fix(dev): prevent extraneous file requests (#15279)

Author: ematipico

.changeset/fix-serve-files-outside-srcdir.md

@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Fixes an issue where the dev server would serve files like `/README.md` from the project root when they shouldn't be accessible. A new route guard middleware now blocks direct URL access to files that exist outside of `srcDir` and `publicDir`, returning a 404 instead.

packages/astro/src/vite-plugin-astro-server/plugin.ts

@@ -29,6 +29,7 @@ import { baseMiddleware } from './base.js';
 import { createController } from './controller.js';
 import { recordServerError } from './error.js';
 import { setRouteError } from './server-state.js';
+import { routeGuardMiddleware } from './route-guard.js';
 import { trailingSlashMiddleware } from './trailing-slash.js';
 import { sessionConfigToManifest } from '../core/session/utils.js';
 
@@ -98,6 +99,11 @@ export default function createVitePluginAstroServer({
 					route: '',
 					handle: trailingSlashMiddleware(settings),
 				});
+				// Prevent serving files outside srcDir/publicDir (e.g., /README.md at project root)
+				viteServer.middlewares.stack.unshift({
+					route: '',
+					handle: routeGuardMiddleware(settings),
+				});
 
 				// Note that this function has a name so other middleware can find it.
 				viteServer.middlewares.use(async function astroDevHandler(request, response) {

packages/astro/src/vite-plugin-astro-server/route-guard.ts

@@ -0,0 +1,82 @@
+import * as fs from 'node:fs';
+import type * as vite from 'vite';
+import type { AstroSettings } from '../types/astro.js';
+import { notFoundTemplate } from '../template/4xx.js';
+import { writeHtmlResponse } from './response.js';
+
+// Vite internal prefixes that should always be allowed through
+const VITE_INTERNAL_PREFIXES = [
+	'/@vite/',
+	'/@fs/',
+	'/@id/',
+	'/__vite',
+	'/@react-refresh',
+	'/node_modules/',
+	'/.astro/',
+];
+
+/**
+ * Middleware that prevents Vite from serving files that exist outside
+ * of srcDir and publicDir when accessed via direct URL navigation.
+ *
+ * This fixes the issue where files like /README.md are served
+ * when they exist at the project root but aren't part of Astro's routing.
+ */
+export function routeGuardMiddleware(settings: AstroSettings): vite.Connect.NextHandleFunction {
+	const { config } = settings;
+
+	return function devRouteGuard(req, res, next) {
+		const url = req.url;
+		if (!url) {
+			return next();
+		}
+
+		// Only intercept requests that look like browser navigation (HTML requests)
+		// Let all other requests through (JS modules, assets, Vite transforms, etc.)
+		const accept = req.headers.accept || '';
+		if (!accept.includes('text/html')) {
+			return next();
+		}
+
+		let pathname: string;
+		try {
+			pathname = decodeURI(new URL(url, 'http://localhost').pathname);
+		} catch {
+			// Malformed URI, let other middleware handle it
+			return next();
+		}
+
+		// Always allow Vite internal paths through
+		if (VITE_INTERNAL_PREFIXES.some((prefix) => pathname.startsWith(prefix))) {
+			return next();
+		}
+
+		// Always allow requests with query params (Vite transform requests like ?url, ?raw)
+		if (url.includes('?')) {
+			return next();
+		}
+
+		// Check if the file exists in publicDir - allow if so
+		const publicFilePath = new URL('.' + pathname, config.publicDir);
+		if (fs.existsSync(publicFilePath)) {
+			return next();
+		}
+
+		// Check if the file exists in srcDir - allow if so (potential route)
+		const srcFilePath = new URL('.' + pathname, config.srcDir);
+		if (fs.existsSync(srcFilePath)) {
+			return next();
+		}
+
+		// Check if the file exists at project root (outside srcDir/publicDir)
+		const rootFilePath = new URL('.' + pathname, config.root);
+		if (fs.existsSync(rootFilePath)) {
+			// File exists at root but not in srcDir or publicDir - block it
+			const html = notFoundTemplate(pathname);
+			return writeHtmlResponse(res, 404, html);
+		}
+
+		// File doesn't exist anywhere, let other middleware handle it
+		return next();
+	};
+}

packages/astro/test/fixtures/route-guard/LICENSE

@@ -0,0 +1 @@
+MIT License - This file should NOT be accessible via /LICENSE

packages/astro/test/fixtures/route-guard/README.md

@@ -0,0 +1,3 @@
+# Test README
+
+This file should NOT be accessible via /README.md

packages/astro/test/fixtures/route-guard/config.json

@@ -0,0 +1,3 @@
+{
+  "secret": "this-should-not-be-served"
+}

packages/astro/test/fixtures/route-guard/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "@test/route-guard",
+  "version": "0.0.0",
+  "private": true,
+  "dependencies": {
+    "astro": "workspace:*"
+  }
+}

packages/astro/test/fixtures/route-guard/public/robots.txt

@@ -0,0 +1,2 @@
+User-agent: *
+Allow: /

packages/astro/test/fixtures/route-guard/src/pages/about.md

@@ -0,0 +1,5 @@
+---
+---
+# About Page
+
+This is a valid markdown page.

packages/astro/test/fixtures/route-guard/src/pages/index.astro

@@ -0,0 +1,6 @@
+---
+---
+<html>
+  <head><title>Home</title></head>
+  <body><h1>Home Page</h1></body>
+</html>