From 897cf3c02261dd853afdbe5c4bfa2959449fa8c3 Mon Sep 17 00:00:00 2001
From: sapphi-red <49056869+sapphi-red@users.noreply.github.com>
Date: Sun, 24 Mar 2024 23:00:05 +0900
Subject: [PATCH] fix: `fs.deny` with globs with directories (#16250)

---
 .../__tests__/deny/fs-serve-deny.spec.ts      | 18 +++++++++++++++
 .../fs-serve/__tests__/deny/vite.config.js    |  1 +
 packages/playground/fs-serve/package.json     |  5 ++++-
 .../playground/fs-serve/root/src/deny/.deny   |  1 +
 .../fs-serve/root/src/deny/deny.txt           |  1 +
 .../fs-serve/root/vite.config-deny.js         | 22 +++++++++++++++++++
 .../src/node/server/middlewares/static.ts     | 12 +++++++---
 7 files changed, 56 insertions(+), 4 deletions(-)
 create mode 100644 packages/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts
 create mode 100644 packages/playground/fs-serve/__tests__/deny/vite.config.js
 create mode 100644 packages/playground/fs-serve/root/src/deny/.deny
 create mode 100644 packages/playground/fs-serve/root/src/deny/deny.txt
 create mode 100644 packages/playground/fs-serve/root/vite.config-deny.js

diff --git a/packages/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts b/packages/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts
new file mode 100644
index 00000000000000..19a78dee021a2d
--- /dev/null
+++ b/packages/playground/fs-serve/__tests__/deny/fs-serve-deny.spec.ts
@@ -0,0 +1,18 @@
+import { isBuild } from '../../../testUtils'
+
+describe('main', () => {
+  if (!isBuild) {
+    test('**/deny/** should deny src/deny/deny.txt', async () => {
+      const res = await page.request.fetch(
+        new URL('/src/deny/deny.txt', viteTestUrl).href
+      )
+      expect(res.status()).toBe(403)
+    })
+    test('**/deny/** should deny src/deny/.deny', async () => {
+      const res = await page.request.fetch(
+        new URL('/src/deny/.deny', viteTestUrl).href
+      )
+      expect(res.status()).toBe(403)
+    })
+  }
+})
diff --git a/packages/playground/fs-serve/__tests__/deny/vite.config.js b/packages/playground/fs-serve/__tests__/deny/vite.config.js
new file mode 100644
index 00000000000000..8c7726526c2f8b
--- /dev/null
+++ b/packages/playground/fs-serve/__tests__/deny/vite.config.js
@@ -0,0 +1 @@
+module.exports = require('../../root/vite.config-deny')
diff --git a/packages/playground/fs-serve/package.json b/packages/playground/fs-serve/package.json
index 45497d2a3c5e8a..896a81d31e8e55 100644
--- a/packages/playground/fs-serve/package.json
+++ b/packages/playground/fs-serve/package.json
@@ -6,6 +6,9 @@
     "dev": "vite root",
     "build": "vite build root",
     "debug": "node --inspect-brk ../../vite/bin/vite",
-    "preview": "vite preview"
+    "preview": "vite preview",
+    "dev:deny": "vite root --config ./root/vite.config-deny.js",
+    "build:deny": "vite build root --config ./root/vite.config-deny.js",
+    "preview:deny": "vite preview root --config ./root/vite.config-deny.js"
   }
 }
diff --git a/packages/playground/fs-serve/root/src/deny/.deny b/packages/playground/fs-serve/root/src/deny/.deny
new file mode 100644
index 00000000000000..73bd3960853c61
--- /dev/null
+++ b/packages/playground/fs-serve/root/src/deny/.deny
@@ -0,0 +1 @@
+.deny
diff --git a/packages/playground/fs-serve/root/src/deny/deny.txt b/packages/playground/fs-serve/root/src/deny/deny.txt
new file mode 100644
index 00000000000000..f9df83416f8a72
--- /dev/null
+++ b/packages/playground/fs-serve/root/src/deny/deny.txt
@@ -0,0 +1 @@
+deny
diff --git a/packages/playground/fs-serve/root/vite.config-deny.js b/packages/playground/fs-serve/root/vite.config-deny.js
new file mode 100644
index 00000000000000..dd6bc2ab734acf
--- /dev/null
+++ b/packages/playground/fs-serve/root/vite.config-deny.js
@@ -0,0 +1,22 @@
+import path from 'node:path'
+import { defineConfig } from 'vite'
+
+export default defineConfig({
+  build: {
+    rollupOptions: {
+      input: {
+        main: path.resolve(__dirname, 'src/index.html')
+      }
+    }
+  },
+  server: {
+    fs: {
+      strict: true,
+      allow: [path.resolve(__dirname, 'src')],
+      deny: ['**/deny/**']
+    }
+  },
+  define: {
+    ROOT: JSON.stringify(path.dirname(__dirname).replace(/\\/g, '/'))
+  }
+})
diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index aa1fe419f913f1..330bf4fc47d78a 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -156,7 +156,11 @@ export function serveRawFsMiddleware(
   }
 }
 
-const _matchOptions = { matchBase: true, nocase: true }
+const _matchOptions = {
+  matchBase: false,
+  nocase: true,
+  dot: true
+}
 
 export function isFileServingAllowed(
   url: string,
@@ -166,8 +170,10 @@ export function isFileServingAllowed(
 
   const file = fsPathFromUrl(url)
 
-  if (server.config.server.fs.deny.some((i) => isMatch(file, i, _matchOptions)))
-    return false
+  const deny = server.config.server.fs.deny.map((pattern) =>
+    pattern.includes('/') ? pattern : `**/${pattern}`
+  )
+  if (deny.some((i) => isMatch(file, i, _matchOptions))) return false
 
   if (server.moduleGraph.safeModulesPath.has(file)) return true