Restrict access to .dev.vars files (#9513)

* Add failing tests

* Deny acceess to .dev.vars and .dev.vars.*

* Add changeset

Author: jamesopstad

.changeset/nasty-pots-cheat.md

@@ -0,0 +1,5 @@
+---
+"@cloudflare/vite-plugin": patch
+---
+
+Ensure that .dev.vars files cannot be accessed via the dev server or preview server.

packages/vite-plugin-cloudflare/playground/sensitive-files/.dev.vars

@@ -0,0 +1 @@
+DEV_VAR=dev-var

packages/vite-plugin-cloudflare/playground/sensitive-files/.dev.vars.staging

@@ -0,0 +1 @@
+STAGING_DEV_VAR=staging-dev-var

packages/vite-plugin-cloudflare/playground/sensitive-files/.env

@@ -0,0 +1 @@
+ENV_VAR=env-var

packages/vite-plugin-cloudflare/playground/sensitive-files/.env.staging

@@ -0,0 +1 @@
+STAGING_ENV_VAR=staging-env-var

packages/vite-plugin-cloudflare/playground/sensitive-files/.gitignore

@@ -0,0 +1,2 @@
+!.env*
+!.dev.vars*

packages/vite-plugin-cloudflare/playground/sensitive-files/__tests__/sensitive-files.spec.ts

@@ -0,0 +1,56 @@
+import { describe, expect, test } from "vitest";
+import { getResponse, getTextResponse, isBuild } from "../../__test-utils__";
+
+describe.skipIf(isBuild)("denies access to sensitive files in dev", () => {
+	test("denies access to .env", async () => {
+		const response = await getResponse("/.env");
+		expect(response.status()).toBe(403);
+	});
+
+	test("denies access to .env.*", async () => {
+		const response = await getResponse("/.env.staging");
+		expect(response.status()).toBe(403);
+	});
+
+	test("denies access to .dev.vars", async () => {
+		const response = await getResponse("/.dev.vars");
+		expect(response.status()).toBe(403);
+	});
+
+	test("denies access to .dev.vars.*", async () => {
+		const response = await getResponse("/.dev.vars.staging");
+		expect(response.status()).toBe(403);
+	});
+
+	test("denies access to custom-sensitive-file", async () => {
+		const response = await getResponse("/custom-sensitive-file");
+		expect(response.status()).toBe(403);
+	});
+});
+
+describe.runIf(isBuild)("doesn't serve sensitive files in preview", () => {
+	test("doesn't serve .env", async () => {
+		const response = await getTextResponse("/.env");
+		expect(response).toBe("Worker response");
+	});
+
+	test("doesn't serve .env.*", async () => {
+		const response = await getTextResponse("/.env.staging");
+		expect(response).toBe("Worker response");
+	});
+
+	test("doesn't serve .dev.vars", async () => {
+		const response = await getTextResponse("/.dev.vars");
+		expect(response).toBe("Worker response");
+	});
+
+	test("doesn't serve .dev.vars.*", async () => {
+		const response = await getTextResponse("/.dev.vars.staging");
+		expect(response).toBe("Worker response");
+	});
+
+	test("doesn't serve custom-sensitive-file", async () => {
+		const response = await getTextResponse("/custom-sensitive-file");
+		expect(response).toBe("Worker response");
+	});
+});

packages/vite-plugin-cloudflare/playground/sensitive-files/custom-sensitive-file

@@ -0,0 +1 @@
+Sensitive content

packages/vite-plugin-cloudflare/playground/sensitive-files/package.json

@@ -0,0 +1,19 @@
+{
+	"name": "@playground/sensitive-files",
+	"private": true,
+	"type": "module",
+	"scripts": {
+		"build": "vite build",
+		"check:types": "tsc --build",
+		"dev": "vite dev",
+		"preview": "vite preview"
+	},
+	"devDependencies": {
+		"@cloudflare/vite-plugin": "workspace:*",
+		"@cloudflare/workers-tsconfig": "workspace:*",
+		"@cloudflare/workers-types": "^4.20250604.0",
+		"typescript": "catalog:default",
+		"vite": "catalog:vite-plugin",
+		"wrangler": "workspace:*"
+	}
+}

packages/vite-plugin-cloudflare/playground/sensitive-files/src/index.ts

@@ -0,0 +1,5 @@
+export default {
+	async fetch() {
+		return new Response("Worker response");
+	},
+} satisfies ExportedHandler;