refactor: use hostValidationMiddleware (#20019)

Author: sapphi-red

packages/vite/LICENSE.md

@@ -1164,6 +1164,35 @@ Repository: gulpjs/glob-parent
 
 ---------------------------------------
 
+## host-validation-middleware
+License: MIT
+By: sapphi-red
+Repository: git+https://github.com/sapphi-red/host-validation-middleware.git
+
+> MIT License
+> 
+> Copyright (c) 2025 sapphi-red
+> 
+> Permission is hereby granted, free of charge, to any person obtaining a copy
+> of this software and associated documentation files (the "Software"), to deal
+> in the Software without restriction, including without limitation the rights
+> to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+> copies of the Software, and to permit persons to whom the Software is
+> furnished to do so, subject to the following conditions:
+> 
+> The above copyright notice and this permission notice shall be included in all
+> copies or substantial portions of the Software.
+> 
+> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+> IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+> FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+> AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+> LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+> OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+> SOFTWARE.
+
+---------------------------------------
+
 ## http-proxy
 License: MIT
 By: Charlie Robbins, jcrugzz <jcrugzz@gmail.com>

packages/vite/package.json

@@ -120,6 +120,7 @@
  "escape-html": "^1.0.3",
  "estree-walker": "^3.0.3",
  "etag": "^1.8.1",
+ "host-validation-middleware": "^0.1.1",
  "http-proxy": "^1.18.1",
  "launch-editor-middleware": "^2.10.0",
  "lightningcss": "^1.30.0",

packages/vite/src/node/config.ts

@@ -630,8 +630,6 @@ export interface ResolvedConfig
  /** @internal */
  safeModulePaths: Set<string>
  /** @internal */
- additionalAllowedHosts: string[]
- /** @internal */
  [SYMBOL_RESOLVED_CONFIG]: true
  } & PluginHookUtils
  > {}
@@ -1452,6 +1450,14 @@ export async function resolveConfig(
 
  const preview = resolvePreviewOptions(config.preview, server)
 
+ const additionalAllowedHosts = getAdditionalAllowedHosts(server, preview)
+ if (Array.isArray(server.allowedHosts)) {
+ server.allowedHosts.push(...additionalAllowedHosts)
+ }
+ if (Array.isArray(preview.allowedHosts)) {
+ preview.allowedHosts.push(...additionalAllowedHosts)
+ }
+
  resolved = {
  configFile: configFile ? normalizePath(configFile) : undefined,
  configFileDependencies: configFileDependencies.map((name) =>
@@ -1554,7 +1560,6 @@ export async function resolveConfig(
  },
  ),
  safeModulePaths: new Set<string>(),
- additionalAllowedHosts: getAdditionalAllowedHosts(server, preview),
  [SYMBOL_RESOLVED_CONFIG]: true,
  }
  resolved = {

packages/vite/src/node/preview.ts

@@ -39,7 +39,7 @@ import { resolveConfig } from './config'
 import type { InlineConfig, ResolvedConfig } from './config'
 import { DEFAULT_PREVIEW_PORT } from './constants'
 import type { RequiredExceptFor } from './typeUtils'
-import { hostCheckMiddleware } from './server/middlewares/hostCheck'
+import { hostValidationMiddleware } from './server/middlewares/hostCheck'
 
 export interface PreviewOptions extends CommonServerOptions {}
 
@@ -206,7 +206,7 @@ export async function preview(
  const { allowedHosts } = config.preview
  // no need to check for HTTPS as HTTPS is not vulnerable to DNS rebinding attacks
  if (allowedHosts !== true && !config.preview.https) {
- app.use(hostCheckMiddleware(config, true))
+ app.use(hostValidationMiddleware(allowedHosts, true))
  }
 
  // proxy

packages/vite/src/node/server/index.ts

@@ -98,7 +98,7 @@ import type { TransformOptions, TransformResult } from './transformRequest'
 import { transformRequest } from './transformRequest'
 import { searchForPackageRoot, searchForWorkspaceRoot } from './searchRoot'
 import type { DevEnvironment } from './environment'
-import { hostCheckMiddleware } from './middlewares/hostCheck'
+import { hostValidationMiddleware } from './middlewares/hostCheck'
 import { rejectInvalidRequestMiddleware } from './middlewares/rejectInvalidRequest'
 
 const usedConfigs = new WeakSet<ResolvedConfig>()
@@ -879,7 +879,7 @@ export async function _createServer(
  const { allowedHosts } = serverConfig
  // no need to check for HTTPS as HTTPS is not vulnerable to DNS rebinding attacks
  if (allowedHosts !== true && !serverConfig.https) {
- middlewares.use(hostCheckMiddleware(config, false))
+ middlewares.use(hostValidationMiddleware(allowedHosts, false))
  }
 
  middlewares.use(cachedTransformMiddleware(server))

packages/vite/src/node/server/middlewares/__tests__/hostCheck.spec.ts

@@ -1,8 +1,5 @@
-import { describe, expect, test } from 'vitest'
-import {
- getAdditionalAllowedHosts,
- isHostAllowedWithoutCache,
-} from '../hostCheck'
+import { expect, test } from 'vitest'
+import { getAdditionalAllowedHosts } from '../hostCheck'
 
 test('getAdditionalAllowedHosts', async () => {
  const actual = getAdditionalAllowedHosts(
@@ -26,87 +23,3 @@ test('getAdditionalAllowedHosts', async () => {
  ].sort(),
  )
 })
-
-describe('isHostAllowedWithoutCache', () => {
- const allowCases = {
- 'IP address': [
- '192.168.0.0',
- '[::1]',
- '127.0.0.1:5173',
- '[2001:db8:0:0:1:0:0:1]:5173',
- ],
- localhost: [
- 'localhost',
- 'localhost:5173',
- 'foo.localhost',
- 'foo.bar.localhost',
- ],
- specialProtocols: [
- // for electron browser window (https://github.com/webpack/webpack-dev-server/issues/3821)
- 'file:///path/to/file.html',
- // for browser extensions (https://github.com/webpack/webpack-dev-server/issues/3807)
- 'chrome-extension://foo',
- ],
- }
-
- const disallowCases = {
- 'IP address': ['255.255.255.256', '[:', '[::z]'],
- localhost: ['localhos', 'localhost.foo'],
- specialProtocols: ['mailto:foo@bar.com'],
- others: [''],
- }
-
- for (const [name, inputList] of Object.entries(allowCases)) {
- test.each(inputList)(`allows ${name} (%s)`, (input) => {
- const actual = isHostAllowedWithoutCache([], [], input)
- expect(actual).toBe(true)
- })
- }
-
- for (const [name, inputList] of Object.entries(disallowCases)) {
- test.each(inputList)(`disallows ${name} (%s)`, (input) => {
- const actual = isHostAllowedWithoutCache([], [], input)
- expect(actual).toBe(false)
- })
- }
-
- test('allows additionalAlloweHosts option', () => {
- const additionalAllowedHosts = ['vite.example.com']
- const actual = isHostAllowedWithoutCache(
- [],
- additionalAllowedHosts,
- 'vite.example.com',
- )
- expect(actual).toBe(true)
- })
-
- test('allows single allowedHosts', () => {
- const cases = {
- allowed: ['example.com'],
- disallowed: ['vite.dev'],
- }
- for (const c of cases.allowed) {
- const actual = isHostAllowedWithoutCache(['example.com'], [], c)
- expect(actual, c).toBe(true)
- }
- for (const c of cases.disallowed) {
- const actual = isHostAllowedWithoutCache(['example.com'], [], c)
- expect(actual, c).toBe(false)
- }
- })
-
- test('allows all subdomain allowedHosts', () => {
- const cases = {
- allowed: ['example.com', 'foo.example.com', 'foo.bar.example.com'],
- disallowed: ['vite.dev'],
- }
- for (const c of cases.allowed) {
- const actual = isHostAllowedWithoutCache(['.example.com'], [], c)
- expect(actual, c).toBe(true)
- }
- for (const c of cases.disallowed) {
- const actual = isHostAllowedWithoutCache(['.example.com'], [], c)
- expect(actual, c).toBe(false)
- }
- })
-})

packages/vite/src/node/server/middlewares/hostCheck.ts

@@ -1,13 +1,7 @@
-import net from 'node:net'
 import type { Connect } from 'dep-types/connect'
-import type { ResolvedConfig } from '../../config'
+import { hostValidationMiddleware as originalHostValidationMiddleware } from 'host-validation-middleware'
 import type { ResolvedPreviewOptions, ResolvedServerOptions } from '../..'
 
-const allowedHostsServerCache = new WeakMap<ResolvedConfig, Set<string>>()
-const allowedHostsPreviewCache = new WeakMap<ResolvedConfig, Set<string>>()
-
-const isFileOrExtensionProtocolRE = /^(?:file|.+-extension):/i
-
 export function getAdditionalAllowedHosts(
  resolvedServerOptions: Pick<ResolvedServerOptions, 'host' | 'hmr' | 'origin'>,
  resolvedPreviewOptions: Pick<ResolvedPreviewOptions, 'host'>,
@@ -49,132 +43,20 @@ export function getAdditionalAllowedHosts(
  return list
 }
 
-// Based on webpack-dev-server's `checkHeader` function: https://github.com/webpack/webpack-dev-server/blob/v5.2.0/lib/Server.js#L3086
-// https://github.com/webpack/webpack-dev-server/blob/v5.2.0/LICENSE
-export function isHostAllowedWithoutCache(
+export function hostValidationMiddleware(
  allowedHosts: string[],
- additionalAllowedHosts: string[],
- host: string,
-): boolean {
- if (isFileOrExtensionProtocolRE.test(host)) {
- return true
- }
-
- // We don't care about malformed Host headers,
- // because we only need to consider browser requests.
- // Non-browser clients can send any value they want anyway.
- //
- // `Host = uri-host [ ":" port ]`
- const trimmedHost = host.trim()
-
- // IPv6
- if (trimmedHost[0] === '[') {
- const endIpv6 = trimmedHost.indexOf(']')
- if (endIpv6 < 0) {
- return false
- }
- // DNS rebinding attacks does not happen with IP addresses
- return net.isIP(trimmedHost.slice(1, endIpv6)) === 6
- }
-
- // uri-host does not include ":" unless IPv6 address
- const colonPos = trimmedHost.indexOf(':')
- const hostname =
- colonPos === -1 ? trimmedHost : trimmedHost.slice(0, colonPos)
-
- // DNS rebinding attacks does not happen with IP addresses
- if (net.isIP(hostname) === 4) {
- return true
- }
-
- // allow localhost and .localhost by default as they always resolve to the loopback address
- // https://datatracker.ietf.org/doc/html/rfc6761#section-6.3
- if (hostname === 'localhost' || hostname.endsWith('.localhost')) {
- return true
- }
-
- for (const additionalAllowedHost of additionalAllowedHosts) {
- if (additionalAllowedHost === hostname) {
- return true
- }
- }
-
- for (const allowedHost of allowedHosts) {
- if (allowedHost === hostname) {
- return true
- }
-
- // allow all subdomains of it
- // e.g. `.foo.example` will allow `foo.example`, `*.foo.example`, `*.*.foo.example`, etc
- if (
- allowedHost[0] === '.' &&
- (allowedHost.slice(1) === hostname || hostname.endsWith(allowedHost))
- ) {
- return true
- }
- }
-
- return false
-}
-
-/**
- * @param config resolved config
- * @param isPreview whether it's for the preview server or not
- * @param host the value of host header. See [RFC 9110 7.2](https://datatracker.ietf.org/doc/html/rfc9110#name-host-and-authority).
- */
-export function isHostAllowed(
- config: ResolvedConfig,
- isPreview: boolean,
- host: string,
-): boolean {
- const allowedHosts = isPreview
- ? config.preview.allowedHosts
- : config.server.allowedHosts
- if (allowedHosts === true) {
- return true
- }
-
- const cache = isPreview ? allowedHostsPreviewCache : allowedHostsServerCache
- if (!cache.has(config)) {
- cache.set(config, new Set())
- }
-
- const cachedAllowedHosts = cache.get(config)!
- if (cachedAllowedHosts.has(host)) {
- return true
- }
-
- const result = isHostAllowedWithoutCache(
- allowedHosts,
- config.additionalAllowedHosts,
- host,
- )
- if (result) {
- cachedAllowedHosts.add(host)
- }
- return result
-}
-
-export function hostCheckMiddleware(
- config: ResolvedConfig,
  isPreview: boolean,
 ): Connect.NextHandleFunction {
- // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
- return function viteHostCheckMiddleware(req, res, next) {
- const hostHeader = req.headers.host
- if (!hostHeader || !isHostAllowed(config, isPreview, hostHeader)) {
- const hostname = hostHeader?.replace(/:\d+$/, '')
+ return originalHostValidationMiddleware({
+ // Freeze the array to allow caching
+ allowedHosts: Object.freeze([...allowedHosts]),
+ generateErrorMessage(hostname) {
  const hostnameWithQuotes = JSON.stringify(hostname)
  const optionName = `${isPreview ? 'preview' : 'server'}.allowedHosts`
- res.writeHead(403, {
- 'Content-Type': 'text/plain',
- })
- res.end(
+ return (
  `Blocked request. This host (${hostnameWithQuotes}) is not allowed.\n` +
-  `To allow this host, add ${hostnameWithQuotes} to \`${optionName}\` in vite.config.js.`,
+ `To allow this host, add ${hostnameWithQuotes} to \`${optionName}\` in vite.config.js.`
  )
- return
- }
- return next()
- }
+ },
+ })
 }