8000 `./x.js?foo=/../y.js` is resolved as `./y.js` instead of `./x.js` · Issue #19406 · vitejs/vite · GitHub

./x.js?foo=/../y.js is resolved as ./y.js instead of ./x.js #19406

Open
7 tasks done
hi-ogawa opened this issue Feb 12, 2025 · 0 comments
Labels
p2-edge-case Bug, but has workaround or limited in scope (priority)

Comments

Collaborator
hi-ogawa commented Feb 12, 2025

Describe the bug

For the following code, Vite resolves the import differently from Node.js.

import repro from "./x.js?foo=/../y.js"

This appears to be because Vite's fs resolution normalizes id via path.resolve without stripping off ?, such as:

const fsPath = path.resolve(basedir, id)

> path.resolve('/x.js?foo=/../y.js')
'/y.js'
> path.resolve('/x.js/../y.js')
'/y.js'
> path.resolve('/x.js?foo=bar')
'/x.js?foo=bar'

Additional note: Going up parent directories with this trick only cheats resolution and the file content is still protected by the same server.fs mechanism, so this is not likely a security issue.

Reproduction

https://stackblitz.com/github/hi-ogawa/reproductions/tree/main/vite-vitest-GHSA-jgmc-vvcc-xjmp?file=src%2Fmain.js

Steps to reproduce

  • Open stackblitz and browser shows [y.js]
  • Run node src/main.js and it shows [x.js]
 node src/main.js
{ repro: '[x.js]' }

System Info

System:
    OS: Linux 5.0 undefined
    CPU: (8) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
    Memory: 0 Bytes / 0 Bytes
    Shell: 1.0 - /bin/jsh
  Binaries:
    Node: 18.20.3 - /usr/local/bin/node
    Yarn: 1.22.19 - /usr/local/bin/yarn
    npm: 10.2.3 - /usr/local/bin/npm
    pnpm: 8.15.6 - /usr/local/bin/pnpm
  npmPackages:
    vite: ^6.1.0 => 6.1.0

Used Package Manager

npm

Logs

No response

Validations

@sapphi-red sapphi-red added the p2-edge-case Bug, but has workaround or limited in scope (priority) label Feb 13, 2025