fix(importAnalysis): strip url base before passing as safeModulePaths #13712
Conversation
patak-dev
added
the
p4-important
| }, | ||
| } | ||
|
|
||
| const rewriteTestRootOptions = { |
There was a problem hiding this comment.
You cannot directly use the configuration from vite.config-base.js here. In vite.config-base.js, the variable __dirname is used, which returns a value based on "playground" instead of "playground-temp" that is used for testing. I guess this may be a bug. That's why I am using "serve" to start the testing server instead of relying on vite.config-base.js.
There was a problem hiding this comment.
The config file read in __tests__ from vite.config.js is different from the one read in playground-temp, especially when it involves expressions like __dirname.
like:
{
build: {
rollupOptions: {
input: {
main: path.resolve(__dirname, 'src/index.html'),
},
},
},
server: {
fs: {
strict: true,
allow: [path.resolve(__dirname, 'src')],
},
}There was a problem hiding this comment.
This is strange, we are using __dirname in the worker and assets playgrounds too in the configs. Maybe there is an issue here because the root is set?
There was a problem hiding this comment.
You were correct, I sent a PR to fix the config variants handling here:
This comment was marked as off-topic.
This comment was marked as off-topic.
These are flaky tests. We're having issues with them since last week, it is unrelated to this PR. |
| @@ -556,8 +556,10 @@ export function importAnalysisPlugin(config: ResolvedConfig): Plugin { | |||
| } | |||
| } | |||
|
|
|||
| // record as safe modules | |||
| server?.moduleGraph.safeModulesPath.add(fsPathFromUrl(url)) | |||
| // record as safe modules # stripBase: https://github.com/vitejs/vite/issues/9438#issuecomment-1486662486 | |||
There was a problem hiding this comment.
it we're going to link to a comment it should probably be #9438 (comment), but it'd be nicer to just explain why it's necessary here rather than making someone copy paste a URL into their browser to read the explanation (same below)
There was a problem hiding this comment.
I tried to fix it. Thanks for guiding me on this PR.
| // When the base path is set, the safeModulesPath does not include the base prefix internally. | ||
| // Therefore, when retrieving a file from safeModulesPath, the base path should be stripped. | ||
| // See https://github.com/vitejs/vite/issues/9438#issuecomment-1465270409 | ||
| const file = fsPathFromUrl(stripBase(url, server.config.rawBase)) |
There was a problem hiding this comment.
This function is called from serveRawFsMiddleware/serveStaticMiddleware/transformMiddleware that runs after baseMiddleware (this middleware strips the base). So I think we shouldn't run stripBase here.
vite/packages/vite/src/node/server/index.ts
Lines 614 to 646 in 1292ad0
There was a problem hiding this comment.
So that's how it is. I remove stripBase here
| // inside allowed dir, safe fetch | ||
| fetch('/src/safe.txt') | ||
| fetch(base + '/src/safe.txt') |
There was a problem hiding this comment.
if we've got /base/ then we'll end up with a //. This should probably use joinUrlSegments or path.posix.join
There was a problem hiding this comment.
i use joinUrlSegments to fix that
Co-authored-by: Ben McCann <[email protected]>
The config will be loaded automatically as vitejs#13725 is merged
|
IIUC, this issue can't be exploited, no? In that case, let's merge it for Vite 5 (we'll start the beta soon). @sapphi-red let me know if you think it is important to get this one in a patch though. |
bluwy
changed the title
|
I'm not sure if we need to hold off this change. I think it'd be nice to fix as patch though. |
|
I think this issue can't be exploited. But I think it'd be good to merge this in a patch. |
update call stripBase in utils.ts before passing to fsPathFromUrl (fix #9438)
Description
Additional context
What is the purpose of this pull request?
Before submitting the PR, please make sure you do the following
fixes #123).