fix(rsc): validate findSourceMapURL request (#1024)

Author: hi-ogawa

packages/plugin-rsc/e2e/basic.test.ts

@@ -20,6 +20,17 @@ import path from 'node:path'
 test.describe('dev-default', () => {
   const f = useFixture({ root: 'examples/basic', mode: 'dev' })
   defineTest(f)
+
+  test('validate findSourceMapURL', async () => {
+    const requestUrl = new URL(f.url('__vite_rsc_findSourceMapURL'))
+    requestUrl.searchParams.set(
+      'filename',
+      new URL('../examples/basic/.env', import.meta.url).href,
+    )
+    requestUrl.searchParams.set('environmentName', 'Server')
+    const response = await fetch(requestUrl)
+    expect(response.status).toBe(404)
+  })
 })
 
 test.describe('dev-initial', () => {

packages/plugin-rsc/examples/basic/.env

@@ -0,0 +1 @@
+TEST_ENV=ok

packages/plugin-rsc/src/plugins/find-source-map-url.ts

@@ -1,5 +1,10 @@
 import { fileURLToPath } from 'node:url'
-import type { EnvironmentModuleNode, Plugin, ViteDevServer } from 'vite'
+import {
+  isFileLoadingAllowed,
+  type EnvironmentModuleNode,
+  type Plugin,
+  type ViteDevServer,
+} from 'vite'
 import fs from 'node:fs'
 
 //
@@ -48,7 +53,10 @@ async function findSourceMapURL(
   // this is likely server external (i.e. outside of Vite processing)
   if (filename.startsWith('file://')) {
     filename = fileURLToPath(filename)
-    if (fs.existsSync(filename)) {
+    if (
+      isFileLoadingAllowed(server.config, filename) &&
+      fs.existsSync(filename)
+    ) {
       // line-by-line identity source map
       const content = fs.readFileSync(filename, 'utf-8')
       return {