( config: ResolvedConfig, filePath: string, )
| 292 | * Warning: parameters are not validated, only works with normalized absolute paths |
| 293 | */ |
| 294 | export function isFileLoadingAllowed( |
| 295 | config: ResolvedConfig, |
| 296 | filePath: string, |
| 297 | ): boolean { |
| 298 | const { fs } = config.server |
| 299 | |
| 300 | if (!fs.strict) return true |
| 301 | |
| 302 | if (isWindows && filePath.includes('~')) { |
| 303 | // `~` is used for Windows 8.3 short names, which can be used to bypass the check. |
| 304 | // While is it valid to have files with `~` in the path, we disallow it to be safe. |
| 305 | return false |
| 306 | } |
| 307 | |
| 308 | const hasDriveLetter = isWindows && windowsDriveRE.test(filePath) |
| 309 | const hasColon = (hasDriveLetter ? filePath.slice(2) : filePath).includes(':') |
| 310 | if (hasColon) { |
| 311 | // the `:` is included in the path which may be used for NTFS ADS |
| 312 | return false |
| 313 | } |
| 314 | |
| 315 | // NOTE: `fs.readFile('/foo.png/')` tries to load `'/foo.png'` |
| 316 | // so we should check the path without trailing slash |
| 317 | const filePathWithoutTrailingSlash = filePath.endsWith('/') |
| 318 | ? filePath.slice(0, -1) |
| 319 | : filePath |
| 320 | if (config.fsDenyGlob(filePathWithoutTrailingSlash)) return false |
| 321 | |
| 322 | if (config.safeModulePaths.has(filePath)) return true |
| 323 | |
| 324 | if (fs.allow.some((uri) => isFileInTargetPath(uri, filePath))) return true |
| 325 | |
| 326 | return false |
| 327 | } |
| 328 | |
| 329 | export function checkLoadingAccess( |
| 330 | config: ResolvedConfig, |
no test coverage detected