From 4b35a8a022f8ddff76680642c8e7189ada19c256 Mon Sep 17 00:00:00 2001 From: GrygrFlzr Date: Wed, 7 Jul 2021 09:15:55 +0700 Subject: [PATCH 1/3] chore: Enable vite.server.fs.strict internally by default --- .changeset/silly-grapes-cover.md | 5 +++++ packages/kit/src/core/build/index.js | 30 +++++++++++++++++++++++++--- packages/kit/src/core/dev/index.js | 10 +++++++++- 3 files changed, 41 insertions(+), 4 deletions(-) create mode 100644 .changeset/silly-grapes-cover.md diff --git a/.changeset/silly-grapes-cover.md b/.changeset/silly-grapes-cover.md new file mode 100644 index 000000000000..a9c7c986e125 --- /dev/null +++ b/.changeset/silly-grapes-cover.md @@ -0,0 +1,5 @@ +--- +'@sveltejs/kit': patch +--- + +Enable Vite's server.fs.strict by default diff --git a/packages/kit/src/core/build/index.js b/packages/kit/src/core/build/index.js index 8ce8a11020f9..e9cd8f4512db 100644 --- a/packages/kit/src/core/build/index.js +++ b/packages/kit/src/core/build/index.js @@ -134,8 +134,16 @@ async function build_client({ /** @type {any} */ const user_config = config.kit.vite(); + const default_config = { + server: { + fs: { + strict: true + } + } + }; + /** @type {[any, string[]]} */ - const [merged_config, conflicts] = deep_merge(user_config, { + const [merged_config, conflicts] = deep_merge(default_config, user_config, { configFile: false, root: cwd, base, @@ -408,8 +416,16 @@ async function build_server( /** @type {any} */ const user_config = config.kit.vite(); + const default_config = { + server: { + fs: { + strict: true + } + } + }; + /** @type {[any, string[]]} */ - const [merged_config, conflicts] = deep_merge(user_config, { + const [merged_config, conflicts] = deep_merge(default_config, user_config, { configFile: false, root: cwd, base, 
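Review bot: The same `default_config` literal is pasted into `build_client` and `build_server` here, and again into `build_service_worker` and the `Watcher` hunk in dev/index.js, so the `server.fs.strict` default lives in four places and can drift when one copy is edited. As far as I know Vite reads `server.fs.*` only in its dev server, so the three copies in build/index.js probably restrict nothing at build time; if they are kept for symmetry, a comment should say so. I would define the default once in a shared module, e.g. `export const default_vite_config = { server: { fs: { strict: true } } };`, and import it where needed, provided `deep_merge` does not mutate its arguments (its body is not visible here). The enclosing functions start and end outside these hunks.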
@@ -515,8 +531,16 @@ async function build_service_worker( /** @type {any} */ const user_config = config.kit.vite(); + const default_config = { + server: { + fs: { + strict: true + } + } + }; + /** @type {[any, string[]]} */ - const [merged_config, conflicts] = deep_merge(user_config, { + const [merged_config, conflicts] = deep_merge(default_config, user_config, { configFile: false, root: cwd, base, diff --git a/packages/kit/src/core/dev/index.js b/packages/kit/src/core/dev/index.js index 70f6caf32622..8f45c63645bb 100644 --- a/packages/kit/src/core/dev/index.js +++ b/packages/kit/src/core/dev/index.js @@ -82,6 +82,14 @@ class Watcher extends EventEmitter { /** @type {any} */ const user_config = (this.config.kit.vite && this.config.kit.vite()) || {}; + const default_config = { + server: { + fs: { + strict: true + } + } + }; + /** @type {(req: import("http").IncomingMessage, res: import("http").ServerResponse) => void} */ let handler = (req, res) => {}; @@ -90,7 +98,7 @@ class Watcher extends EventEmitter { const alias = user_config.resolve && user_config.resolve.alias; /** @type {[any, string[]]} */ - const [merged_config, conflicts] = deep_merge(user_config, { + const [merged_config, conflicts] = deep_merge(default_config, user_config, { configFile: false, root: this.cwd, resolve: { From 734c8fc8fb59e78975ae65b6753acec25855d4f0 Mon Sep 17 00:00:00 2001 From: GrygrFlzr Date: Wed, 7 Jul 2021 09:22:54 +0700 Subject: [PATCH 2/3] chore: actually make the option optional --- packages/kit/src/core/build/index.js | 15 ++++++++++++--- packages/kit/src/core/dev/index.js | 5 ++++- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/packages/kit/src/core/build/index.js b/packages/kit/src/core/build/index.js index e9cd8f4512db..da8cb87ff7f6 100644 --- a/packages/kit/src/core/build/index.js +++ b/packages/kit/src/core/build/index.js 
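Review bot: `default_config` in the first `Watcher` hunk of dev/index.js turns on a filesystem restriction for the dev server but has no comment saying why, and it is the only untyped declaration among JSDoc-annotated neighbours. I would add `// confine dev-server file access to the workspace root, server.fs.allow entries and the app's import graph` above it. If the file is type-checked, `/** @type {import('vite').UserConfig} */` on the same declaration would catch a misspelled key that would otherwise leave the restriction off without any error. The method body continues outside the hunk.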
@@ -142,8 +142,11 @@ async function build_client({ } }; + // don't warn on overriding defaults + const [modified_user_config] = deep_merge(default_config, user_config); + /** @type {[any, string[]]} */ - const [merged_config, conflicts] = deep_merge(default_config, user_config, { + const [merged_config, conflicts] = deep_merge(modified_user_config, { configFile: false, root: cwd, base, @@ -424,8 +427,11 @@ async function build_server( } }; + // don't warn on overriding defaults + const [modified_user_config] = deep_merge(default_config, user_config); + /** @type {[any, string[]]} */ - const [merged_config, conflicts] = deep_merge(default_config, user_config, { + const [merged_config, conflicts] = deep_merge(modified_user_config, { configFile: false, root: cwd, base, @@ -539,8 +545,11 @@ async function build_service_worker( } }; + // don't warn on overriding defaults + const [modified_user_config] = deep_merge(default_config, user_config); + /** @type {[any, string[]]} */ - const [merged_config, conflicts] = deep_merge(default_config, user_config, { + const [merged_config, conflicts] = deep_merge(modified_user_config, { configFile: false, root: cwd, base, diff --git a/packages/kit/src/core/dev/index.js b/packages/kit/src/core/dev/index.js index 8f45c63645bb..d08da148b7b2 100644 --- a/packages/kit/src/core/dev/index.js +++ b/packages/kit/src/core/dev/index.js @@ -97,8 +97,11 @@ class Watcher extends EventEmitter { const alias = user_config.resolve && user_config.resolve.alias; + // don't warn on overriding defaults + const [modified_user_config] = deep_merge(default_config, user_config); + /** @type {[any, string[]]} */ - const [merged_config, conflicts] = deep_merge(default_config, user_config, { + const [merged_config, conflicts] = deep_merge(modified_user_config, { configFile: false, root: this.cwd, resolve: { From d545427c05d320769dae3b8b4a1c1199d7db97cf Mon Sep 17 00:00:00 2001 
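Review bot: The first merge drops its conflict list (`const [modified_user_config] = deep_merge(default_config, user_config);`), so a project whose `kit.vite` config sets `server.fs.strict: false` switches the restriction off with nothing in the output to show it; the same line is repeated in `build_server`, `build_service_worker` and the `Watcher` hunk in dev/index.js. Skipping the generic override warning is reasonable, but for a security default I would print one notice in dev/index.js after the second merge, which completes outside the hunk: `if (merged_config.server.fs.strict === false) console.warn('server.fs.strict is disabled: the dev server can serve files outside the allow list');`. This assumes later arguments win in `deep_merge`, which the comment implies but the hunk does not show. The name `modified_user_config` also reads as if the user's object were edited; `config_with_defaults` would describe it better.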
From: GrygrFlzr
Date: Wed, 7 Jul 2021 09:31:18 +0700
Subject: [PATCH 3/3] chore: document new default Vite server.fs.strict behavior
---
documentation/faq/90-fs-strict.md | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 documentation/faq/90-fs-strict.md
diff --git a/documentation/faq/90-fs-strict.md b/documentation/faq/90-fs-strict.md
new file mode 100644
index 000000000000..26f0f19803be
--- /dev/null
+++ b/documentation/faq/90-fs-strict.md
@@ -0,0 +1,10 @@
+---
+question: "Internal server error: The request url [...] is outside of Vite serving allow list"
+---
+
+For security reasons, Vite has been configured to only allow filesystem access when the request file fulfils one of these requirements:
+- Within workspace root
+- Within the listed `server.fs.allow` exceptions
+- Part of the dependency graph of your application code
+
+Refer to Vite documentation for [`server.fs.allow`](https://vitejs.dev/config/#server-fs-allow) for configuration and more details.