
Restrict access to .dev.vars files #9513


Merged: 3 commits merged into main from james/fs-deny, Jun 11, 2025

Conversation

jamesopstad
Contributor

@jamesopstad jamesopstad commented Jun 6, 2025

Fixes #000.

Note: access to Worker config files has not been restricted as they can have any names. These do not contain sensitive content, however.


  • Tests
    • TODO (before merge)
    • Tests included
    • Tests not necessary because:
  • Wrangler / Vite E2E Tests CI Job required? (Use "e2e" label or ask maintainer to run separately)
    • I don't know
    • Required
    • Not required because: N/A
  • Public documentation
    • TODO (before merge)
    • Cloudflare docs PR(s):
    • Documentation not necessary because: N/A
  • Wrangler V3 Backport
    • TODO (before merge)
    • Wrangler PR:
    • Not necessary because: Not a Wrangler change

@jamesopstad jamesopstad requested review from a team as code owners June 6, 2025 15:00
@jamesopstad jamesopstad added the vite-plugin Relating to the `@cloudflare/vite-plugin` package label Jun 6, 2025

changeset-bot bot commented Jun 6, 2025

🦋 Changeset detected

Latest commit: f5922b2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name: @cloudflare/vite-plugin, Type: Patch


pkg-pr-new bot commented Jun 6, 2025

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@9513

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@9513

miniflare

npm i https://pkg.pr.new/miniflare@9513

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@9513

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@9513

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@9513

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@9513

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@9513

wrangler

npm i https://pkg.pr.new/wrangler@9513

commit: f5922b2

@@ -0,0 +1,5 @@
export default {
async fetch() {
return new Response("Worker response");
Contributor

Once #9510 lands we should also check that env.ASSETS.fetch() also doesn't expose these files.

Comment on lines +118 to +123
const defaultDeniedFiles = [
".env",
".env.*",
"*.{crt,pem}",
"**/.git/**",
];
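Review bot: this list duplicates Vite's built-in server.fs.deny defaults verbatim rather than referencing them, so it will silently drift if Vite adds or changes a pattern upstream (the thread below confirms Vite neither exports nor merges them). Suggest a comment citing the Vite source file and version these four entries were copied from, plus a unit test asserting the final deny list still contains every Vite default alongside the `.dev.vars` patterns this PR adds, so a future edit cannot drop `.env` or `*.{crt,pem}` unnoticed.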
Contributor

Are these the default Vite ones? Did you have to copy them over?
Is it not possible to just add our .dev.vars etc paths over the top of what Vite provides??
Doesn't Vite just merge them automatically?

Contributor Author

They don't get merged automatically, unfortunately. I was expecting them to be exported for this purpose (like they export defaultAllowedOrigins) but they're not. I could open a PR to Vite to export.
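The deny-list behaviour discussed in this thread, as an added example that is not the plugin's code: Vite's default `server.fs.deny` patterns are unioned by hand with the `.dev.vars` patterns (because Vite does not merge them), and a requested path is checked with a small glob matcher that approximates Vite's basename matching for slash-free patterns. The `.dev.vars.*` pattern and the matcher itself are assumptions, not taken from the PR.

```javascript
// Added example (not the plugin's code): model the server.fs.deny check so the
// union of Vite's defaults and the .dev.vars patterns can be verified offline.
const viteDefaultDeniedFiles = [".env", ".env.*", "*.{crt,pem}", "**/.git/**"];
// Assumed patterns for Wrangler's local secrets file and its variants.
const devVarsDeniedFiles = [".dev.vars", ".dev.vars.*"];
// Vite does not merge a plugin-supplied deny list with its defaults, so the
// plugin must ship the union itself; dropping the defaults would re-expose .env.
const deniedFiles = [...viteDefaultDeniedFiles, ...devVarsDeniedFiles];

// Minimal glob-to-RegExp conversion covering only the syntax used above:
// "*" (within one path segment), "**/" (any number of leading segments),
// "**" (the rest of the path) and "{a,b}" alternation. Assumption: this is
// close enough to picomatch for these patterns.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      if (glob[i + 2] === "/") {
        re += "(?:.*/)?";
        i += 2;
      } else {
        re += ".*";
        i += 1;
      }
    } else if (c === "*") {
      re += "[^/]*";
    } else if (c === "{") {
      const end = glob.indexOf("}", i);
      re += "(?:" + glob.slice(i + 1, end).split(",").join("|") + ")";
      i = end;
    } else {
      re += c.replace(/[.+?^$()|[\]\\]/, "\\$&");
    }
  }
  return new RegExp("^" + re + "$");
}

// Patterns without a slash are matched against the basename (as picomatch's
// matchBase option does in Vite); patterns with a slash see the whole path.
const denyMatchers = deniedFiles.map((pattern) => ({
  regex: globToRegExp(pattern),
  matchBase: !pattern.includes("/"),
}));

// Returns true when the dev server must refuse to serve this path.
function isDenied(filePath) {
  const base = filePath.slice(filePath.lastIndexOf("/") + 1);
  return denyMatchers.some(({ regex, matchBase }) =>
    regex.test(matchBase ? base : filePath)
  );
}
```

Note that `wrangler.jsonc` is not denied, matching the PR description's point that Worker config files are left unrestricted because their names vary.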

@github-project-automation github-project-automation bot moved this from Untriaged to Approved in workers-sdk Jun 6, 2025
@jamesopstad jamesopstad enabled auto-merge June 11, 2025 15:50
@jamesopstad jamesopstad added this pull request to the merge queue Jun 11, 2025
Merged via the queue into main with commit 0e50072 Jun 11, 2025
21 checks passed
@jamesopstad jamesopstad deleted the james/fs-deny branch June 11, 2025 16:03
@github-project-automation github-project-automation bot moved this from Approved to Done in workers-sdk Jun 11, 2025