fix: backport #18112, fs raw query

Author: patak-dev

packages/vite/src/node/plugins/asset.ts

@@ -29,8 +29,8 @@ export const duplicateAssets = new WeakMap<
   Map<string, OutputAsset>
 >()
 
-const rawRE = /(\?|&)raw(?:&|$)/
-const urlRE = /(\?|&)url(?:&|$)/
+export const rawRE = /(\?|&)raw(?:&|$)/
+export const urlRE = /(\?|&)url(?:&|$)/
 
 const assetCache = new WeakMap<ResolvedConfig, Map<string, string>>()
 

packages/vite/src/node/server/middlewares/static.ts

@@ -174,7 +174,7 @@ export function isFileServingAllowed(
   return false
 }
 
-function ensureServingAccess(
+export function ensureServingAccess(
   url: string,
   server: ViteDevServer,
   res: ServerResponse,

packages/vite/src/node/server/middlewares/transform.ts

@@ -35,6 +35,8 @@ import {
   ERR_OUTDATED_OPTIMIZED_DEP
 } from '../../plugins/optimizedDeps'
 import { getDepsOptimizer } from '../../optimizer'
+import { rawRE, urlRE } from '../../plugins/asset'
+import { ensureServingAccess } from './static'
 
 const debugCache = createDebugger('vite:cache')
 const isDebug = !!process.env.DEBUG
@@ -147,6 +149,13 @@ export function transformMiddleware(
         }
       }
 
+      if (
+        (rawRE.test(url) || urlRE.test(url)) &&
+        !ensureServingAccess(url, server, res, next)
+      ) {
+        return
+      }
+
       if (
         isJSRequest(url) ||
         isImportRequest(url) ||

playground/fs-serve/__tests__/fs-serve.spec.ts

@@ -76,6 +76,11 @@ describe.runIf(isServe)('main', () => {
     expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403')
   })
 
+  test('unsafe fs fetch', async () => {
+    expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('')
+    expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403')
+  })
+
   test('unsafe fs fetch with special characters (#8498)', async () => {
     expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
     expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('403')

playground/fs-serve/root/src/index.html

@@ -35,6 +35,8 @@ <h2>Safe /@fs/ Fetch</h2>
 <h2>Unsafe /@fs/ Fetch</h2>
 <pre class="unsafe-fs-fetch-status"></pre>
 <pre class="unsafe-fs-fetch"></pre>
+<pre class="unsafe-fs-fetch-raw-status"></pre>
+<pre class="unsafe-fs-fetch-raw"></pre>
 <pre class="unsafe-fs-fetch-8498-status"></pre>
 <pre class="unsafe-fs-fetch-8498"></pre>
 <pre class="unsafe-fs-fetch-8498-2-status"></pre>
@@ -166,6 +168,24 @@ <h2>Denied</h2>
       console.error(e)
     })
 
+  // not imported before, outside of root, treated as unsafe
+  fetch(
+    joinUrlSegments(
+      base,
+      joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw',
+    ),
+  )
+    .then((r) => {
+      text('.unsafe-fs-fetch-raw-status', r.status)
+      return r.json()
+    })
+    .then((data) => {
+      text('.unsafe-fs-fetch-raw', JSON.stringify(data))
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
   // outside root with special characters #8498
   fetch('/@fs/' + ROOT + '/root/src/%2e%2e%2f%2e%2e%2funsafe%2ejson')
     .then((r) => {