[PR #287] [MERGED] Block access to .vite/ build metadata in production server #446

New issue

Closed

opened 2026-05-06 12:39:51 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:39:51 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/287
Author: @southpolesteve
Created: 3/6/2026
Status: ✅ Merged
Merged: 3/6/2026
Merged by: @southpolesteve

Base: main ← Head: fix/block-internal-build-paths

📝 Commits (1)

857f2d7 Block access to .vite/ build metadata in production server

📊 Changes

2 files changed (+21 additions, -0 deletions)

View changed files

📝 packages/vinext/src/server/prod-server.ts (+8 -0)
📝 tests/pages-router.test.ts (+13 -0)

📄 Description

Summary

The .vite/ directory in the client build output contains build manifests (ssr-manifest.json, manifest.json) and other artifacts that should not be publicly accessible. The tryServeStatic() function had no filtering for these paths.
Added a check in tryServeStatic() that rejects requests to .vite/ paths after URL decoding, which also handles encoded variants like /%2Evite/.

Changes

packages/vinext/src/server/prod-server.ts: Added .vite/ path check in tryServeStatic() after decodeURIComponent to block direct and encoded access to build metadata.
tests/pages-router.test.ts: Two new tests verifying .vite/ssr-manifest.json returns 404 for both direct and percent-encoded paths.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/287 **Author:** [@southpolesteve](https://github.com/southpolesteve) **Created:** 3/6/2026 **Status:** ✅ Merged **Merged:** 3/6/2026 **Merged by:** [@southpolesteve](https://github.com/southpolesteve) **Base:** `main` ← **Head:** `fix/block-internal-build-paths` --- ### 📝 Commits (1) - [`857f2d7`](https://github.com/cloudflare/vinext/commit/857f2d78528d53a01cfe8a33ce33ea2eb85fdbf8) Block access to .vite/ build metadata in production server ### 📊 Changes **2 files changed** (+21 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/server/prod-server.ts` (+8 -0) 📝 `tests/pages-router.test.ts` (+13 -0) </details> ### 📄 Description ## Summary - The `.vite/` directory in the client build output contains build manifests (`ssr-manifest.json`, `manifest.json`) and other artifacts that should not be publicly accessible. The `tryServeStatic()` function had no filtering for these paths. - Added a check in `tryServeStatic()` that rejects requests to `.vite/` paths after URL decoding, which also handles encoded variants like `/%2Evite/`. ## Changes - `packages/vinext/src/server/prod-server.ts`: Added `.vite/` path check in `tryServeStatic()` after `decodeURIComponent` to block direct and encoded access to build metadata. - `tests/pages-router.test.ts`: Two new tests verifying `.vite/ssr-manifest.json` returns 404 for both direct and percent-encoded paths. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>