fix: fs check in transform middleware (#19761)

patak-dev · patak-dev · commit 7a4fabab6a3a · 2025-03-31T11:25:27.000+02:00
diff --git a/packages/vite/src/node/server/middlewares/transform.ts b/packages/vite/src/node/server/middlewares/transform.ts
@@ -12,10 +12,8 @@ import {
   isJSRequest,
   normalizePath,
   prettifyUrl,
-  rawRE,
   removeImportQuery,
   removeTimestampQuery,
-  urlRE,
 } from '../../utils'
 import { send } from '../send'
 import { ERR_LOAD_URL, transformRequest } from '../transformRequest'
@@ -45,6 +43,11 @@ const debugCache = createDebugger('vite:cache')
 const knownIgnoreList = new Set(['/', '/favicon.ico'])
 const trailingQuerySeparatorsRE = /[?&]+$/
 
+// TODO: consolidate this regex pattern with the url, raw, and inline checks in plugins
+const urlRE = /[?&]url\b/
+const rawRE = /[?&]raw\b/
+const inlineRE = /[?&]inline\b/
+
 /**
  * A middleware that short-circuits the middleware chain to serve cached transformed modules
  */
@@ -176,7 +179,8 @@ export function transformMiddleware(
       )
       if (
         (rawRE.test(urlWithoutTrailingQuerySeparators) ||
-          urlRE.test(urlWithoutTrailingQuerySeparators)) &&
+          urlRE.test(urlWithoutTrailingQuerySeparators) ||
+          inlineRE.test(urlWithoutTrailingQuerySeparators)) &&
         !ensureServingAccess(
           urlWithoutTrailingQuerySeparators,
           server,
diff --git a/playground/fs-serve/__tests__/fs-serve.spec.ts b/playground/fs-serve/__tests__/fs-serve.spec.ts
@@ -67,6 +67,18 @@ describe.runIf(isServe)('main', () => {
     expect(await page.textContent('.unsafe-fetch-8498-2-status')).toBe('404')
   })
 
+  test('unsafe fetch import inline', async () => {
+    expect(await page.textContent('.unsafe-fetch-import-inline-status')).toBe(
+      '403',
+    )
+  })
+
+  test('unsafe fetch raw query import', async () => {
+    expect(
+      await page.textContent('.unsafe-fetch-raw-query-import-status'),
+    ).toBe('403')
+  })
+
   test('safe fs fetch', async () => {
     expect(await page.textContent('.safe-fs-fetch')).toBe(stringified)
     expect(await page.textContent('.safe-fs-fetch-status')).toBe('200')
@@ -120,6 +132,18 @@ describe.runIf(isServe)('main', () => {
     expect(await page.textContent('.unsafe-fs-fetch-8498-2-status')).toBe('404')
   })
 
+  test('unsafe fs fetch import inline', async () => {
+    expect(
+      await page.textContent('.unsafe-fs-fetch-import-inline-status'),
+    ).toBe('403')
+  })
+
+  test('unsafe fs fetch import inline wasm init', async () => {
+    expect(
+      await page.textContent('.unsafe-fs-fetch-import-inline-wasm-init-status'),
+    ).toBe('403')
+  })
+
   test('nested entry', async () => {
     expect(await page.textContent('.nested-entry')).toBe('foobar')
   })
diff --git a/playground/fs-serve/root/src/index.html b/playground/fs-serve/root/src/index.html
@@ -23,6 +23,8 @@ <h2>Unsafe Fetch</h2>
 <pre class="unsafe-fetch-8498"></pre>
 <pre class="unsafe-fetch-8498-2-status"></pre>
 <pre class="unsafe-fetch-8498-2"></pre>
+<pre class="unsafe-fetch-import-inline-status"></pre>
+<pre class="unsafe-fetch-raw-query-import-status"></pre>
 
 <h2>Safe /@fs/ Fetch</h2>
 <pre class="safe-fs-fetch-status"></pre>
@@ -45,6 +47,8 @@ <h2>Unsafe /@fs/ Fetch</h2>
 <pre class="unsafe-fs-fetch-8498"></pre>
 <pre class="unsafe-fs-fetch-8498-2-status"></pre>
 <pre class="unsafe-fs-fetch-8498-2"></pre>
+<pre class="unsafe-fs-fetch-import-inline-status"></pre>
+<pre class="unsafe-fs-fetch-import-inline-wasm-init-status"></pre>
 
 <h2>Nested Entry</h2>
 <pre class="nested-entry"></pre>
@@ -160,6 +164,24 @@ <h2>Denied</h2>
       console.error(e)
     })
 
+  // outside of allowed dir with import inline
+  fetch(joinUrlSegments(base, '/unsafe.txt?import&inline'))
+    .then((r) => {
+      text('.unsafe-fetch-import-inline-status', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
+  // outside of allowed dir with raw query import
+  fetch(joinUrlSegments(base, '/unsafe.txt?raw?import'))
+    .then((r) => {
+      text('.unsafe-fetch-raw-query-import-status', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
   // imported before, should be treated as safe
   fetch(joinUrlSegments(base, joinUrlSegments('/@fs/', ROOT) + '/safe.json'))
     .then((r) => {
@@ -247,6 +269,35 @@ <h2>Denied</h2>
       console.error(e)
     })
 
+  // outside of root inline
+  fetch(
+    joinUrlSegments(
+      base,
+      joinUrlSegments('/@fs/', ROOT) + '/root/unsafe.txt?import&inline',
+    ),
+  )
+    .then((r) => {
+      text('.unsafe-fs-fetch-import-inline-status', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
+  // outside of root inline, faux wasm?init
+  fetch(
+    joinUrlSegments(
+      base,
+      joinUrlSegments('/@fs/', ROOT) +
+        '/root/unsafe.txt?import&?inline=1.wasm?init',
+    ),
+  )
+    .then((r) => {
+      text('.unsafe-fs-fetch-import-inline-wasm-init-status', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
   // outside root with special characters #8498
   fetch(
     joinUrlSegments(
