prevent server-side fetch from succeeding if filename contains # (#6549)

Rich-Harris · web-flow · commit cd89d87c5558 · 2022-09-03T18:03:19.000-04:00
* prevent server-side fetch from succeeding if filename contains # - closes #2802 * huh i guess this was wrong all along
diff --git a/.changeset/green-kiwis-roll.md b/.changeset/green-kiwis-roll.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+[breaking] prevent server-side fetch from reading files with # character in the filename
diff --git a/packages/kit/src/runtime/server/page/fetch.js b/packages/kit/src/runtime/server/page/fetch.js
@@ -63,7 +63,7 @@ export function create_fetch({ event, options, state, route, prerender_default }
 			}
 		}
 
-		const resolved = resolve(event.url.pathname, requested.split('?')[0]);
+		const resolved = resolve(event.url.pathname, requested.split('?')[0]).replace(/#.+$/, '');
 
 		/** @type {Response} */
 		let response;
diff --git a/packages/kit/test/apps/basics/src/hooks.js b/packages/kit/test/apps/basics/src/hooks.js
@@ -37,7 +37,12 @@ export const handle = sequence(
 				? ({ html }) => html.replace('__REPLACEME__', 'Worked!')
 				: undefined
 		});
-		response.headers.append('set-cookie', 'name=SvelteKit; path=/; HttpOnly');
+
+		try {
+			// in some tests we fetch stuff with undici, and the headers are immutable.
+			// we can safely ignore it in those cases
+			response.headers.append('set-cookie', 'name=SvelteKit; path=/; HttpOnly');
+		} catch {}
 
 		return response;
 	}
diff --git a/packages/kit/test/apps/basics/src/routes/load/static-file-with-hash/+page.js b/packages/kit/test/apps/basics/src/routes/load/static-file-with-hash/+page.js
@@ -0,0 +1,8 @@
+/** @type {import('./$types').PageLoad} */
+export async function load({ fetch }) {
+	const res = await fetch('/load/assets/a#b.txt');
+
+	return {
+		status: res.status
+	};
+}
diff --git a/packages/kit/test/apps/basics/src/routes/load/static-file-with-hash/+page.svelte b/packages/kit/test/apps/basics/src/routes/load/static-file-with-hash/+page.svelte
@@ -0,0 +1,6 @@
+<script>
+	/** @type {import('./$types').PageData} */
+	export let data;
+</script>
+
+<h1>status: {data.status}</h1>
diff --git a/packages/kit/test/apps/basics/static/load/assets/a#b.txt b/packages/kit/test/apps/basics/static/load/assets/a#b.txt
@@ -0,0 +1 @@
+nope
diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
@@ -249,7 +249,12 @@ test.describe('Load', () => {
 		request
 	}) => {
 		const response = await request.get('/errors/error-in-layout');
-		expect(await response.text()).toContain('Error: 500');
+		expect(await response.text()).toContain('Error: 404');
+	});
+
+	test('fetch does not load a file with a # character', async ({ request }) => {
+		const response = await request.get('/load/static-file-with-hash');
+		expect(await response.text()).toContain('status: 404');
 	});
 });
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@sveltejs/kit': patch
 +---
++
 +[breaking] prevent server-side fetch from reading files with # character in the filename
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ export function create_fetch({ event, options, state, route, prerender_default }`
`63`	`63`	`}`
`64`	`64`	`}`
`65`	`65`
`66`		`- const resolved = resolve(event.url.pathname, requested.split('?')[0]);`
	`66`	`+ const resolved = resolve(event.url.pathname, requested.split('?')[0]).replace(/#.+$/, '');`
`67`	`67`
`68`	`68`	`/** @type {Response} */`
`69`	`69`	`let response;`