From 1f2269fb877ea42314a9bc21287cd2e287be6967 Mon Sep 17 00:00:00 2001
From: Rich Harris
Date: Mon, 23 May 2022 21:02:29 -0400
Subject: [PATCH 1/3] ensure correct case is used for static assets - closes #4931
---
 .changeset/pretty-actors-chew.md | 5 +++++
 packages/kit/src/core/dev/plugin.js | 12 +++++++++---
 packages/kit/test/apps/basics/test/test.js | 5 +++++
 3 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 .changeset/pretty-actors-chew.md
diff --git a/.changeset/pretty-actors-chew.md b/.changeset/pretty-actors-chew.md
new file mode 100644
index 000000000000..ae6d3019f694
--- /dev/null
+++ b/.changeset/pretty-actors-chew.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+ensure static assets are only served if correct case is used
diff --git a/packages/kit/src/core/dev/plugin.js b/packages/kit/src/core/dev/plugin.js
index d0e9fd9a3166..b343f57218f7 100644
--- a/packages/kit/src/core/dev/plugin.js
+++ b/packages/kit/src/core/dev/plugin.js
@@ -195,9 +195,15 @@ export async function create_plugin(config) {
 const file = config.kit.files.assets + pathname;
 if (fs.existsSync(file) && !fs.statSync(file).isDirectory()) {
- req.url = encodeURI(pathname); // don't need query/hash
- asset_server(req, res);
- return;
+ const has_correct_case = fs
+ .readdirSync(path.dirname(file))
+ .includes(path.basename(file));
+
+ if (has_correct_case) {
+ req.url = encodeURI(pathname); // don't need query/hash
+ asset_server(req, res);
+ return;
+ }
 }
 }
diff --git a/packages/kit/test/apps/basics/test/test.js b/packages/kit/test/apps/basics/test/test.js
index ab76155f9833..410eeb617b70 100644
--- a/packages/kit/test/apps/basics/test/test.js
+++ b/packages/kit/test/apps/basics/test/test.js
@@ -2570,6 +2570,11 @@ test.describe.parallel('Static files', () => {
 const response = await request.get(path);
 expect(response.status()).toBe(200);
 });
+
+ test('Filenames are case-sensitive', async ({ request }) => {
+ let response = await request.get('/static.JSON');
+ expect(response.status()).toBe(404);
+ });
 });
 test.describe.parallel('Matchers', () => {
From b310fe667b571fce3c2b7b337ab8476ee9a87950 Mon Sep 17 00:00:00 2001
From: Rich Harris
Date: Mon, 23 May 2022 21:27:32 -0400
Subject: [PATCH 2/3] Update packages/kit/test/apps/basics/test/test.js
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: MaurĂ­cio Kishi
---
 packages/kit/test/apps/basics/test/test.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/kit/test/apps/basics/test/test.js b/packages/kit/test/apps/basics/test/test.js
index 410eeb617b70..674a12e31698 100644
--- a/packages/kit/test/apps/basics/test/test.js
+++ b/packages/kit/test/apps/basics/test/test.js
@@ -2572,7 +2572,7 @@ test.describe.parallel('Static files', () => {
 });
 test('Filenames are case-sensitive', async ({ request }) => {
- let response = await request.get('/static.JSON');
+ const response = await request.get('/static.JSON');
 expect(response.status()).toBe(404);
 });
 });
From 6fe5ab9c6da8ac517da47196a15ec1233f262bd0 Mon Sep 17 00:00:00 2001
From: Rich Harris
Date: Mon, 23 May 2022 21:28:28 -0400
Subject: [PATCH 3/3] Update packages/kit/src/core/dev/plugin.js
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: MaurĂ­cio Kishi
---
 packages/kit/src/core/dev/plugin.js | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/packages/kit/src/core/dev/plugin.js b/packages/kit/src/core/dev/plugin.js
index b343f57218f7..92b79f29cc03 100644
--- a/packages/kit/src/core/dev/plugin.js
+++ b/packages/kit/src/core/dev/plugin.js
@@ -195,9 +195,7 @@ export async function create_plugin(config) {
 const file = config.kit.files.assets + pathname;
 if (fs.existsSync(file) && !fs.statSync(file).isDirectory()) {
- const has_correct_case = fs
- .readdirSync(path.dirname(file))
- .includes(path.basename(file));
+ const has_correct_case = fs.realpathSync.native(file) === path.resolve(file);
 if (has_correct_case) {
 req.url = encodeURI(pathname); // don't need query/hash
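Review bot: The new `fs.realpathSync.native(file) === path.resolve(file)` test rejects more than wrong-case requests, because realpath also resolves symbolic links: a symlinked asset, or an assets directory reached through a symlinked ancestor, never equals its `path.resolve` form, so a correctly-cased request would fall through instead of being served. Comparing names segment by segment under `config.kit.files.assets` keeps the case rule for directory components as well as the file name, does not resolve links, and (since `readdirSync` never lists `..`) also refuses dot-dot segments should `pathname` reach this point un-normalised, which the hunk does not show. The series' test only requests `/static.JSON`, so a wrong-case directory segment and a symlinked asset are both untested. The enclosing middleware starts before and continues past the hunk; the sketch below replaces only the `has_correct_case` line.

```javascript
if (fs.existsSync(file) && !fs.statSync(file).isDirectory()) {
	// compare directory entries name by name so symlinks are not resolved
	let dir = config.kit.files.assets;
	let has_correct_case = true;

	for (const segment of pathname.split('/').filter(Boolean)) {
		if (!fs.readdirSync(dir).includes(segment)) {
			has_correct_case = false;
			break;
		}
		dir = path.join(dir, segment);
	}

	// … unchanged: if (has_correct_case) { rewrite req.url and hand off to asset_server } …
```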