[web] Respond with 404 to non-found asset or package files (#67088)

5d6321b5 · Mouad Debbar · GitHub · 385ae402 · 5d6321b5 · 5d6321b5
Unverified Commit 5d6321b5 authored Oct 02, 2020 by Mouad Debbar Committed by GitHub Oct 02, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 0 deletions

devfs_web.dart packages/flutter_tools/lib/src/isolated/devfs_web.dart +5 -0

devfs_web_test.dart .../flutter_tools/test/general.shard/web/devfs_web_test.dart +41 -0

No files found.
--- a/packages/flutter_tools/lib/src/isolated/devfs_web.dart
+++ b/packages/flutter_tools/lib/src/isolated/devfs_web.dart
@@ -406,6 +406,11 @@ class WebAssetServer implements AssetReader {
    }

    if (!file.existsSync()) {
+      // Paths starting with these prefixes should've been resolved above.
+      if (requestPath.startsWith('assets/') ||
+          requestPath.startsWith('packages/')) {
+        return shelf.Response.notFound('');
+      }
      return _serveIndex();
    }


--- a/packages/flutter_tools/test/general.shard/web/devfs_web_test.dart
+++ b/packages/flutter_tools/test/general.shard/web/devfs_web_test.dart
@@ -260,6 +260,47 @@ void main() {
    expect(await response.readAsString(), htmlContent);
  }));

+  test('does not serve outside the base path', () => testbed.run(() async {
+    webAssetServer.basePath = 'base/path';
+
+    const String htmlContent = '<html><head></head><body id="test"></body></html>';
+    final Directory webDir = globals.fs.currentDirectory
+      .childDirectory('web')
+      ..createSync();
+    webDir.childFile('index.html').writeAsStringSync(htmlContent);
+
+    final Response response = await webAssetServer
+      .handleRequest(Request('GET', Uri.parse('http://foobar/')));
+
+    expect(response.statusCode, HttpStatus.notFound);
+  }));
+
+  test('does not serve index.html when path is inside assets or packages', () => testbed.run(() async {
+    const String htmlContent = '<html><head></head><body id="test"></body></html>';
+    final Directory webDir = globals.fs.currentDirectory
+      .childDirectory('web')
+      ..createSync();
+    webDir.childFile('index.html').writeAsStringSync(htmlContent);
+
+    Response response = await webAssetServer
+      .handleRequest(Request('GET', Uri.parse('http://foobar/assets/foo/bar.png')));
+    expect(response.statusCode, HttpStatus.notFound);
+
+    response = await webAssetServer
+      .handleRequest(Request('GET', Uri.parse('http://foobar/packages/foo/bar.dart.js')));
+    expect(response.statusCode, HttpStatus.notFound);
+
+    webAssetServer.basePath = 'base/path';
+
+    response = await webAssetServer
+      .handleRequest(Request('GET', Uri.parse('http://foobar/base/path/assets/foo/bar.png')));
+    expect(response.statusCode, HttpStatus.notFound);
+
+    response = await webAssetServer
+      .handleRequest(Request('GET', Uri.parse('http://foobar/base/path/packages/foo/bar.dart.js')));
+    expect(response.statusCode, HttpStatus.notFound);
+  }));
+
  test('serves default index.html', () => testbed.run(() async {
    final Response response = await webAssetServer
      .handleRequest(Request('GET', Uri.parse('http://foobar/')));