perf: cache compiled glob for server.fs.deny (#10044)

Author: sapphi-red

docs/config/server-options.md

@@ -297,10 +297,9 @@ export default defineConfig({
 ## server.fs.deny
 
 - **Type:** `string[]`
+- **Default:** `['.env', '.env.*', '*.{pem,crt}']`
 
-Blocklist for sensitive files being restricted to be served by Vite dev server.
-
-Default to `['.env', '.env.*', '*.{pem,crt}']`.
+Blocklist for sensitive files being restricted to be served by Vite dev server. This will have higher priority than [`server.fs.allow`](#server-fs-allow). [picomatch patterns](https://github.com/micromatch/picomatch#globbing-features) are supported.
 
 ## server.origin
 

package.json

@@ -51,6 +51,7 @@
     "@types/micromatch": "^4.0.2",
     "@types/minimist": "^1.2.2",
     "@types/node": "^17.0.42",
+    "@types/picomatch": "^2.3.0",
     "@types/prompts": "^2.0.14",
     "@types/resolve": "^1.20.2",
     "@types/sass": "~1.43.1",

packages/vite/package.json

@@ -105,6 +105,7 @@
     "parse5": "^7.1.1",
     "periscopic": "^3.0.4",
     "picocolors": "^1.0.0",
+    "picomatch": "^2.3.1",
     "postcss-import": "^15.0.0",
     "postcss-load-config": "^4.0.1",
     "postcss-modules": "^5.0.0",

packages/vite/src/node/server/index.ts

@@ -11,6 +11,8 @@ import type { FSWatcher, WatchOptions } from 'types/chokidar'
 import type { Connect } from 'types/connect'
 import launchEditorMiddleware from 'launch-editor-middleware'
 import type { SourceMap } from 'rollup'
+import picomatch from 'picomatch'
+import type { Matcher } from 'picomatch'
 import type { CommonServerOptions } from '../http'
 import {
   httpServerStart,
@@ -143,7 +145,7 @@ export interface FileSystemServeOptions {
    * Restrict accessing files that matches the patterns.
    *
    * This will have higher priority than `allow`.
-   * Glob patterns are supported.
+   * picomatch patterns are supported.
    *
    * @default ['.env', '.env.*', '*.crt', '*.pem']
    */
@@ -283,6 +285,10 @@ export interface ViteDevServer {
       abort: () => void
     }
   >
+  /**
+   * @internal
+   */
+  _fsDenyGlob: Matcher
 }
 
 export interface ResolvedServerUrls {
@@ -426,7 +432,8 @@ export async function createServer(
     _restartPromise: null,
     _importGlobMap: new Map(),
     _forceOptimizeOnRestart: false,
-    _pendingRequests: new Map()
+    _pendingRequests: new Map(),
+    _fsDenyGlob: picomatch(config.server.fs.deny, { matchBase: true })
   }
 
   server.transformIndexHtml = createDevHtmlTransformFn(server)

packages/vite/src/node/server/middlewares/static.ts

@@ -3,7 +3,6 @@ import type { OutgoingHttpHeaders, ServerResponse } from 'node:http'
 import type { Options } from 'sirv'
 import sirv from 'sirv'
 import type { Connect } from 'types/connect'
-import micromatch from 'micromatch'
 import type { ViteDevServer } from '../..'
 import { FS_PREFIX } from '../../constants'
 import {
@@ -18,8 +17,6 @@ import {
   slash
 } from '../../utils'
 
-const { isMatch } = micromatch
-
 const sirvOptions = (headers?: OutgoingHttpHeaders): Options => {
   return {
     dev: true,
@@ -158,8 +155,6 @@ export function serveRawFsMiddleware(
   }
 }
 
-const _matchOptions = { matchBase: true }
-
 export function isFileServingAllowed(
   url: string,
   server: ViteDevServer
@@ -168,8 +163,7 @@ export function isFileServingAllowed(
 
   const file = fsPathFromUrl(url)
 
-  if (server.config.server.fs.deny.some((i) => isMatch(file, i, _matchOptions)))
-    return false
+  if (server._fsDenyGlob(file)) return false
 
   if (server.moduleGraph.safeModulesPath.has(file)) return true