fix: Restrict which files Vite publishes (#12390)

Fixes #12362
vaadin · Nov 19, 2021 · a1f5b00 · a1f5b00
1 parent 6a8a003
commit a1f5b00
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 3 deletions.
diff --git a/flow-server/src/main/java/com/vaadin/flow/server/frontend/TaskUpdateSettingsFile.java b/flow-server/src/main/java/com/vaadin/flow/server/frontend/TaskUpdateSettingsFile.java
@@ -81,6 +81,8 @@ public void execute() {
                 FrontendUtils.getUnixPath(new File(staticOutput).toPath()));
         settings.put("generatedFolder", "generated");
         settings.put("frontendBundleOutput", webappResources);
+        settings.put("addonFrontendFolder", combinePath(buildDirectory,
+                FrontendUtils.DEFAULT_FLOW_RESOURCES_FOLDER));
 
         settings.put("themeName", themeName);
 

diff --git a/flow-server/src/main/resources/vite.generated.ts b/flow-server/src/main/resources/vite.generated.ts
@@ -12,11 +12,12 @@ import settings from '#settingsImport#';
 import { UserConfigFn, defineConfig, HtmlTagDescriptor, mergeConfig } from 'vite';
 
 import brotli from 'rollup-plugin-brotli';
-import checker from 'vite-plugin-checker'
+import checker from 'vite-plugin-checker';
 
 const frontendFolder = path.resolve(__dirname, settings.frontendFolder);
 const themeFolder = path.resolve(frontendFolder, settings.themeFolder);
-const buildFolder = path.resolve(__dirname, settings.frontendBundleOutput);
+const frontendBundleFolder = path.resolve(__dirname, settings.frontendBundleOutput);
+const addonFrontendFolder = path.resolve(__dirname, settings.addonFrontendFolder);
 
 const projectStaticAssetsFolders = [
   path.resolve(__dirname, 'src', 'main', 'resources', 'META-INF', 'resources'),
@@ -72,6 +73,13 @@ function runWatchDog(watchDogPort) {
 
 let spaMiddlewareForceRemoved = false;
 
+const allowedFrontendFolders = [
+  frontendFolder,
+  addonFrontendFolder,
+  path.resolve(addonFrontendFolder, '..', 'frontend'), // Contains only generated-flow-imports
+  path.resolve(frontendFolder, '../node_modules')
+];
+
 export const vaadinConfig: UserConfigFn = (env) => {
   const devMode = env.mode === 'development';
   const basePath = env.mode === 'production' ? '' : '/VAADIN/';
@@ -90,8 +98,13 @@ export const vaadinConfig: UserConfigFn = (env) => {
         Frontend: frontendFolder
       }
     },
+    server: {
+      fs: {
+        allow: allowedFrontendFolders,
+      }
+    },
     build: {
-      outDir: buildFolder,
+      outDir: frontendBundleFolder,
       assetsDir: 'VAADIN/build',
       rollupOptions: {
         input: {

diff --git a/flow-tests/test-frontend/vite-basics/src/test/java/com/vaadin/viteapp/FileAccessIT.java b/flow-tests/test-frontend/vite-basics/src/test/java/com/vaadin/viteapp/FileAccessIT.java
@@ -0,0 +1,88 @@
+package com.vaadin.viteapp;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.commons.io.IOUtils;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class FileAccessIT {
+
+    @BeforeClass
+    public static void waitForDevServer()
+            throws MalformedURLException, IOException, InterruptedException {
+        for (int i = 0; i < 50; i++) {
+            // Wait for index.ts so Vite also has run processing on files and
+            // later checks
+            // hopefully won't fail
+            String indexPage = IOUtils.toString(
+                    new URL("http://localhost:8888/VAADIN/generated/index.ts"),
+                    StandardCharsets.UTF_8);
+            if (indexPage.contains("router.setRoutes(routes);")) {
+                return;
+            }
+            Thread.sleep(500);
+        }
+        throw new IllegalStateException("Dev server never started");
+    }
+
+    @Test
+    public void expectedFoldersAccessible() throws Exception {
+        /*
+         * This just tests a few sample folders to see that there is not a
+         * fundamental problem
+         */
+        assertAllowed("target/flow-frontend/Flow.js");
+        assertAllowed("target/frontend/generated-flow-imports.js");
+        assertAllowed("frontend/index.ts");
+    }
+
+    private void assertAllowed(String fileInProject) throws IOException {
+        String result = IOUtils.toString(getFsUrl(fileInProject),
+                StandardCharsets.UTF_8);
+        Assert.assertFalse(result.isEmpty());
+    }
+
+    @Test
+    public void mostFoldersNotAccessible() throws Exception {
+        /*
+         * This just tests a few sample folders to see that there is not a
+         * fundamental problem
+         */
+        assertDenied("target/vaadin-dev-server-settings.json");
+        assertDenied("pom.xml");
+        assertDenied("../pom.xml");
+    }
+
+    private void assertDenied(String fileInProject) {
+        try {
+            URL url = getFsUrl(fileInProject);
+            IOUtils.toString(url, StandardCharsets.UTF_8);
+            Assert.fail("Request for " + url + " should not succeed");
+        } catch (IOException e) {
+            Assert.assertTrue(
+                    "Request for " + fileInProject + " should have failed",
+                    e.getMessage().contains(
+                            "Server returned HTTP response code: 403"));
+        }
+
+    }
+
+    private URL getFsUrl(String fileInProject) throws IOException {
+        // For Windows, the URLs should be like
+        // http://localhost:8888/VAADIN/@fs/C:/Code/flow/flow-tests/test-frontend/vite-basics/target/vaadin-dev-server-settings.json
+
+        String currentPath = new java.io.File(".").getCanonicalPath()
+                .replace("\\", "/");
+        if (!currentPath.startsWith("/")) {
+            currentPath = "/" + currentPath;
+        }
+        return new URL("http://localhost:8888/VAADIN/@fs" + currentPath + "/"
+                + fileInProject);
+    }
+
+}