
fastify - npm Package Compare versions

Comparing version 4.8.0 to 4.8.1

2

fastify.js
'use strict'
const VERSION = '4.8.0'
const VERSION = '4.8.1'

@@ -5,0 +5,0 @@ const Avvio = require('avvio')

@@ -32,5 +32,6 @@ 'use strict'

this[kDefaultJsonParse] = getDefaultJsonParser(onProtoPoisoning, onConstructorPoisoning)
this.customParsers = {}
this.customParsers['application/json'] = new Parser(true, false, bodyLimit, this[kDefaultJsonParse])
this.customParsers['text/plain'] = new Parser(true, false, bodyLimit, defaultPlainTextParser)
// using a map instead of a plain object to avoid prototype hijack attacks
this.customParsers = new Map()
this.customParsers.set('application/json', new Parser(true, false, bodyLimit, this[kDefaultJsonParse]))
this.customParsers.set('text/plain', new Parser(true, false, bodyLimit, defaultPlainTextParser))
this.parserList = ['application/json', 'text/plain']

@@ -66,3 +67,3 @@ this.parserRegExpList = []

if (contentTypeIsString && contentType === '*') {
this.customParsers[''] = parser
this.customParsers.set('', parser)
} else {

@@ -74,3 +75,3 @@ if (contentTypeIsString) {

}
this.customParsers[contentType] = parser
this.customParsers.set(contentType.toString(), parser)
}

@@ -80,19 +81,19 @@ }

ContentTypeParser.prototype.hasParser = function (contentType) {
return contentType in this.customParsers
return this.customParsers.has(typeof contentType === 'string' ? contentType : contentType.toString())
}
ContentTypeParser.prototype.existingParser = function (contentType) {
if (contentType === 'application/json') {
return this.customParsers['application/json'] && this.customParsers['application/json'].fn !== this[kDefaultJsonParse]
if (contentType === 'application/json' && this.customParsers.has(contentType)) {
return this.customParsers.get(contentType).fn !== this[kDefaultJsonParse]
}
if (contentType === 'text/plain') {
return this.customParsers['text/plain'] && this.customParsers['text/plain'].fn !== defaultPlainTextParser
if (contentType === 'text/plain' && this.customParsers.has(contentType)) {
return this.customParsers.get(contentType).fn !== defaultPlainTextParser
}
return contentType in this.customParsers
return this.hasParser(contentType)
}
ContentTypeParser.prototype.getParser = function (contentType) {
if (contentType in this.customParsers) {
return this.customParsers[contentType]
if (this.hasParser(contentType)) {
return this.customParsers.get(contentType)
}

@@ -108,3 +109,3 @@

if (contentType.indexOf(parserName) !== -1) {
const parser = this.customParsers[parserName]
const parser = this.customParsers.get(parserName)
this.cache.set(contentType, parser)

@@ -119,3 +120,3 @@ return parser

if (parserRegExp.test(contentType)) {
const parser = this.customParsers[parserRegExp]
const parser = this.customParsers.get(parserRegExp.toString())
this.cache.set(contentType, parser)

@@ -126,7 +127,7 @@ return parser

return this.customParsers['']
return this.customParsers.get('')
}
ContentTypeParser.prototype.removeAll = function () {
this.customParsers = {}
this.customParsers = new Map()
this.parserRegExpList = []

@@ -140,3 +141,3 @@ this.parserList = []

delete this.customParsers[contentType]
this.customParsers.delete(contentType.toString())

@@ -300,3 +301,3 @@ const parsers = typeof contentType === 'string' ? this.parserList : this.parserRegExpList

contentTypeParser[kDefaultJsonParse] = c[kDefaultJsonParse]
Object.assign(contentTypeParser.customParsers, c.customParsers)
contentTypeParser.customParsers = new Map(c.customParsers.entries())
contentTypeParser.parserList = c.parserList.slice()

@@ -303,0 +304,0 @@ return contentTypeParser
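Review bot: String names and RegExp patterns still share one key space after the move to `Map`, because the writes and lookups shown here all key on `contentType.toString()`. In `getParser`, `this.hasParser(contentType)` is an exact lookup on the request's content type, so a header whose text equals the string form of a registered RegExp would appear to receive that parser without `parserRegExp.test(contentType)` ever running. One option is a second map for pattern parsers, under a new name such as `this.customRegExpParsers.set(contentType.toString(), parser)`, read only from the `parserRegExpList` loop. Only parts of the add, lookup and remove paths are visible in these hunks, so this should be confirmed against the full file.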

{
"name": "fastify",
"version": "4.8.0",
"version": "4.8.1",
"description": "Fast and low overhead web framework, for Node.js",

@@ -5,0 +5,0 @@ "main": "fastify.js",

@@ -199,3 +199,3 @@ 'use strict'

contentTypeParser.add('*', {}, first)
t.equal(contentTypeParser.customParsers[''].fn, first)
t.equal(contentTypeParser.customParsers.get('').fn, first)
})

@@ -310,3 +310,3 @@

t.same(Object.keys(contentTypeParser.customParsers).length, 2)
t.same(contentTypeParser.customParsers.size, 2)
})

@@ -334,1 +334,67 @@

})
test('Safeguard against malicious content-type / 1', async t => {
const badNames = Object.getOwnPropertyNames({}.__proto__) // eslint-disable-line
t.plan(badNames.length)
const fastify = Fastify()
fastify.post('/', async () => {
return 'ok'
})
for (const prop of badNames) {
const response = await fastify.inject({
method: 'POST',
path: '/',
headers: {
'content-type': prop
},
body: ''
})
t.same(response.statusCode, 415)
}
})
test('Safeguard against malicious content-type / 2', async t => {
t.plan(1)
const fastify = Fastify()
fastify.post('/', async () => {
return 'ok'
})
const response = await fastify.inject({
method: 'POST',
path: '/',
headers: {
'content-type': '\\u0063\\u006fnstructor'
},
body: ''
})
t.same(response.statusCode, 415)
})
test('Safeguard against malicious content-type / 3', async t => {
t.plan(1)
const fastify = Fastify()
fastify.post('/', async () => {
return 'ok'
})
const response = await fastify.inject({
method: 'POST',
path: '/',
headers: {
'content-type': 'constructor; charset=utf-8'
},
body: ''
})
t.same(response.statusCode, 415)
})
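Review bot: The header value in 'Safeguard against malicious content-type / 2' deserves a comment, since `'\\u0063\\u006fnstructor'` as shown is the literal backslash-u text rather than the word `constructor`, and a reader cannot tell which of the two the test means to send. Something like `// literal escape text on the wire; must not be decoded into "constructor"` above the `headers` object would record the intent (test 1 already sends the plain word). In test 1, `Object.getOwnPropertyNames(Object.prototype)` yields the same list as `{}.__proto__` and lets the `eslint-disable-line` go. All three tests run with no custom parser registered, so a case that first registers a RegExp parser and then sends these names would also exercise the `parserRegExpList` path.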