fix: avoid path traversal with optimize deps sourcemap handler (#22161)

Author: sapphi-red

packages/vite/src/node/server/middlewares/transform.ts

@@ -161,6 +161,10 @@ export function transformMiddleware(
           const sourcemapPath = url.startsWith(FS_PREFIX)
             ? fsPathFromId(url)
             : normalizePath(path.resolve(server.config.root, url.slice(1)))
+          // url may contain relative path that may resolve outside of the optimized deps directory
+          if (!depsOptimizer.isOptimizedDepFile(sourcemapPath)) {
+            return next()
+          }
           try {
             const map = JSON.parse(
               await fsp.readFile(sourcemapPath, 'utf-8'),

playground/fs-serve/__tests__/fs-serve.spec.ts

@@ -93,6 +93,21 @@ describe.runIf(isServe)('invalid request', () => {
       target: path.posix.join('/@fs/', root, 'root/src/dummy.crt/') + '.',
       status: 'HTTP/1.1 403 Forbidden',
     },
+    {
+      name: 'denied optimize deps sourcemap handler',
+      target:
+        path.posix.join('/@fs/', root) +
+        '/node_modules/.vite/deps/../../../unsafe.map',
+      status: 'HTTP/1.1 403 Forbidden',
+    },
+    {
+      name: 'denied backslash optimize deps sourcemap handler',
+      target:
+        path.posix.join('/@fs/', root) +
+        '/node_modules/.vite/deps/..\\..\\..\\unsafe.map',
+      status: isWindows ? 'HTTP/1.1 403 Forbidden' : 'HTTP/1.1 200 OK',
+      content: isWindows ? undefined : 'Cache-Control: no-cache',
+    },
     {
       name: 'HTML outside root with relative path',
       target: '/../unsafe.html',

playground/fs-serve/unsafe.map

@@ -0,0 +1,3 @@
+{
+  "key": "unsafe"
+}