Closed as not planned
Description
Describe the bug
When referencing a symlink with the /@fs/... endpoint in dev mode, the final destination of the symlink is not considered when verifying the file is within the serve root. This may or may not be significant as the possibility of having a malicious symlink is likely very low.
Reproduction
```sh
npm init vite@latest
```
Create a Vite config with strict fs and a serve root of the current directory:
```js
export default {
  server: {
    fs: {
      // Only allow serving files from the project root itself
      strict: true,
      allow: ['.']
    }
  }
}
```
Verify that you cannot access a file outside of the current directory (such as /etc/passwd). Set up a symlink to /etc/passwd within the project directory:
```
/tmp/vitetest/vite-project ❯ ln -s /etc/passwd/ test
/tmp/vitetest/vite-project ❯ ls -lah
total 64K
drwxrwxr-x  3 josh josh 4.0K Oct 13 10:38 .
drwxrwxr-x  3 josh josh 4.0K Oct 13 10:27 ..
-rw-rw-r--  1 josh josh 1.5K Oct 13 10:27 favicon.svg
-rw-rw-r--  1 josh josh   44 Oct 13 10:27 .gitignore
-rw-rw-r--  1 josh josh  353 Oct 13 10:27 index.html
-rw-rw-r--  1 josh josh  177 Oct 13 10:27 main.js
drwxrwxr-x 17 josh josh 4.0K Oct 13 10:27 node_modules
-rw-rw-r--  1 josh josh  193 Oct 13 10:27 package.json
-rw-rw-r--  1 josh josh  23K Oct 13 10:27 package-lock.json
-rw-rw-r--  1 josh josh  199 Oct 13 10:27 style.css
lrwxrwxrwx  1 josh josh   16 Oct 13 10:38 test -> /etc/passwd/test
-rw-rw-r--  1 josh josh  152 Oct 13 10:30 vite.config.js
/tmp/vitetest/vite-project ❯
```
Start the development server with `npm run dev` and access http://localhost:3000/@fs/tmp/vitetest/vite-project/test, and /etc/passwd will be read.
System Info
```
System:
  OS: Linux 5.8 Ubuntu 20.04.1 LTS (Focal Fossa)
  CPU: (8) x64 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
  Memory: 450.98 MB / 31.25 GB
  Container: Yes
  Shell: 5.8 - /usr/bin/zsh
Binaries:
  Node: 14.15.5 - /usr/bin/node
  Yarn: 1.22.5 - /usr/bin/yarn
  npm: 7.17.0 - /usr/local/bin/npm
Browsers:
  Chrome: 94.0.4606.81
  Firefox: 93.0
npmPackages:
  vite: ^2.6.4 => 2.6.7
```
Used Package Manager
npm
Logs
No response
Validations
- Follow our Code of Conduct
- Read the Contributing Guidelines.
- Read the docs.
- Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
- Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to https://github.com/vuejs/vue-next instead.
- Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
- The provided reproduction is a minimal reproducible example of the bug.