From 91641c4da0a011d4c5352e88fc68389d4e1289a5 Mon Sep 17 00:00:00 2001
From: patak <matias.capeletto@gmail.com>
Date: Fri, 19 Jan 2024 14:02:51 +0100
Subject: [PATCH] fix: fs deny for case insensitive systems (#15653)

---
 packages/vite/src/node/server/index.ts           |  5 ++++-
 .../__tests__/base/fs-serve-base.spec.ts         |  8 +++++++-
 playground/fs-serve/__tests__/fs-serve.spec.ts   |  8 +++++++-
 playground/fs-serve/root/src/index.html          | 16 +++++++++++++++-
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/packages/vite/src/node/server/index.ts b/packages/vite/src/node/server/index.ts
index bec44dafb25910..eb34efa3dd4b99 100644
--- a/packages/vite/src/node/server/index.ts
+++ b/packages/vite/src/node/server/index.ts
@@ -617,7 +617,10 @@ export async function _createServer(
     _importGlobMap: new Map(),
     _forceOptimizeOnRestart: false,
     _pendingRequests: new Map(),
-    _fsDenyGlob: picomatch(config.server.fs.deny, { matchBase: true }),
+    _fsDenyGlob: picomatch(config.server.fs.deny, {
+      matchBase: true,
+      nocase: true,
+    }),
     _shortcutsOptions: undefined,
   }
 
diff --git a/playground/fs-serve/__tests__/base/fs-serve-base.spec.ts b/playground/fs-serve/__tests__/base/fs-serve-base.spec.ts
index 4660fafcc8031f..51e87ccd3b57cf 100644
--- a/playground/fs-serve/__tests__/base/fs-serve-base.spec.ts
+++ b/playground/fs-serve/__tests__/base/fs-serve-base.spec.ts
@@ -92,7 +92,13 @@ describe.runIf(isServe)('main', () => {
   })
 
   test('denied', async () => {
-    expect(await page.textContent('.unsafe-dotenv')).toBe('404')
+    expect(await page.textContent('.unsafe-dotenv')).toBe('403')
+  })
+
+  test('denied EnV casing', async () => {
+    // It is 403 in case insensitive system, 404 in others
+    const code = await page.textContent('.unsafe-dotEnV-casing')
+    expect(code === '403' || code === '404').toBeTruthy()
   })
 })
 
diff --git a/playground/fs-serve/__tests__/fs-serve.spec.ts b/playground/fs-serve/__tests__/fs-serve.spec.ts
index 86e030326ea420..9d9d4c6ec80e54 100644
--- a/playground/fs-serve/__tests__/fs-serve.spec.ts
+++ b/playground/fs-serve/__tests__/fs-serve.spec.ts
@@ -92,7 +92,13 @@ describe.runIf(isServe)('main', () => {
   })
 
   test('denied', async () => {
-    expect(await page.textContent('.unsafe-dotenv')).toBe('404')
+    expect(await page.textContent('.unsafe-dotenv')).toBe('403')
+  })
+
+  test('denied EnV casing', async () => {
+    // It is 403 in case insensitive system, 404 in others
+    const code = await page.textContent('.unsafe-dotEnV-casing')
+    expect(code === '403' || code === '404').toBeTruthy()
   })
 })
 
diff --git a/playground/fs-serve/root/src/index.html b/playground/fs-serve/root/src/index.html
index 5de6804a7658de..06bee3f8671949 100644
--- a/playground/fs-serve/root/src/index.html
+++ b/playground/fs-serve/root/src/index.html
@@ -45,6 +45,7 @@ <h2>Nested Entry</h2>
 
 <h2>Denied</h2>
 <pre class="unsafe-dotenv"></pre>
+<pre class="unsafe-dotEnV-casing"></pre>
 
 <script type="module">
   import '../../entry'
@@ -236,7 +237,9 @@ <h2>Denied</h2>
     })
 
   // .env, denied by default
-  fetch(joinUrlSegments(base, joinUrlSegments('/@fs/', ROOT) + '/root/.env'))
+  fetch(
+    joinUrlSegments(base, joinUrlSegments('/@fs/', ROOT) + '/root/src/.env'),
+  )
     .then((r) => {
       text('.unsafe-dotenv', r.status)
     })
@@ -244,6 +247,17 @@ <h2>Denied</h2>
       console.error(e)
     })
 
+  // .env, for case insensitive file systems
+  fetch(
+    joinUrlSegments(base, joinUrlSegments('/@fs/', ROOT) + '/root/src/.EnV'),
+  )
+    .then((r) => {
+      text('.unsafe-dotEnV-casing', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
   function text(sel, text) {
     document.querySelector(sel).textContent = text
   }