fix: preview.allowedHosts with specific values was not respected (#19246)

sapphi-red · sapphi-red · commit 9df6e6beabf0 · 2025-01-21T19:30:48.000+09:00
diff --git a/packages/vite/src/node/preview.ts b/packages/vite/src/node/preview.ts
@@ -194,7 +194,7 @@ export async function preview(
   const { allowedHosts } = config.preview
   // no need to check for HTTPS as HTTPS is not vulnerable to DNS rebinding attacks
   if (allowedHosts !== true && !config.preview.https) {
-    app.use(hostCheckMiddleware(config))
+    app.use(hostCheckMiddleware(config, true))
   }
 
   // proxy
diff --git a/packages/vite/src/node/server/index.ts b/packages/vite/src/node/server/index.ts
@@ -858,7 +858,7 @@ export async function _createServer(
   const { allowedHosts } = serverConfig
   // no need to check for HTTPS as HTTPS is not vulnerable to DNS rebinding attacks
   if (allowedHosts !== true && !serverConfig.https) {
-    middlewares.use(hostCheckMiddleware(config))
+    middlewares.use(hostCheckMiddleware(config, false))
   }
 
   middlewares.use(cachedTransformMiddleware(server))
diff --git a/packages/vite/src/node/server/middlewares/hostCheck.ts b/packages/vite/src/node/server/middlewares/hostCheck.ts
@@ -3,7 +3,8 @@ import type { Connect } from 'dep-types/connect'
 import type { ResolvedConfig } from '../../config'
 import type { ResolvedPreviewOptions, ResolvedServerOptions } from '../..'
 
-const allowedHostsCache = new WeakMap<ResolvedConfig, Set<string>>()
+const allowedHostsServerCache = new WeakMap<ResolvedConfig, Set<string>>()
+const allowedHostsPreviewCache = new WeakMap<ResolvedConfig, Set<string>>()
 
 const isFileOrExtensionProtocolRE = /^(?:file|.+-extension):/i
 
@@ -118,48 +119,59 @@ export function isHostAllowedWithoutCache(
 
 /**
  * @param config resolved config
+ * @param isPreview whether it's for the preview server or not
  * @param host the value of host header. See [RFC 9110 7.2](https://datatracker.ietf.org/doc/html/rfc9110#name-host-and-authority).
  */
-export function isHostAllowed(config: ResolvedConfig, host: string): boolean {
-  if (config.server.allowedHosts === true) {
+export function isHostAllowed(
+  config: ResolvedConfig,
+  isPreview: boolean,
+  host: string,
+): boolean {
+  const allowedHosts = isPreview
+    ? config.preview.allowedHosts
+    : config.server.allowedHosts
+  if (allowedHosts === true) {
     return true
   }
 
-  if (!allowedHostsCache.has(config)) {
-    allowedHostsCache.set(config, new Set())
+  const cache = isPreview ? allowedHostsPreviewCache : allowedHostsServerCache
+  if (!cache.has(config)) {
+    cache.set(config, new Set())
   }
 
-  const allowedHosts = allowedHostsCache.get(config)!
-  if (allowedHosts.has(host)) {
+  const cachedAllowedHosts = cache.get(config)!
+  if (cachedAllowedHosts.has(host)) {
     return true
   }
 
   const result = isHostAllowedWithoutCache(
-    config.server.allowedHosts ?? [],
+    allowedHosts ?? [],
     config.additionalAllowedHosts,
     host,
   )
   if (result) {
-    allowedHosts.add(host)
+    cachedAllowedHosts.add(host)
   }
   return result
 }
 
 export function hostCheckMiddleware(
   config: ResolvedConfig,
+  isPreview: boolean,
 ): Connect.NextHandleFunction {
   // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
   return function viteHostCheckMiddleware(req, res, next) {
     const hostHeader = req.headers.host
-    if (!hostHeader || !isHostAllowed(config, hostHeader)) {
+    if (!hostHeader || !isHostAllowed(config, isPreview, hostHeader)) {
       const hostname = hostHeader?.replace(/:\d+$/, '')
       const hostnameWithQuotes = JSON.stringify(hostname)
+      const optionName = `${isPreview ? 'preview' : 'server'}.allowedHosts`
       res.writeHead(403, {
         'Content-Type': 'text/plain',
       })
       res.end(
         `Blocked request. This host (${hostnameWithQuotes}) is not allowed.\n` +
-          `To allow this host, add ${hostnameWithQuotes} to \`server.allowedHosts\` in vite.config.js.`,
+          `To allow this host, add ${hostnameWithQuotes} to \`${optionName}\` in vite.config.js.`,
       )
       return
     }
diff --git a/packages/vite/src/node/server/ws.ts b/packages/vite/src/node/server/ws.ts
@@ -155,7 +155,7 @@ export function createWebSocketServer(
 
   const shouldHandle = (req: IncomingMessage) => {
     const hostHeader = req.headers.host
-    if (!hostHeader || !isHostAllowed(config, hostHeader)) {
+    if (!hostHeader || !isHostAllowed(config, false, hostHeader)) {
       return false
     }
 

Original file line number	Diff line number	Diff line change
`@@ -194,7 +194,7 @@ export async function preview(`
`194`	`194`	`const { allowedHosts } = config.preview`
`195`	`195`	`// no need to check for HTTPS as HTTPS is not vulnerable to DNS rebinding attacks`
`196`	`196`	`if (allowedHosts !== true && !config.preview.https) {`
`197`		`- app.use(hostCheckMiddleware(config))`
	`197`	`+ app.use(hostCheckMiddleware(config, true))`
`198`	`198`	`}`
`199`	`199`
`200`	`200`	`// proxy`
Original file line number	Diff line number	Diff line change
`@@ -858,7 +858,7 @@ export async function _createServer(`
`858`	`858`	`const { allowedHosts } = serverConfig`
`859`	`859`	`// no need to check for HTTPS as HTTPS is not vulnerable to DNS rebinding attacks`
`860`	`860`	`if (allowedHosts !== true && !serverConfig.https) {`
`861`		`- middlewares.use(hostCheckMiddleware(config))`
	`861`	`+ middlewares.use(hostCheckMiddleware(config, false))`
`862`	`862`	`}`
`863`	`863`
`864`	`864`	`middlewares.use(cachedTransformMiddleware(server))`
Original file line number	Diff line number	Diff line change
`@@ -155,7 +155,7 @@ export function createWebSocketServer(`
`155`	`155`
`156`	`156`	`const shouldHandle = (req: IncomingMessage) => {`
`157`	`157`	`const hostHeader = req.headers.host`
`158`		`- if (!hostHeader \|\| !isHostAllowed(config, hostHeader)) {`
	`158`	`+ if (!hostHeader \|\| !isHostAllowed(config, false, hostHeader)) {`
`159`	`159`	`return false`
`160`	`160`	`}`
`161`	`161`