feat: server.fs.deny support #5378

Merged Oct 27, 2021 (5 commits)

antfu (Member) commented Oct 21, 2021

Description

Support excluding files from being served by Vite. .env, .pem, .crt will be excluded by default.

Additional context

Open for discussion, will do documentation later.

Related:


benmccann (Collaborator) commented Oct 21, 2021

I think it should be called deny to be consistent with allow (if it were called denied then it should also be allowed)

But I'm rather hesitant about this. Blacklisting seems like a dangerous approach for anything security-related because there's always some file you could forget or overlook. Much safer to go with a whitelist approach, which I think would be solved by #5361

patak-dev (Member) commented

> But I'm rather hesitant about this. Blacklisting seems like a dangerous approach for anything security-related because there's always some file you could forget or overlook. Much safer to go with a whitelist approach, which I think would be solved by #5361

#5361 would still be merged, this PR is complementary. Whitelisting is also quite hard for Vite in general, as we would need to not only filter by folder like you do in SvelteKit but also by file type. So something like /index.html + /src/ + /public/ could work but maybe users have a different folder structure.

I think both options need to be available, and then frameworks can decide how to use them. The current defaults look good to me too.

antfu changed the title from "feat: server.fs.denied support" to "feat: server.fs.deny support" Oct 22, 2021

Shinigami92 (Member) left a comment

I think docs are missing

Nice feature :)

Review thread on packages/vite/src/node/server/index.ts (outdated, resolved)
Shinigami92 added the needs documentation and p2-nice-to-have labels Oct 22, 2021
antfu force-pushed the feat/vite-fs-disallow branch from db05b1a to fa86b17 October 24, 2021 16:22

patak-dev (Member) previously approved these changes Oct 24, 2021

We didn't manage to discuss this one with Evan, but I think it should be safe to include it in the beta release this week as it is marked experimental and it is an extension that was already discussed as a possibility in the past.

One detail: we are allowing files that are directly imported by allowed files to be served even if they aren't in an allowed folder. Maybe we should do the same for deny? At this point, I'm leaning towards a hard deny. We could leave the PR as is and only do a soft deny using the module graph if a use case justifies it (which I don't think would be the case).
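The decision order discussed in this thread, sketched as an added example (not code from the PR or from Vite): the deny list is checked first as a hard deny, then the allow roots, then the module-graph exception for imported files. The function names, the simplified glob matcher, base-name matching and the sample paths are assumptions constructed for illustration.

```javascript
// Added illustration, not Vite's implementation. Paths are POSIX-style strings.

// Convert a simple glob (only "*" and "{a,b}" supported) into an anchored RegExp.
function globToRegExp(glob) {
  const body = glob
    .replace(/[.+?^$()|[\]\\]/g, '\\$&')
    .replace(/\{([^}]*)\}/g, (_, alts) => '(?:' + alts.split(',').join('|') + ')')
    .replace(/\*/g, '[^/]*');
  return new RegExp('^' + body + '$');
}

// Collapse "." and ".." segments so traversal cannot slip past a root check.
function normalize(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Hard deny first: a deny match wins even over the imported-file exception.
function decide(file, policy) {
  const abs = normalize(file);
  const base = abs.slice(abs.lastIndexOf('/') + 1);
  if (policy.deny.some((g) => globToRegExp(g).test(base))) return 'denied: deny list';
  if (policy.allow.some((root) => abs === root || abs.startsWith(root + '/'))) {
    return 'served: allowed root';
  }
  if (policy.imported.has(abs)) return 'served: imported by allowed module';
  return 'denied: outside allow list';
}

// Constructed policy: patterns cover the file types named in the PR description.
const policy = {
  allow: ['/app'],
  deny: ['.env', '.env.*', '*.{crt,pem}'],
  imported: new Set(['/shared/ui/button.js', '/shared/certs/dev.pem']),
};

for (const f of ['/app/src/main.js', '/app/.env.local', '/shared/ui/button.js',
  '/shared/certs/dev.pem', '/app/../etc/passwd', '/app/id_rsa']) {
  console.log(f.padEnd(24), decide(f, policy));
}
```

The last sample path shows the gap raised earlier in the thread: a sensitive file that no deny pattern names is still served when it sits under an allowed root.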

patak-dev added this to the 2.7 milestone Oct 24, 2021
Shinigami92 previously approved these changes Oct 24, 2021
patak-dev added the p4-important label and removed the needs documentation and p2-nice-to-have labels Oct 24, 2021
antfu dismissed stale reviews from Shinigami92 and patak-dev via 2280d24 October 27, 2021 11:46
Shinigami92 previously approved these changes Oct 27, 2021
Shinigami92 dismissed their stale review October 27, 2021 13:12

Damn, GitHub notifications redirect me directly to the diff and then I didn't see that tests are failing :D

patak-dev merged commit 1a15460 into vitejs:main Oct 27, 2021
bluwy mentioned this pull request Apr 8, 2022