vite.config.test.ts
import { beforeAll, describe, expect, it } from 'bun:test'
import path from 'path'
import { createServer, loadConfigFromFile } from 'vite'
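// Directory holding this test file and vite.config.ts; every path below is resolved against it.
const ROOT = path.resolve(import.meta.dirname)

/**
 * Vite's `server.fs` configuration must use a strict allowlist so the dev
 * server only exposes frontend source code. Without this, the `@fs` endpoint
 * leaks backend source, config, and other sensitive files to any HTTP client.
 *
 * Scope of this suite: it inspects `server.fs.strict` and `server.fs.allow`
 * only. Path comparisons are lexical (`path.resolve` does not follow
 * symlinks), so a symlink inside an allowed directory that points at a
 * sensitive one is not detected here.
 *
 * See: https://vitejs.dev/config/server-options.html#server-fs-allow
 */
describe('vite server.fs allowlist', () => {
  let resolvedAllow: string[]
  let serverFsConfig: { strict: boolean; allow: string[] }

  /**
   * Returns true when `child` is `parent` itself or lies underneath it.
   *
   * Uses `path.relative` rather than a `parent + path.sep` prefix test: the
   * prefix form never matches when `parent` is the filesystem root (it would
   * look for a doubled separator), so an allow entry of `/` would slip through.
   */
  const isSameOrInside = (parent: string, child: string): boolean => {
    const rel = path.relative(parent, child)
    if (rel === '') return true
    // `..` or `../x` means child is outside parent; an absolute result means a different drive.
    const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)
    return !escapes
  }

  beforeAll(async () => {
    const loaded = await loadConfigFromFile(
      { command: 'serve', mode: 'development' },
      path.join(ROOT, 'vite.config.ts'),
    )
    if (!loaded) throw new Error('Failed to load vite config')

    // Create a minimal server to resolve the full fs config (merges Vite defaults).
    // Only the `server` section of the loaded config is passed on and plugins are
    // replaced with an empty list, so an allow entry contributed by a plugin would
    // not be visible here.
    // NOTE(review): confirm no plugin in vite.config.ts modifies server.fs.
    let server: Awaited<ReturnType<typeof createServer>> | undefined
    try {
      server = await createServer({
        root: ROOT,
        configFile: false,
        server: loaded.config.server,
        plugins: [],
      })
      serverFsConfig = server.config.server.fs
      resolvedAllow = serverFsConfig.allow.map((p) => path.resolve(p))
    } finally {
      // Always release the server, even when config resolution throws.
      await server?.close()
    }
  })

  it('enables strict filesystem access', () => {
    expect(serverFsConfig.strict).toBe(true)
  })

  it('defines an explicit allow list', () => {
    // A non-empty list also keeps the per-entry loops below from passing vacuously.
    expect(resolvedAllow).toBeArray()
    expect(resolvedAllow.length).toBeGreaterThan(0)
  })

  /**
   * Registers a test asserting that `dirName` (relative to ROOT) does not
   * overlap any allow entry in either direction.
   */
  const assertDirectoryNotAllowed = (dirName: string) => {
    it(`does not allow the ${dirName} directory`, () => {
      const targetDir = path.resolve(ROOT, dirName)
      for (const allowed of resolvedAllow) {
        // Check both directions: the sensitive dir is an allowed path (or child),
        // AND no allowed path is a subdirectory of the sensitive dir.
        const overlaps = isSameOrInside(allowed, targetDir) || isSameOrInside(targetDir, allowed)
        expect(overlaps).toBe(false)
      }
    })
  }

  assertDirectoryNotAllowed('backend')
  assertDirectoryNotAllowed('deploy')

  it('does not allow the project root directly (would expose everything)', () => {
    for (const allowed of resolvedAllow) {
      // An ancestor of ROOT exposes at least as much as ROOT itself, so reject both.
      expect(isSameOrInside(allowed, ROOT)).toBe(false)
    }
  })

  it('allows frontend source directories', () => {
    const expectedDirs = ['src', 'shared', 'public', 'node_modules']
    for (const dir of expectedDirs) {
      expect(resolvedAllow).toContain(path.resolve(ROOT, dir))
    }
  })
})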