From 3edc458927b6bbee0d008bcde4d054aa8141f9f6 Mon Sep 17 00:00:00 2001 From: patak-dev Date: Mon, 16 Sep 2024 18:01:37 +0200 Subject: [PATCH 1/5] fix: backport #18112, fs raw query --- packages/vite/src/node/plugins/asset.ts | 4 ++-- .../src/node/server/middlewares/static.ts | 2 +- .../src/node/server/middlewares/transform.ts | 9 +++++++++ .../fs-serve/__tests__/fs-serve.spec.ts | 5 +++++ playground/fs-serve/root/src/index.html | 20 +++++++++++++++++++ 5 files changed, 37 insertions(+), 3 deletions(-) diff --git a/packages/vite/src/node/plugins/asset.ts b/packages/vite/src/node/plugins/asset.ts index ee96fef25cc343..ca8fcd4999bb88 100644 --- a/packages/vite/src/node/plugins/asset.ts +++ b/packages/vite/src/node/plugins/asset.ts @@ -29,8 +29,8 @@ export const duplicateAssets = new WeakMap< Map >() -const rawRE = /(\?|&)raw(?:&|$)/ -const urlRE = /(\?|&)url(?:&|$)/ +export const rawRE = /(\?|&)raw(?:&|$)/ +export const urlRE = /(\?|&)url(?:&|$)/ const assetCache = new WeakMap>() diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts index 03306b68fc2197..304aa781dca2b8 100644 --- a/packages/vite/src/node/server/middlewares/static.ts +++ b/packages/vite/src/node/server/middlewares/static.ts @@ -174,7 +174,7 @@ export function isFileServingAllowed( return false } -function ensureServingAccess( +export function ensureServingAccess( url: string, server: ViteDevServer, res: ServerResponse, diff --git a/packages/vite/src/node/server/middlewares/transform.ts b/packages/vite/src/node/server/middlewares/transform.ts index 929c6856d34748..a11119e68bf983 100644 --- a/packages/vite/src/node/server/middlewares/transform.ts +++ b/packages/vite/src/node/server/middlewares/transform.ts 
@@ -35,6 +35,8 @@ import { ERR_OUTDATED_OPTIMIZED_DEP } from '../../plugins/optimizedDeps' import { getDepsOptimizer } from '../../optimizer' +import { rawRE, urlRE } from '../../plugins/asset' +import { ensureServingAccess } from './static' const debugCache = createDebugger('vite:cache') const isDebug = !!process.env.DEBUG @@ -147,6 +149,13 @@ export function transformMiddleware( } } + if ( + (rawRE.test(url) || urlRE.test(url)) && + !ensureServingAccess(url, server, res, next) + ) { + return + } + if ( isJSRequest(url) || isImportRequest(url) || diff --git a/playground/fs-serve/__tests__/fs-serve.spec.ts b/playground/fs-serve/__tests__/fs-serve.spec.ts index c22e5def30fe7d..fefbc419e43b2a 100644 --- a/playground/fs-serve/__tests__/fs-serve.spec.ts +++ b/playground/fs-serve/__tests__/fs-serve.spec.ts @@ -76,6 +76,11 @@ describe.runIf(isServe)('main', () => { expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403') }) + test('unsafe fs fetch', async () => { + expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('') + expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403') + }) + test('unsafe fs fetch with special characters (#8498)', async () => { expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('') expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('403') diff --git a/playground/fs-serve/root/src/index.html b/playground/fs-serve/root/src/index.html index 565961d34cd889..b8ed6b18489692 100644 --- a/playground/fs-serve/root/src/index.html +++ b/playground/fs-serve/root/src/index.html @@ -35,6 +35,8 @@
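Review bot: The new `if` block only invokes `ensureServingAccess` when `rawRE` or `urlRE` matches `url`, so the protection is exactly as strong as the agreement between these two anchored regexes (`(?:&|$)` as exported from asset.ts) and whatever the asset plugin later accepts as a raw/url request; any query form the plugin pipeline treats as raw but these patterns do not match would reach the plugins without this check, so the two places must be kept in sync deliberately. A comment stating the intent would help the next reader, e.g. `// ?raw and ?url requests hand file contents to the asset plugin, so they need the same serving-access check as other file reads`. I'd also add a short comment in asset.ts next to the now-exported `rawRE`/`urlRE` noting that transformMiddleware relies on them for that check. transformMiddleware's body starts and ends outside the hunk.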
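Review bot: The added test is named `'unsafe fs fetch'`, which appears to be the same name as the test immediately above it (the one asserting `.unsafe-fs-fetch-status`) — I cannot see that test's title in the hunk, but if so the two cases are indistinguishable in the runner's output when one fails; name it after what it exercises, e.g. `test('unsafe fs fetch with raw query', async () => {`. Note also that the `''` expectation on `.unsafe-fs-fetch-raw` holds only because the page's `r.json()` rejects on the 403 body and the `.catch` leaves the text untouched; the `403` status assertion is the one that actually proves the access check fired.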

Safe /@fs/ Fetch

Unsafe /@fs/ Fetch


 

+

+

 

 

 

@@ -166,6 +168,24 @@ 

Denied

console.error(e) }) + // not imported before, outside of root, treated as unsafe + fetch( + joinUrlSegments( + base, + joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw', + ), + ) + .then((r) => { + text('.unsafe-fs-fetch-raw-status', r.status) + return r.json() + }) + .then((data) => { + text('.unsafe-fs-fetch-raw', JSON.stringify(data)) + }) + .catch((e) => { + console.error(e) + }) + // outside root with special characters #8498 fetch('/@fs/' + ROOT + '/root/src/%2e%2e%2f%2e%2e%2funsafe%2ejson') .then((r) => { From 3e2e12cd94d88719360484ede6c5078ce318a733 Mon Sep 17 00:00:00 2001 From: jackfromeast Date: Mon, 16 Sep 2024 11:42:53 -0400 Subject: [PATCH 2/5] fix: backport #18115, DOM Clobbering in --- packages/vite/src/node/build.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/vite/src/node/build.ts b/packages/vite/src/node/build.ts index fe147c1cd1b48d..24e5118c7767b1 100644 --- a/packages/vite/src/node/build.ts +++ b/packages/vite/src/node/build.ts @@ -1005,7 +1005,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) => getResolveUrl( `'${relativePath}', ${ umd ? `typeof document === 'undefined' ? location.href : ` : '' - }document.currentScript && document.currentScript.src || document.baseURI` + }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI` ) const relativeUrlMechanisms: Record< From 319e23af9fe6777bae14b75b2ae447572ffd2c5b Mon Sep 17 00:00:00 2001 From: patak-dev Date: Mon, 16 Sep 2024 22:03:14 +0200 Subject: [PATCH 3/5] chore: update to pnpm/action-setup v4 --- .github/workflows/ci.yml | 4 ++-- .github/workflows/publish.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 565c108ac94b9c..5bc63230f95b6f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
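Review bot: The generated expression now refuses a clobbered `document.currentScript` by checking its tag name, but nothing in the template says why, and the line has grown long enough that the intent is easy to lose on the next edit; a comment above the `getResolveUrl(` call such as `// guard against DOM clobbering: a non-<script> element exposed as document.currentScript must not supply its src as the base URL` would record it. The `toUpperCase()` suggests the comparison is meant to also accept script elements whose `tagName` is reported in lower case (SVG, presumably) — that is my inference and should be confirmed before being written down. `getRelativeUrlFromDocument` starts before the hunk.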
@@ -50,7 +50,7 @@ jobs: uses: actions/checkout@v3 - name: Install pnpm - uses: pnpm/action-setup@v2.2.4 + uses: pnpm/action-setup@v4.0.0 - name: Set node version to ${{ matrix.node_version }} uses: actions/setup-node@v3 @@ -106,7 +106,7 @@ jobs: fetch-depth: 0 - name: Install pnpm - uses: pnpm/action-setup@v2.2.4 + uses: pnpm/action-setup@v4.0.0 - name: Set node version to 16 uses: actions/setup-node@v3 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index d167d77f6442a8..4f497a1cc50b96 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -18,7 +18,7 @@ jobs: uses: actions/checkout@v3 - name: Install pnpm - uses: pnpm/action-setup@v2.2.4 + uses: pnpm/action-setup@v4.0.0 - name: Set node version to 16.x uses: actions/setup-node@v3 From 0d4a3eea327c81d0546bbd050d71e9f3669d8bbc Mon Sep 17 00:00:00 2001 From: patak-dev Date: Mon, 16 Sep 2024 22:11:46 +0200 Subject: [PATCH 4/5] test: avoid joinUrlSegments, align with prev test --- playground/fs-serve/root/src/index.html | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/playground/fs-serve/root/src/index.html b/playground/fs-serve/root/src/index.html index b8ed6b18489692..5b2363740bf030 100644 --- a/playground/fs-serve/root/src/index.html +++ b/playground/fs-serve/root/src/index.html @@ -169,12 +169,7 @@

Denied

}) // not imported before, outside of root, treated as unsafe - fetch( - joinUrlSegments( - base, - joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw', - ), - ) + fetch('/@fs/' + ROOT + '/unsafe.json?import&raw') .then((r) => { text('.unsafe-fs-fetch-raw-status', r.status) return r.json() From fa255647741bef6846f102fc1e9f20318919d065 Mon Sep 17 00:00:00 2001 From: sapphi-red <49056869+sapphi-red@users.noreply.github.com> Date: Tue, 17 Sep 2024 12:01:16 +0900 Subject: [PATCH 5/5] fix(importAnalysis): backport #13712, strip url base before passing as safeModulePaths --- packages/vite/src/node/plugins/importAnalysis.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/vite/src/node/plugins/importAnalysis.ts b/packages/vite/src/node/plugins/importAnalysis.ts index d26b0e219085d9..868207bf2ae2c8 100644 --- a/packages/vite/src/node/plugins/importAnalysis.ts +++ b/packages/vite/src/node/plugins/importAnalysis.ts @@ -478,7 +478,9 @@ export function importAnalysisPlugin(config: ResolvedConfig): Plugin { const [url, resolvedId] = await normalizeUrl(specifier, start) // record as safe modules - server?.moduleGraph.safeModulesPath.add(fsPathFromUrl(url)) + const urlWithoutBase = + base !== '/' && url.startsWith(base) ? url.replace(base, '/') : url + server?.moduleGraph.safeModulesPath.add(fsPathFromUrl(urlWithoutBase)) if (url !== specifier) { let rewriteDone = false
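Review bot: `url.replace(base, '/')` is correct only because of the `startsWith(base)` guard on the same line — `replace` with a string pattern substitutes the first occurrence wherever it appears — so the prefix strip reads more directly as `'/' + url.slice(base.length)`, which also makes the assumption that `base` ends with `/` explicit (I infer that from the `'/'` replacement; confirm against how `base` is resolved). The `// record as safe modules` comment above the change should also say why the base is removed, since `safeModulesPath` is an allow-list and a mis-keyed entry silently fails to match, e.g. `// record as safe modules; strip the url base first so the fs path matches what fsPathFromUrl derives elsewhere` — the "elsewhere" part follows the subject line rather than anything visible in the hunk, so word it to what the code shows. `importAnalysisPlugin` starts before the hunk and continues after it.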