fix: backport #19702, fs raw query with query separators (#19703)

Author: sapphi-red

packages/vite/src/node/server/middlewares/transform.ts

@@ -41,6 +41,7 @@ import { ensureServingAccess } from './static'
 const debugCache = createDebugger('vite:cache')
 
 const knownIgnoreList = new Set(['/', '/favicon.ico'])
+const trailingQuerySeparatorsRE = /[?&]+$/
 
 /**
  * A middleware that short-circuits the middleware chain to serve cached transformed modules
@@ -163,9 +164,19 @@ export function transformMiddleware(
         warnAboutExplicitPublicPathInUrl(url)
       }
 
+      const urlWithoutTrailingQuerySeparators = url.replace(
+        trailingQuerySeparatorsRE,
+        '',
+      )
       if (
-        (rawRE.test(url) || urlRE.test(url)) &&
-        !ensureServingAccess(url, server, res, next)
+        (rawRE.test(urlWithoutTrailingQuerySeparators) ||
+          urlRE.test(urlWithoutTrailingQuerySeparators)) &&
+        !ensureServingAccess(
+          urlWithoutTrailingQuerySeparators,
+          server,
+          res,
+          next,
+        )
       ) {
         return
       }

playground/fs-serve/__tests__/fs-serve.spec.ts

@@ -96,6 +96,20 @@ describe.runIf(isServe)('main', () => {
     expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403')
   })
 
+  test('unsafe fs fetch query 1', async () => {
+    expect(await page.textContent('.unsafe-fs-fetch-raw-query1')).toBe('')
+    expect(await page.textContent('.unsafe-fs-fetch-raw-query1-status')).toBe(
+      '403',
+    )
+  })
+
+  test('unsafe fs fetch query 2', async () => {
+    expect(await page.textContent('.unsafe-fs-fetch-raw-query2')).toBe('')
+    expect(await page.textContent('.unsafe-fs-fetch-raw-query2-status')).toBe(
+      '403',
+    )
+  })
+
   test('unsafe fs fetch with special characters (#8498)', async () => {
     expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
     expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')

playground/fs-serve/root/src/index.html

@@ -37,6 +37,10 @@ <h2>Unsafe /@fs/ Fetch</h2>
 <pre class="unsafe-fs-fetch"></pre>
 <pre class="unsafe-fs-fetch-raw-status"></pre>
 <pre class="unsafe-fs-fetch-raw"></pre>
+<pre class="unsafe-fs-fetch-raw-query1-status"></pre>
+<pre class="unsafe-fs-fetch-raw-query1"></pre>
+<pre class="unsafe-fs-fetch-raw-query2-status"></pre>
+<pre class="unsafe-fs-fetch-raw-query2"></pre>
 <pre class="unsafe-fs-fetch-8498-status"></pre>
 <pre class="unsafe-fs-fetch-8498"></pre>
 <pre class="unsafe-fs-fetch-8498-2-status"></pre>
@@ -209,6 +213,40 @@ <h2>Denied</h2>
       console.error(e)
     })
 
+  fetch(
+    joinUrlSegments(
+      base,
+      joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw??',
+    ),
+  )
+    .then((r) => {
+      text('.unsafe-fs-fetch-raw-query1-status', r.status)
+      return r.json()
+    })
+    .then((data) => {
+      text('.unsafe-fs-fetch-raw-query1', JSON.stringify(data))
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
+  fetch(
+    joinUrlSegments(
+      base,
+      joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw?&',
+    ),
+  )
+    .then((r) => {
+      text('.unsafe-fs-fetch-raw-query2-status', r.status)
+      return r.json()
+    })
+    .then((data) => {
+      text('.unsafe-fs-fetch-raw-query2', JSON.stringify(data))
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
   // outside root with special characters #8498
   fetch(
     joinUrlSegments(