From ed9aeba212df04b83ed01810780663ff2cdd0adf Mon Sep 17 00:00:00 2001 From: Hiroshi Ogawa Date: Thu, 23 Jan 2025 15:40:46 +0900 Subject: [PATCH] fix(browser): restrict served files from `/__screenshot-error` (#7340) --- packages/browser/src/node/plugin.ts | 10 +++++++++- packages/ui/client/components/views/ViewReport.vue | 4 ++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/packages/browser/src/node/plugin.ts b/packages/browser/src/node/plugin.ts index 4041e7034cef..74e03f639405 100644 --- a/packages/browser/src/node/plugin.ts +++ b/packages/browser/src/node/plugin.ts @@ -93,7 +93,15 @@ export default (parentServer: ParentBrowserProject, base = '/'): Plugin[] => { } const url = new URL(req.url, 'http://localhost') - const file = url.searchParams.get('file') + const id = url.searchParams.get('id') + if (!id) { + res.statusCode = 404 + res.end() + return + } + + const task = parentServer.vitest.state.idMap.get(id) + const file = task?.meta.failScreenshotPath if (!file) { res.statusCode = 404 res.end() diff --git a/packages/ui/client/components/views/ViewReport.vue b/packages/ui/client/components/views/ViewReport.vue index 60f1db5e0f7e..6b4b27746b49 100644 --- a/packages/ui/client/components/views/ViewReport.vue +++ b/packages/ui/client/components/views/ViewReport.vue @@ -116,11 +116,11 @@ const showScreenshot = ref(false) const timestamp = ref(Date.now()) const currentTask = ref() const currentScreenshotUrl = computed(() => { - const file = currentTask.value?.meta.failScreenshotPath + const id = currentTask.value?.id // force refresh const t = timestamp.value // browser plugin using /, change this if base can be modified - return file ? `/__screenshot-error?file=${encodeURIComponent(file)}&t=${t}` : undefined + return id ? `/__screenshot-error?id=${encodeURIComponent(id)}&t=${t}` : undefined }) function showScreenshotModal(task: Task) {