chore: Enable vite.server.fs.strict internally by default (#1842)
GrygrFlzr committed Jul 7, 2021
1 parent 7ab4fe6 commit 4d2fec5
Showing 4 changed files with 63 additions and 4 deletions.
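--- a/.changeset/silly-grapes-cover.md
+++ b/.changeset/silly-grapes-cover.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+Enable Vite's server.fs.strict by default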
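--- a/documentation/faq/90-fs-strict.md
+++ b/documentation/faq/90-fs-strict.md
@@ -0,0 +1,10 @@
+---
+question: "Internal server error: The request url [...] is outside of Vite serving allow list"
+---
+
+For security reasons, Vite has been configured to only allow filesystem access when the request file fulfils one of these requirements:
+- Within workspace root
+- Within the listed `server.fs.allow` exceptions
+- Part of the dependency graph of your application code
+
+Refer to Vite documentation for [`server.fs.allow`](https://vitejs.dev/config/#server-fs-allow) for configuration and more details.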
39 changes: 36 additions & 3 deletions packages/kit/src/core/build/index.js
Expand Up @@ -134,8 +134,19 @@ async function build_client({
/** @type {any} */
const user_config = config.kit.vite();

const default_config = {
server: {
fs: {
strict: true
}
}
};

// don't warn on overriding defaults
const [modified_user_config] = deep_merge(default_config, user_config);

/** @type {[any, string[]]} */
const [merged_config, conflicts] = deep_merge(user_config, {
const [merged_config, conflicts] = deep_merge(modified_user_config, {
configFile: false,
root: cwd,
base,
Expand Down Expand Up @@ -408,8 +419,19 @@ async function build_server(
/** @type {any} */
const user_config = config.kit.vite();

const default_config = {
server: {
fs: {
strict: true
}
}
};

// don't warn on overriding defaults
const [modified_user_config] = deep_merge(default_config, user_config);

/** @type {[any, string[]]} */
const [merged_config, conflicts] = deep_merge(user_config, {
const [merged_config, conflicts] = deep_merge(modified_user_config, {
configFile: false,
root: cwd,
base,
Expand Down Expand Up @@ -515,8 +537,19 @@ async function build_service_worker(
/** @type {any} */
const user_config = config.kit.vite();

const default_config = {
server: {
fs: {
strict: true
}
}
};

// don't warn on overriding defaults
const [modified_user_config] = deep_merge(default_config, user_config);

/** @type {[any, string[]]} */
const [merged_config, conflicts] = deep_merge(user_config, {
const [merged_config, conflicts] = deep_merge(modified_user_config, {
configFile: false,
root: cwd,
base,
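Review bot: The `default_config` literal and the `deep_merge(default_config, user_config)` step are pasted identically into build_client, build_server and build_service_worker (and a fourth time in dev/index.js), so a later change to this security default has to be made in four places and the copies can drift apart. Declare it once at module scope, e.g. `const default_vite_config = { server: { fs: { strict: true } } };`, and keep only `const [modified_user_config] = deep_merge(default_vite_config, user_config);` in each function; this assumes deep_merge does not mutate its arguments, which is not visible here. `server.fs.strict` restricts which files Vite's dev server will serve, so it probably has no effect in these build paths; if it is merged here only for consistency, a comment such as `// server.fs.* only affects the dev server; kept here so all configs share the same defaults` would say so. All three function bodies start and end outside their hunks.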
13 changes: 12 additions & 1 deletion packages/kit/src/core/dev/index.js
Expand Up @@ -82,15 +82,26 @@ class Watcher extends EventEmitter {
/** @type {any} */
const user_config = (this.config.kit.vite && this.config.kit.vite()) || {};

const default_config = {
server: {
fs: {
strict: true
}
}
};

/** @type {(req: import("http").IncomingMessage, res: import("http").ServerResponse) => void} */
let handler = (req, res) => {};

this.server = await get_server(this.https, user_config, (req, res) => handler(req, res));

const alias = user_config.resolve && user_config.resolve.alias;

// don't warn on overriding defaults
const [modified_user_config] = deep_merge(default_config, user_config);

/** @type {[any, string[]]} */
const [merged_config, conflicts] = deep_merge(user_config, {
const [merged_config, conflicts] = deep_merge(modified_user_config, {
configFile: false,
root: this.cwd,
resolve: {
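Review bot: The merge at `const [modified_user_config] = deep_merge(default_config, user_config);` appears to let the project's own config win and discards the conflict list, so a `kit.vite` config that sets `server.fs.strict: false` turns the allow-list check off with nothing in the dev output to show it. Since this is the path that actually serves files, consider surfacing that case after the merge, e.g. `if (modified_user_config.server.fs.strict === false) console.warn('server.fs.strict is disabled: the dev server is not restricted to the serving allow list');`. `default_config` is also declared well before its only use, and `get_server` still receives the raw `user_config`; whether that matters depends on get_server, which is outside this hunk. The enclosing Watcher method starts and ends outside the hunk.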
