vitejs
diff --git a/‎packages/vite/src/node/server/middlewares/transform.ts‎
Lines changed: 13 additions & 2 deletions b/‎packages/vite/src/node/server/middlewares/transform.ts‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎playground/fs-serve/__tests__/fs-serve.spec.ts‎
Lines changed: 14 additions & 0 deletions b/‎playground/fs-serve/__tests__/fs-serve.spec.ts‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎playground/fs-serve/root/src/index.html‎
Lines changed: 38 additions & 0 deletions b/‎playground/fs-serve/root/src/index.html‎
Lines changed: 38 additions & 0 deletions
@@ -43,6 +43,7 @@ import { ensureServingAccess } from './static'
 const debugCache = createDebugger('vite:cache')
 
 const knownIgnoreList = new Set(['/', '/favicon.ico'])
+const trailingQuerySeparatorsRE = /[?&]+$/
 
 /**
  * A middleware that short-circuits the middleware chain to serve cached transformed modules
@@ -169,9 +170,19 @@ export function transformMiddleware(
  warnAboutExplicitPublicPathInUrl(url)
  }
 
+ const urlWithoutTrailingQuerySeparators = url.replace(
+ trailingQuerySeparatorsRE,
+ '',
+ )
  if (
- (rawRE.test(url) || urlRE.test(url)) &&
- !ensureServingAccess(url, server, res, next)
+ (rawRE.test(urlWithoutTrailingQuerySeparators) ||
+ urlRE.test(urlWithoutTrailingQuerySeparators)) &&
+ !ensureServingAccess(
+ urlWithoutTrailingQuerySeparators,
+ server,
+ res,
+ next,
+ )
  ) {
  return
  }
 
@@ -96,6 +96,20 @@ describe.runIf(isServe)('main', () => {
  expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403')
  })
 
+ test('unsafe fs fetch query 1', async () => {
+ expect(await page.textContent('.unsafe-fs-fetch-raw-query1')).toBe('')
+ expect(await page.textContent('.unsafe-fs-fetch-raw-query1-status')).toBe(
+ '403',
+ )
+ })
+
+ test('unsafe fs fetch query 2', async () => {
+ expect(await page.textContent('.unsafe-fs-fetch-raw-query2')).toBe('')
+ expect(await page.textContent('.unsafe-fs-fetch-raw-query2-status')).toBe(
+ '403',
+ )
+ })
+
  test('unsafe fs fetch with special characters (#8498)', async () => {
  expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
  expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')
 
@@ -37,6 +37,10 @@ <h2>Unsafe /@fs/ Fetch</h2>
 <pre class="unsafe-fs-fetch"></pre>
 <pre class="unsafe-fs-fetch-raw-status"></pre>
 <pre class="unsafe-fs-fetch-raw"></pre>
+<pre class="unsafe-fs-fetch-raw-query1-status"></pre>
+<pre class="unsafe-fs-fetch-raw-query1"></pre>
+<pre class="unsafe-fs-fetch-raw-query2-status"></pre>
+<pre class="unsafe-fs-fetch-raw-query2"></pre>
 <pre class="unsafe-fs-fetch-8498-status"></pre>
 <pre class="unsafe-fs-fetch-8498"></pre>
 <pre class="unsafe-fs-fetch-8498-2-status"></pre>
@@ -209,6 +213,40 @@ <h2>Denied</h2>
  console.error(e)
  })
 
+ fetch(
+ joinUrlSegments(
+ base,
+ joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw??',
+ ),
+ )
+ .then((r) => {
+ text('.unsafe-fs-fetch-raw-query1-status', r.status)
+ return r.json()
+ })
+ .then((data) => {
+ text('.unsafe-fs-fetch-raw-query1', JSON.stringify(data))
+ })
+ .catch((e) => {
+ console.error(e)
+ })
+
+ fetch(
+ joinUrlSegments(
+ base,
+ joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw?&',
+ ),
+ )
+ .then((r) => {
+ text('.unsafe-fs-fetch-raw-query2-status', r.status)
+ return r.json()
+ })
+ .then((data) => {
+ text('.unsafe-fs-fetch-raw-query2', JSON.stringify(data))
+ })
+ .catch((e) => {
+ console.error(e)
+ })
+
  // outside root with special characters #8498
  fetch(
  joinUrlSegments(