(e)
     })
 
+  // .env, for case insensitive file systems
+  fetch('/@fs/' + ROOT + '/root/src/.EnV')
+    .then((r) => {
+      text('.unsafe-dotEnV-casing', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
   function text(sel, text) {
     document.querySelector(sel).textContent = text
   }