fastify
Advanced tools
Comparing version 3.29.2 to 3.29.3
'use strict' | ||
const VERSION = '3.29.2' | ||
const VERSION = '3.29.3' | ||
@@ -5,0 +5,0 @@ const Avvio = require('avvio') |
@@ -35,5 +35,6 @@ 'use strict' | ||
this[kDefaultJsonParse] = getDefaultJsonParser(onProtoPoisoning, onConstructorPoisoning) | ||
this.customParsers = {} | ||
this.customParsers['application/json'] = new Parser(true, false, bodyLimit, this[kDefaultJsonParse]) | ||
this.customParsers['text/plain'] = new Parser(true, false, bodyLimit, defaultPlainTextParser) | ||
// using a map instead of a plain object to avoid prototype hijack attacks | ||
this.customParsers = new Map() | ||
this.customParsers.set('application/json', new Parser(true, false, bodyLimit, this[kDefaultJsonParse])) | ||
this.customParsers.set('text/plain', new Parser(true, false, bodyLimit, defaultPlainTextParser)) | ||
this.parserList = ['application/json', 'text/plain'] | ||
@@ -69,3 +70,3 @@ this.parserRegExpList = [] | ||
if (contentTypeIsString && contentType === '*') { | ||
this.customParsers[''] = parser | ||
this.customParsers.set('', parser) | ||
} else { | ||
@@ -77,3 +78,3 @@ if (contentTypeIsString) { | ||
} | ||
this.customParsers[contentType] = parser | ||
this.customParsers.set(contentType.toString(), parser) | ||
} | ||
@@ -83,22 +84,26 @@ } | ||
ContentTypeParser.prototype.hasParser = function (contentType) { | ||
return contentType in this.customParsers | ||
return this.customParsers.has(typeof contentType === 'string' ? contentType : contentType.toString()) | ||
} | ||
ContentTypeParser.prototype.existingParser = function (contentType) { | ||
if (contentType === 'application/json') { | ||
return this.customParsers['application/json'] && this.customParsers['application/json'].fn !== this[kDefaultJsonParse] | ||
if (contentType === 'application/json' && this.customParsers.has(contentType)) { | ||
return this.customParsers.get(contentType).fn !== this[kDefaultJsonParse] | ||
} | ||
if (contentType === 'text/plain') { | ||
return this.customParsers['text/plain'] && this.customParsers['text/plain'].fn !== defaultPlainTextParser | ||
if (contentType === 'text/plain' && this.customParsers.has(contentType)) { | ||
return this.customParsers.get(contentType).fn !== defaultPlainTextParser | ||
} | ||
return contentType in this.customParsers | ||
return this.hasParser(contentType) | ||
} | ||
ContentTypeParser.prototype.getParser = function (contentType) { | ||
if (this.hasParser(contentType)) { | ||
return this.customParsers.get(contentType) | ||
} | ||
// eslint-disable-next-line no-var | ||
for (var i = 0; i !== this.parserList.length; ++i) { | ||
const parserName = this.parserList[i] | ||
if (contentType.indexOf(parserName) > -1) { | ||
const parser = this.customParsers[parserName] | ||
if (contentType.indexOf(parserName) !== -1) { | ||
const parser = this.customParsers.get(parserName) | ||
this.cache.set(contentType, parser) | ||
@@ -113,3 +118,3 @@ return parser | ||
if (parserRegExp.test(contentType)) { | ||
const parser = this.customParsers[parserRegExp] | ||
const parser = this.customParsers.get(parserRegExp.toString()) | ||
this.cache.set(contentType, parser) | ||
@@ -120,7 +125,7 @@ return parser | ||
return this.customParsers[''] | ||
return this.customParsers.get('') | ||
} | ||
ContentTypeParser.prototype.removeAll = function () { | ||
this.customParsers = {} | ||
this.customParsers = new Map() | ||
this.parserRegExpList = [] | ||
@@ -134,3 +139,3 @@ this.parserList = [] | ||
delete this.customParsers[contentType] | ||
this.customParsers.delete(contentType.toString()) | ||
@@ -300,3 +305,3 @@ const parsers = typeof contentType === 'string' ? this.parserList : this.parserRegExpList | ||
contentTypeParser[kDefaultJsonParse] = c[kDefaultJsonParse] | ||
Object.assign(contentTypeParser.customParsers, c.customParsers) | ||
contentTypeParser.customParsers = new Map(c.customParsers.entries()) | ||
contentTypeParser.parserList = c.parserList.slice() | ||
@@ -303,0 +308,0 @@ return contentTypeParser |
{ | ||
"name": "fastify", | ||
"version": "3.29.2", | ||
"version": "3.29.3", | ||
"description": "Fast and low overhead web framework, for Node.js", | ||
@@ -5,0 +5,0 @@ "main": "fastify.js", |
@@ -184,3 +184,3 @@ 'use strict' | ||
contentTypeParser.add('*', {}, first) | ||
t.equal(contentTypeParser.customParsers[''].fn, first) | ||
t.equal(contentTypeParser.customParsers.get('').fn, first) | ||
}) | ||
@@ -243,3 +243,3 @@ | ||
t.same(Object.keys(contentTypeParser.customParsers).length, 2) | ||
t.same(contentTypeParser.customParsers.size, 2) | ||
}) | ||
@@ -267,1 +267,67 @@ | ||
}) | ||
test('Safeguard against malicious content-type / 1', async t => { | ||
const badNames = Object.getOwnPropertyNames({}.__proto__) // eslint-disable-line | ||
t.plan(badNames.length) | ||
const fastify = Fastify() | ||
fastify.post('/', async () => { | ||
return 'ok' | ||
}) | ||
for (const prop of badNames) { | ||
const response = await fastify.inject({ | ||
method: 'POST', | ||
path: '/', | ||
headers: { | ||
'content-type': prop | ||
}, | ||
body: '' | ||
}) | ||
t.same(response.statusCode, 415) | ||
} | ||
}) | ||
test('Safeguard against malicious content-type / 2', async t => { | ||
t.plan(1) | ||
const fastify = Fastify() | ||
fastify.post('/', async () => { | ||
return 'ok' | ||
}) | ||
const response = await fastify.inject({ | ||
method: 'POST', | ||
path: '/', | ||
headers: { | ||
'content-type': '\\u0063\\u006fnstructor' | ||
}, | ||
body: '' | ||
}) | ||
t.same(response.statusCode, 415) | ||
}) | ||
test('Safeguard against malicious content-type / 3', async t => { | ||
t.plan(1) | ||
const fastify = Fastify() | ||
fastify.post('/', async () => { | ||
return 'ok' | ||
}) | ||
const response = await fastify.inject({ | ||
method: 'POST', | ||
path: '/', | ||
headers: { | ||
'content-type': 'constructor; charset=utf-8' | ||
}, | ||
body: '' | ||
}) | ||
t.same(response.statusCode, 415) | ||
}) |
1653841
39769