feat(api): add allowWrite and allowExec options to api (#9350)

Author: sheremet-va

.github/workflows/ci.yml

@@ -120,9 +120,6 @@ jobs:
       - name: Test Examples
         run: pnpm run test:examples
 
-      - name: Unit Test UI
-        run: pnpm run -C packages/ui test:ui
-
       - uses: actions/upload-artifact@v6
         if: ${{ !cancelled() }}
         with:

docs/api/browser/commands.md

@@ -17,6 +17,8 @@ By default, Vitest uses `utf-8` encoding but you can override it with options.
 
 ::: tip
 This API follows [`server.fs`](https://vitejs.dev/config/server-options.html#server-fs-allow) limitations for security reasons.
+
+If [`browser.api.allowWrite`](/config/browser/api) or [`api.allowWrite`](/config/api#api-allowwrite) are disabled, `writeFile` and `removeFile` functions won't do anything.
 :::
 
 ```ts

docs/api/browser/locators.md

@@ -7,7 +7,7 @@ outline: [2, 3]
 
 A locator is a representation of an element or a number of elements. Every locator is defined by a string called a selector. Vitest abstracts this selector by providing convenient methods that generate them behind the scenes.
 
-The locator API uses a fork of [Playwright's locators](https://playwright.dev/docs/api/class-locator) called [Ivya](https://npmjs.com/ivya). However, Vitest provides this API to every [provider](/config/browser#browser-provider), not just playwright.
+The locator API uses a fork of [Playwright's locators](https://playwright.dev/docs/api/class-locator) called [Ivya](https://npmjs.com/ivya). However, Vitest provides this API to every [provider](/config/browser/provider), not just playwright.
 
 ::: tip
 This page covers API usage. To better understand locators and their usage, read [Playwright's "Locators" documentation](https://playwright.dev/docs/locators).

docs/config/api.md

@@ -5,8 +5,28 @@ outline: deep
 
 # api
 
-- **Type:** `boolean | number`
+- **Type:** `boolean | number | object`
 - **Default:** `false`
 - **CLI:** `--api`, `--api.port`, `--api.host`, `--api.strictPort`
 
 Listen to port and serve API for [the UI](/guide/ui) or [browser server](/guide/browser/). When set to `true`, the default port is `51204`.
+
+## api.allowWrite <Version>4.1.0</Version> {#api-allowwrite}
+
+- **Type:** `boolean`
+- **Default:** `true` if not exposed to the network, `false` otherwise
+
+Vitest server can save test files or snapshot files via the API. This allows anyone who can connect to the API the ability to run any arbitary code on your machine.
+
+::: danger SECURITY ADVICE
+Vitest does not expose the API to the internet by default and only listens on `localhost`. However if `host` is manually exposed to the network, anyone who connects to it can run arbitrary code on your machine, unless `api.allowWrite` and `api.allowExec` are set to `false`.
+
+If the host is set to anything other than `localhost` or `127.0.0.1`, Vitest will set `api.allowWrite` and `api.allowExec` to `false` by default. This means that any write operations (like changing the code in the UI) will not work. However, if you understand the security implications, you can override them.
+:::
+
+## api.allowExec <Version>4.1.0</Version> {#api-allowexec}
+
+- **Type:** `boolean`
+- **Default:** `true` if not exposed to the network, `false` otherwise
+
+Allows running any test file via the API. See the security advice in [`api.allowWrite`](#api-allowwrite).