Comparing version 4.8.0 to 4.8.1
'use strict' | ||
const VERSION = '4.8.0' | ||
const VERSION = '4.8.1' | ||
@@ -5,0 +5,0 @@ const Avvio = require('avvio') |
@@ -32,5 +32,6 @@ 'use strict' | ||
this[kDefaultJsonParse] = getDefaultJsonParser(onProtoPoisoning, onConstructorPoisoning) | ||
this.customParsers = {} | ||
this.customParsers['application/json'] = new Parser(true, false, bodyLimit, this[kDefaultJsonParse]) | ||
this.customParsers['text/plain'] = new Parser(true, false, bodyLimit, defaultPlainTextParser) | ||
// using a map instead of a plain object to avoid prototype hijack attacks | ||
this.customParsers = new Map() | ||
this.customParsers.set('application/json', new Parser(true, false, bodyLimit, this[kDefaultJsonParse])) | ||
this.customParsers.set('text/plain', new Parser(true, false, bodyLimit, defaultPlainTextParser)) | ||
this.parserList = ['application/json', 'text/plain'] | ||
@@ -66,3 +67,3 @@ this.parserRegExpList = [] | ||
if (contentTypeIsString && contentType === '*') { | ||
this.customParsers[''] = parser | ||
this.customParsers.set('', parser) | ||
} else { | ||
@@ -74,3 +75,3 @@ if (contentTypeIsString) { | ||
} | ||
this.customParsers[contentType] = parser | ||
this.customParsers.set(contentType.toString(), parser) | ||
} | ||
@@ -80,19 +81,19 @@ } | ||
ContentTypeParser.prototype.hasParser = function (contentType) { | ||
return contentType in this.customParsers | ||
return this.customParsers.has(typeof contentType === 'string' ? contentType : contentType.toString()) | ||
} | ||
ContentTypeParser.prototype.existingParser = function (contentType) { | ||
if (contentType === 'application/json') { | ||
return this.customParsers['application/json'] && this.customParsers['application/json'].fn !== this[kDefaultJsonParse] | ||
if (contentType === 'application/json' && this.customParsers.has(contentType)) { | ||
return this.customParsers.get(contentType).fn !== this[kDefaultJsonParse] | ||
} | ||
if (contentType === 'text/plain') { | ||
return this.customParsers['text/plain'] && this.customParsers['text/plain'].fn !== defaultPlainTextParser | ||
if (contentType === 'text/plain' && this.customParsers.has(contentType)) { | ||
return this.customParsers.get(contentType).fn !== defaultPlainTextParser | ||
} | ||
return contentType in this.customParsers | ||
return this.hasParser(contentType) | ||
} | ||
ContentTypeParser.prototype.getParser = function (contentType) { | ||
if (contentType in this.customParsers) { | ||
return this.customParsers[contentType] | ||
if (this.hasParser(contentType)) { | ||
return this.customParsers.get(contentType) | ||
} | ||
@@ -108,3 +109,3 @@ | ||
if (contentType.indexOf(parserName) !== -1) { | ||
const parser = this.customParsers[parserName] | ||
const parser = this.customParsers.get(parserName) | ||
this.cache.set(contentType, parser) | ||
@@ -119,3 +120,3 @@ return parser | ||
if (parserRegExp.test(contentType)) { | ||
const parser = this.customParsers[parserRegExp] | ||
const parser = this.customParsers.get(parserRegExp.toString()) | ||
this.cache.set(contentType, parser) | ||
@@ -126,7 +127,7 @@ return parser | ||
return this.customParsers[''] | ||
return this.customParsers.get('') | ||
} | ||
ContentTypeParser.prototype.removeAll = function () { | ||
this.customParsers = {} | ||
this.customParsers = new Map() | ||
this.parserRegExpList = [] | ||
@@ -140,3 +141,3 @@ this.parserList = [] | ||
delete this.customParsers[contentType] | ||
this.customParsers.delete(contentType.toString()) | ||
@@ -300,3 +301,3 @@ const parsers = typeof contentType === 'string' ? this.parserList : this.parserRegExpList | ||
contentTypeParser[kDefaultJsonParse] = c[kDefaultJsonParse] | ||
Object.assign(contentTypeParser.customParsers, c.customParsers) | ||
contentTypeParser.customParsers = new Map(c.customParsers.entries()) | ||
contentTypeParser.parserList = c.parserList.slice() | ||
@@ -303,0 +304,0 @@ return contentTypeParser |
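Review bot: In `getParser`, the fast path tests membership with `hasParser(contentType)`, which stringifies a non-string key, but then reads with the raw key in `this.customParsers.get(contentType)`, so the two lookups can disagree and every hit costs two hash lookups. A `Map` has no inherited keys, so a single lookup is enough: `const parser = this.customParsers.get(contentType)` followed by `if (parser !== undefined) return parser`. `hasParser` also calls `contentType.toString()` on anything that is not a string, so a `null` or `undefined` argument now throws where the old `in` check returned false; whether any caller passes one is not visible here. The body of `getParser` continues outside this hunk.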
{ | ||
"name": "fastify", | ||
"version": "4.8.0", | ||
"version": "4.8.1", | ||
"description": "Fast and low overhead web framework, for Node.js", | ||
@@ -5,0 +5,0 @@ "main": "fastify.js", |
@@ -199,3 +199,3 @@ 'use strict' | ||
contentTypeParser.add('*', {}, first) | ||
t.equal(contentTypeParser.customParsers[''].fn, first) | ||
t.equal(contentTypeParser.customParsers.get('').fn, first) | ||
}) | ||
@@ -310,3 +310,3 @@ | ||
t.same(Object.keys(contentTypeParser.customParsers).length, 2) | ||
t.same(contentTypeParser.customParsers.size, 2) | ||
}) | ||
@@ -334,1 +334,67 @@ | ||
}) | ||
test('Safeguard against malicious content-type / 1', async t => { | ||
const badNames = Object.getOwnPropertyNames({}.__proto__) // eslint-disable-line | ||
t.plan(badNames.length) | ||
const fastify = Fastify() | ||
fastify.post('/', async () => { | ||
return 'ok' | ||
}) | ||
for (const prop of badNames) { | ||
const response = await fastify.inject({ | ||
method: 'POST', | ||
path: '/', | ||
headers: { | ||
'content-type': prop | ||
}, | ||
body: '' | ||
}) | ||
t.same(response.statusCode, 415) | ||
} | ||
}) | ||
test('Safeguard against malicious content-type / 2', async t => { | ||
t.plan(1) | ||
const fastify = Fastify() | ||
fastify.post('/', async () => { | ||
return 'ok' | ||
}) | ||
const response = await fastify.inject({ | ||
method: 'POST', | ||
path: '/', | ||
headers: { | ||
'content-type': '\\u0063\\u006fnstructor' | ||
}, | ||
body: '' | ||
}) | ||
t.same(response.statusCode, 415) | ||
}) | ||
test('Safeguard against malicious content-type / 3', async t => { | ||
t.plan(1) | ||
const fastify = Fastify() | ||
fastify.post('/', async () => { | ||
return 'ok' | ||
}) | ||
const response = await fastify.inject({ | ||
method: 'POST', | ||
path: '/', | ||
headers: { | ||
'content-type': 'constructor; charset=utf-8' | ||
}, | ||
body: '' | ||
}) | ||
t.same(response.statusCode, 415) | ||
}) |
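Review bot: The three new tests only cover the request path, so nothing pins the registration-side checks that this release also changed. With the old `contentType in this.customParsers`, `hasParser('constructor')` was true on a fresh instance, so an assertion such as `t.notOk(contentTypeParser.hasParser('constructor'))` would guard against that regression directly. In the second test the doubled backslashes make the header the literal text `\u0063\u006fnstructor` rather than `constructor`; if that is intended, a one-line comment should say so. In the first test, `Object.getOwnPropertyNames(Object.prototype)` gives the same list without the eslint suppression.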