@zuplo/cli 6.70.71 → 6.71.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/node_modules/@fastify/reply-from/node_modules/undici/docs/docs/api/Client.md +3 -0
- package/node_modules/@fastify/reply-from/node_modules/undici/docs/docs/api/Cookies.md +27 -0
- package/node_modules/@fastify/reply-from/node_modules/undici/docs/docs/api/Socks5ProxyAgent.md +1 -0
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/core/socks5-client.js +14 -4
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/core/socks5-utils.js +18 -4
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/agent.js +1 -1
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/balanced-pool.js +1 -1
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/client-h1.js +69 -1
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/client.js +3 -2
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/dispatcher-base.js +19 -0
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/pool.js +1 -1
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/proxy-agent.js +2 -1
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/socks5-proxy-agent.js +45 -34
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/util/cache.js +8 -2
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/web/cookies/parse.js +17 -25
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/web/websocket/permessage-deflate.js +13 -31
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/web/websocket/receiver.js +80 -23
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/web/websocket/stream/websocketstream.js +8 -1
- package/node_modules/@fastify/reply-from/node_modules/undici/lib/web/websocket/websocket.js +8 -1
- package/node_modules/@fastify/reply-from/node_modules/undici/package.json +1 -1
- package/node_modules/@fastify/reply-from/node_modules/undici/types/client.d.ts +16 -0
- package/node_modules/@zuplo/core/package.json +1 -1
- package/node_modules/@zuplo/graphql/package.json +1 -1
- package/node_modules/@zuplo/openapi-tools/package.json +1 -1
- package/node_modules/@zuplo/otel/package.json +1 -1
- package/node_modules/@zuplo/runtime/package.json +1 -1
- package/node_modules/axios/CHANGELOG.md +52 -1
- package/node_modules/axios/README.md +30 -2
- package/node_modules/axios/dist/axios.js +350 -134
- package/node_modules/axios/dist/axios.min.js +3 -3
- package/node_modules/axios/dist/axios.min.js.map +1 -1
- package/node_modules/axios/dist/browser/axios.cjs +355 -90
- package/node_modules/axios/dist/esm/axios.js +355 -90
- package/node_modules/axios/dist/esm/axios.min.js +2 -2
- package/node_modules/axios/dist/esm/axios.min.js.map +1 -1
- package/node_modules/axios/dist/node/axios.cjs +399 -104
- package/node_modules/axios/index.d.cts +2 -0
- package/node_modules/axios/index.d.ts +2 -0
- package/node_modules/axios/lib/adapters/fetch.js +113 -37
- package/node_modules/axios/lib/adapters/http.js +132 -43
- package/node_modules/axios/lib/core/Axios.js +3 -2
- package/node_modules/axios/lib/core/AxiosHeaders.js +10 -7
- package/node_modules/axios/lib/core/buildFullPath.js +29 -1
- package/node_modules/axios/lib/core/mergeConfig.js +34 -0
- package/node_modules/axios/lib/defaults/transitional.js +1 -0
- package/node_modules/axios/lib/env/data.js +1 -1
- package/node_modules/axios/lib/helpers/buildURL.js +5 -3
- package/node_modules/axios/lib/helpers/estimateDataURLDecodedBytes.js +16 -11
- package/node_modules/axios/lib/helpers/formDataToJSON.js +25 -3
- package/node_modules/axios/lib/helpers/resolveConfig.js +5 -3
- package/node_modules/axios/lib/helpers/shouldBypassProxy.js +33 -1
- package/node_modules/axios/lib/helpers/toFormData.js +40 -10
- package/node_modules/axios/lib/utils.js +75 -11
- package/node_modules/axios/package.json +1 -1
- package/node_modules/body-parser/README.md +16 -1
- package/node_modules/body-parser/index.js +4 -20
- package/node_modules/body-parser/lib/read.js +17 -17
- package/node_modules/body-parser/lib/types/json.js +60 -32
- package/node_modules/body-parser/lib/types/raw.js +3 -3
- package/node_modules/body-parser/lib/types/text.js +3 -3
- package/node_modules/body-parser/lib/types/urlencoded.js +16 -20
- package/node_modules/body-parser/lib/utils.js +18 -16
- package/node_modules/body-parser/node_modules/content-type/LICENSE +22 -0
- package/node_modules/body-parser/node_modules/content-type/README.md +69 -0
- package/node_modules/body-parser/node_modules/content-type/dist/index.d.ts +26 -0
- package/node_modules/body-parser/node_modules/content-type/dist/index.js +170 -0
- package/node_modules/body-parser/node_modules/content-type/dist/index.js.map +1 -0
- package/node_modules/body-parser/node_modules/content-type/package.json +52 -0
- package/node_modules/body-parser/node_modules/http-errors/HISTORY.md +186 -0
- package/node_modules/body-parser/node_modules/http-errors/LICENSE +23 -0
- package/node_modules/body-parser/node_modules/http-errors/README.md +169 -0
- package/node_modules/body-parser/node_modules/http-errors/index.js +290 -0
- package/node_modules/body-parser/node_modules/http-errors/package.json +54 -0
- package/node_modules/body-parser/package.json +23 -10
- package/node_modules/form-data/CHANGELOG.md +29 -2
- package/node_modules/form-data/README.md +4 -4
- package/node_modules/form-data/lib/form_data.js +14 -2
- package/node_modules/form-data/package.json +7 -7
- package/package.json +6 -6
|
@@ -1,8 +1,34 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
|
+
import AxiosError from './AxiosError.js';
|
|
3
4
|
import isAbsoluteURL from '../helpers/isAbsoluteURL.js';
|
|
4
5
|
import combineURLs from '../helpers/combineURLs.js';
|
|
5
6
|
|
|
7
|
+
const malformedHttpProtocol = /^https?:(?!\/\/)/i;
|
|
8
|
+
const httpProtocolControlCharacters = /[\t\n\r]/g;
|
|
9
|
+
|
|
10
|
+
function stripLeadingC0ControlOrSpace(url) {
|
|
11
|
+
let i = 0;
|
|
12
|
+
while (i < url.length && url.charCodeAt(i) <= 0x20) {
|
|
13
|
+
i++;
|
|
14
|
+
}
|
|
15
|
+
return url.slice(i);
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
function normalizeURLForProtocolCheck(url) {
|
|
19
|
+
return stripLeadingC0ControlOrSpace(url).replace(httpProtocolControlCharacters, '');
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
function assertValidHttpProtocolURL(url, config) {
|
|
23
|
+
if (typeof url === 'string' && malformedHttpProtocol.test(normalizeURLForProtocolCheck(url))) {
|
|
24
|
+
throw new AxiosError(
|
|
25
|
+
'Invalid URL: missing "//" after protocol',
|
|
26
|
+
AxiosError.ERR_INVALID_URL,
|
|
27
|
+
config
|
|
28
|
+
);
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
|
|
6
32
|
/**
|
|
7
33
|
* Creates a new URL by combining the baseURL with the requestedURL,
|
|
8
34
|
* only when the requestedURL is not already an absolute URL.
|
|
@@ -13,9 +39,11 @@ import combineURLs from '../helpers/combineURLs.js';
|
|
|
13
39
|
*
|
|
14
40
|
* @returns {string} The combined full path
|
|
15
41
|
*/
|
|
16
|
-
export default function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
|
|
42
|
+
export default function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls, config) {
|
|
43
|
+
assertValidHttpProtocolURL(requestedURL, config);
|
|
17
44
|
let isRelativeUrl = !isAbsoluteURL(requestedURL);
|
|
18
45
|
if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) {
|
|
46
|
+
assertValidHttpProtocolURL(baseURL, config);
|
|
19
47
|
return combineURLs(baseURL, requestedURL);
|
|
20
48
|
}
|
|
21
49
|
return requestedURL;
|
|
@@ -68,6 +68,28 @@ export default function mergeConfig(config1, config2) {
|
|
|
68
68
|
}
|
|
69
69
|
}
|
|
70
70
|
|
|
71
|
+
function getMergedTransitionalOption(prop) {
|
|
72
|
+
const transitional2 = utils.hasOwnProp(config2, 'transitional') ? config2.transitional : undefined;
|
|
73
|
+
|
|
74
|
+
if (!utils.isUndefined(transitional2)) {
|
|
75
|
+
if (utils.isPlainObject(transitional2)) {
|
|
76
|
+
if (utils.hasOwnProp(transitional2, prop)) {
|
|
77
|
+
return transitional2[prop];
|
|
78
|
+
}
|
|
79
|
+
} else {
|
|
80
|
+
return undefined;
|
|
81
|
+
}
|
|
82
|
+
}
|
|
83
|
+
|
|
84
|
+
const transitional1 = utils.hasOwnProp(config1, 'transitional') ? config1.transitional : undefined;
|
|
85
|
+
|
|
86
|
+
if (utils.isPlainObject(transitional1) && utils.hasOwnProp(transitional1, prop)) {
|
|
87
|
+
return transitional1[prop];
|
|
88
|
+
}
|
|
89
|
+
|
|
90
|
+
return undefined;
|
|
91
|
+
}
|
|
92
|
+
|
|
71
93
|
// eslint-disable-next-line consistent-return
|
|
72
94
|
function mergeDirectKeys(a, b, prop) {
|
|
73
95
|
if (utils.hasOwnProp(config2, prop)) {
|
|
@@ -120,5 +142,17 @@ export default function mergeConfig(config1, config2) {
|
|
|
120
142
|
(utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
|
|
121
143
|
});
|
|
122
144
|
|
|
145
|
+
if (
|
|
146
|
+
utils.hasOwnProp(config2, 'validateStatus') &&
|
|
147
|
+
utils.isUndefined(config2.validateStatus) &&
|
|
148
|
+
getMergedTransitionalOption('validateStatusUndefinedResolves') === false
|
|
149
|
+
) {
|
|
150
|
+
if (utils.hasOwnProp(config1, 'validateStatus')) {
|
|
151
|
+
config.validateStatus = getMergedValue(undefined, config1.validateStatus);
|
|
152
|
+
} else {
|
|
153
|
+
delete config.validateStatus;
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
|
|
123
157
|
return config;
|
|
124
158
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
export const VERSION = "1.
|
|
1
|
+
export const VERSION = "1.18.0";
|
|
@@ -33,15 +33,17 @@ export default function buildURL(url, params, options) {
|
|
|
33
33
|
return url;
|
|
34
34
|
}
|
|
35
35
|
|
|
36
|
-
const _encode = (options && options.encode) || encode;
|
|
37
|
-
|
|
38
36
|
const _options = utils.isFunction(options)
|
|
39
37
|
? {
|
|
40
38
|
serialize: options,
|
|
41
39
|
}
|
|
42
40
|
: options;
|
|
43
41
|
|
|
44
|
-
|
|
42
|
+
// Read serializer options pollution-safely: own properties and methods on a
|
|
43
|
+
// class/template prototype are honored, but values injected onto a polluted
|
|
44
|
+
// Object.prototype are ignored.
|
|
45
|
+
const _encode = utils.getSafeProp(_options, 'encode') || encode;
|
|
46
|
+
const serializeFn = utils.getSafeProp(_options, 'serialize');
|
|
45
47
|
|
|
46
48
|
let serializedParams;
|
|
47
49
|
|
|
@@ -2,11 +2,19 @@
|
|
|
2
2
|
* Estimate decoded byte length of a data:// URL *without* allocating large buffers.
|
|
3
3
|
* - For base64: compute exact decoded size using length and padding;
|
|
4
4
|
* handle %XX at the character-count level (no string allocation).
|
|
5
|
-
* - For non-base64:
|
|
5
|
+
* - For non-base64: compute the exact percent-decoded UTF-8 byte length.
|
|
6
6
|
*
|
|
7
7
|
* @param {string} url
|
|
8
8
|
* @returns {number}
|
|
9
9
|
*/
|
|
10
|
+
const isHexDigit = (charCode) =>
|
|
11
|
+
(charCode >= 48 && charCode <= 57) ||
|
|
12
|
+
(charCode >= 65 && charCode <= 70) ||
|
|
13
|
+
(charCode >= 97 && charCode <= 102);
|
|
14
|
+
|
|
15
|
+
const isPercentEncodedByte = (str, i, len) =>
|
|
16
|
+
i + 2 < len && isHexDigit(str.charCodeAt(i + 1)) && isHexDigit(str.charCodeAt(i + 2));
|
|
17
|
+
|
|
10
18
|
export default function estimateDataURLDecodedBytes(url) {
|
|
11
19
|
if (!url || typeof url !== 'string') return 0;
|
|
12
20
|
if (!url.startsWith('data:')) return 0;
|
|
@@ -26,9 +34,7 @@ export default function estimateDataURLDecodedBytes(url) {
|
|
|
26
34
|
if (body.charCodeAt(i) === 37 /* '%' */ && i + 2 < len) {
|
|
27
35
|
const a = body.charCodeAt(i + 1);
|
|
28
36
|
const b = body.charCodeAt(i + 2);
|
|
29
|
-
const isHex =
|
|
30
|
-
((a >= 48 && a <= 57) || (a >= 65 && a <= 70) || (a >= 97 && a <= 102)) &&
|
|
31
|
-
((b >= 48 && b <= 57) || (b >= 65 && b <= 70) || (b >= 97 && b <= 102));
|
|
37
|
+
const isHex = isHexDigit(a) && isHexDigit(b);
|
|
32
38
|
|
|
33
39
|
if (isHex) {
|
|
34
40
|
effectiveLen -= 2;
|
|
@@ -69,18 +75,17 @@ export default function estimateDataURLDecodedBytes(url) {
|
|
|
69
75
|
return bytes > 0 ? bytes : 0;
|
|
70
76
|
}
|
|
71
77
|
|
|
72
|
-
if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
|
|
73
|
-
return Buffer.byteLength(body, 'utf8');
|
|
74
|
-
}
|
|
75
|
-
|
|
76
78
|
// Compute UTF-8 byte length directly from UTF-16 code units without allocating
|
|
77
79
|
// a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
|
|
78
|
-
//
|
|
79
|
-
//
|
|
80
|
+
// Valid %XX triplets count as one decoded byte; this matches the bytes that
|
|
81
|
+
// decodeURIComponent(body) would produce before Buffer re-encodes the string.
|
|
80
82
|
let bytes = 0;
|
|
81
83
|
for (let i = 0, len = body.length; i < len; i++) {
|
|
82
84
|
const c = body.charCodeAt(i);
|
|
83
|
-
if (c
|
|
85
|
+
if (c === 37 /* '%' */ && isPercentEncodedByte(body, i, len)) {
|
|
86
|
+
bytes += 1;
|
|
87
|
+
i += 2;
|
|
88
|
+
} else if (c < 0x80) {
|
|
84
89
|
bytes += 1;
|
|
85
90
|
} else if (c < 0x800) {
|
|
86
91
|
bytes += 2;
|
|
@@ -1,6 +1,19 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
3
|
import utils from '../utils.js';
|
|
4
|
+
import AxiosError from '../core/AxiosError.js';
|
|
5
|
+
import { DEFAULT_FORM_DATA_MAX_DEPTH } from './toFormData.js';
|
|
6
|
+
|
|
7
|
+
const MAX_DEPTH = DEFAULT_FORM_DATA_MAX_DEPTH;
|
|
8
|
+
|
|
9
|
+
function throwIfDepthExceeded(index) {
|
|
10
|
+
if (index > MAX_DEPTH) {
|
|
11
|
+
throw new AxiosError(
|
|
12
|
+
'FormData field is too deeply nested (' + index + ' levels). Max depth: ' + MAX_DEPTH,
|
|
13
|
+
AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
|
|
14
|
+
);
|
|
15
|
+
}
|
|
16
|
+
}
|
|
4
17
|
|
|
5
18
|
/**
|
|
6
19
|
* It takes a string like `foo[x][y][z]` and returns an array like `['foo', 'x', 'y', 'z']
|
|
@@ -14,9 +27,16 @@ function parsePropPath(name) {
|
|
|
14
27
|
// foo.x.y.z
|
|
15
28
|
// foo-x-y-z
|
|
16
29
|
// foo x y z
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
30
|
+
const path = [];
|
|
31
|
+
const pattern = /\w+|\[(\w*)]/g;
|
|
32
|
+
let match;
|
|
33
|
+
|
|
34
|
+
while ((match = pattern.exec(name)) !== null) {
|
|
35
|
+
throwIfDepthExceeded(path.length);
|
|
36
|
+
path.push(match[0] === '[]' ? '' : match[1] || match[0]);
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
return path;
|
|
20
40
|
}
|
|
21
41
|
|
|
22
42
|
/**
|
|
@@ -48,6 +68,8 @@ function arrayToObject(arr) {
|
|
|
48
68
|
*/
|
|
49
69
|
function formDataToJSON(formData) {
|
|
50
70
|
function buildPath(path, value, target, index) {
|
|
71
|
+
throwIfDepthExceeded(index);
|
|
72
|
+
|
|
51
73
|
let name = path[index++];
|
|
52
74
|
|
|
53
75
|
if (name === '__proto__') return true;
|
|
@@ -55,17 +55,19 @@ function resolveConfig(config) {
|
|
|
55
55
|
newConfig.headers = headers = AxiosHeaders.from(headers);
|
|
56
56
|
|
|
57
57
|
newConfig.url = buildURL(
|
|
58
|
-
buildFullPath(baseURL, url, allowAbsoluteUrls),
|
|
58
|
+
buildFullPath(baseURL, url, allowAbsoluteUrls, newConfig),
|
|
59
59
|
own('params'),
|
|
60
60
|
own('paramsSerializer')
|
|
61
61
|
);
|
|
62
62
|
|
|
63
63
|
// HTTP basic authentication
|
|
64
64
|
if (auth) {
|
|
65
|
+
const username = utils.getSafeProp(auth, 'username') || '';
|
|
66
|
+
const password = utils.getSafeProp(auth, 'password') || '';
|
|
67
|
+
|
|
65
68
|
headers.set(
|
|
66
69
|
'Authorization',
|
|
67
|
-
'Basic ' +
|
|
68
|
-
btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : ''))
|
|
70
|
+
'Basic ' + btoa(username + ':' + (password ? encodeUTF8(password) : ''))
|
|
69
71
|
);
|
|
70
72
|
}
|
|
71
73
|
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
const LOOPBACK_HOSTNAMES = new Set(['localhost']);
|
|
1
|
+
const LOOPBACK_HOSTNAMES = new Set(['localhost', '0.0.0.0']);
|
|
2
2
|
|
|
3
3
|
const isIPv4Loopback = (host) => {
|
|
4
4
|
const parts = host.split('.');
|
|
@@ -7,6 +7,37 @@ const isIPv4Loopback = (host) => {
|
|
|
7
7
|
return parts.every((p) => /^\d+$/.test(p) && Number(p) >= 0 && Number(p) <= 255);
|
|
8
8
|
};
|
|
9
9
|
|
|
10
|
+
const isIPv6ZeroGroup = (group) => /^0{1,4}$/.test(group);
|
|
11
|
+
|
|
12
|
+
// The unspecified address (IPv4 0.0.0.0 / IPv6 ::) resolves to the local host
|
|
13
|
+
// for outbound connections, so treat it as loopback-equivalent for NO_PROXY
|
|
14
|
+
// matching. 0.0.0.0 is covered by LOOPBACK_HOSTNAMES; this handles compressed
|
|
15
|
+
// and full IPv6 all-zero forms so both families bypass symmetrically.
|
|
16
|
+
const isIPv6Unspecified = (host) => {
|
|
17
|
+
if (host === '::') return true;
|
|
18
|
+
|
|
19
|
+
const compressionIndex = host.indexOf('::');
|
|
20
|
+
|
|
21
|
+
if (compressionIndex !== -1) {
|
|
22
|
+
if (compressionIndex !== host.lastIndexOf('::')) return false;
|
|
23
|
+
|
|
24
|
+
const left = host.slice(0, compressionIndex);
|
|
25
|
+
const right = host.slice(compressionIndex + 2);
|
|
26
|
+
const leftGroups = left ? left.split(':') : [];
|
|
27
|
+
const rightGroups = right ? right.split(':') : [];
|
|
28
|
+
const explicitGroups = leftGroups.length + rightGroups.length;
|
|
29
|
+
|
|
30
|
+
return (
|
|
31
|
+
explicitGroups < 8 &&
|
|
32
|
+
leftGroups.every(isIPv6ZeroGroup) &&
|
|
33
|
+
rightGroups.every(isIPv6ZeroGroup)
|
|
34
|
+
);
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
const groups = host.split(':');
|
|
38
|
+
return groups.length === 8 && groups.every(isIPv6ZeroGroup);
|
|
39
|
+
};
|
|
40
|
+
|
|
10
41
|
const isIPv6Loopback = (host) => {
|
|
11
42
|
// Collapse all-zero groups: any form of ::1 / 0:0:...:0:1
|
|
12
43
|
// First, strip any leading "::" by normalising with Set lookup of common forms,
|
|
@@ -42,6 +73,7 @@ const isLoopback = (host) => {
|
|
|
42
73
|
if (!host) return false;
|
|
43
74
|
if (LOOPBACK_HOSTNAMES.has(host)) return true;
|
|
44
75
|
if (isIPv4Loopback(host)) return true;
|
|
76
|
+
if (isIPv6Unspecified(host)) return true;
|
|
45
77
|
return isIPv6Loopback(host);
|
|
46
78
|
};
|
|
47
79
|
|
|
@@ -5,6 +5,10 @@ import AxiosError from '../core/AxiosError.js';
|
|
|
5
5
|
// temporary hotfix to avoid circular references until AxiosURLSearchParams is refactored
|
|
6
6
|
import PlatformFormData from '../platform/node/classes/FormData.js';
|
|
7
7
|
|
|
8
|
+
// Default nesting limit shared with the inverse transform (formDataToJSON) so
|
|
9
|
+
// the FormData <-> JSON round-trip stays symmetric.
|
|
10
|
+
export const DEFAULT_FORM_DATA_MAX_DEPTH = 100;
|
|
11
|
+
|
|
8
12
|
/**
|
|
9
13
|
* Determines if the given thing is a array or js object.
|
|
10
14
|
*
|
|
@@ -115,8 +119,9 @@ function toFormData(obj, formData, options) {
|
|
|
115
119
|
const dots = options.dots;
|
|
116
120
|
const indexes = options.indexes;
|
|
117
121
|
const _Blob = options.Blob || (typeof Blob !== 'undefined' && Blob);
|
|
118
|
-
const maxDepth = options.maxDepth === undefined ?
|
|
122
|
+
const maxDepth = options.maxDepth === undefined ? DEFAULT_FORM_DATA_MAX_DEPTH : options.maxDepth;
|
|
119
123
|
const useBlob = _Blob && utils.isSpecCompliantForm(formData);
|
|
124
|
+
const stack = [];
|
|
120
125
|
|
|
121
126
|
if (!utils.isFunction(visitor)) {
|
|
122
127
|
throw new TypeError('visitor must be a function');
|
|
@@ -144,6 +149,38 @@ function toFormData(obj, formData, options) {
|
|
|
144
149
|
return value;
|
|
145
150
|
}
|
|
146
151
|
|
|
152
|
+
function throwIfMaxDepthExceeded(depth) {
|
|
153
|
+
if (depth > maxDepth) {
|
|
154
|
+
throw new AxiosError(
|
|
155
|
+
'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
|
|
156
|
+
AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
|
|
157
|
+
);
|
|
158
|
+
}
|
|
159
|
+
}
|
|
160
|
+
|
|
161
|
+
function stringifyWithDepthLimit(value, depth) {
|
|
162
|
+
if (maxDepth === Infinity) {
|
|
163
|
+
return JSON.stringify(value);
|
|
164
|
+
}
|
|
165
|
+
|
|
166
|
+
const ancestors = [];
|
|
167
|
+
|
|
168
|
+
return JSON.stringify(value, function limitDepth(_key, currentValue) {
|
|
169
|
+
if (!utils.isObject(currentValue)) {
|
|
170
|
+
return currentValue;
|
|
171
|
+
}
|
|
172
|
+
|
|
173
|
+
while (ancestors.length && ancestors[ancestors.length - 1] !== this) {
|
|
174
|
+
ancestors.pop();
|
|
175
|
+
}
|
|
176
|
+
|
|
177
|
+
ancestors.push(currentValue);
|
|
178
|
+
throwIfMaxDepthExceeded(depth + ancestors.length - 1);
|
|
179
|
+
|
|
180
|
+
return currentValue;
|
|
181
|
+
});
|
|
182
|
+
}
|
|
183
|
+
|
|
147
184
|
/**
|
|
148
185
|
* Default visitor.
|
|
149
186
|
*
|
|
@@ -167,7 +204,7 @@ function toFormData(obj, formData, options) {
|
|
|
167
204
|
// eslint-disable-next-line no-param-reassign
|
|
168
205
|
key = metaTokens ? key : key.slice(0, -2);
|
|
169
206
|
// eslint-disable-next-line no-param-reassign
|
|
170
|
-
value =
|
|
207
|
+
value = stringifyWithDepthLimit(value, 1);
|
|
171
208
|
} else if (
|
|
172
209
|
(utils.isArray(value) && isFlatArray(value)) ||
|
|
173
210
|
((utils.isFileList(value) || utils.endsWith(key, '[]')) && (arr = utils.toArray(value)))
|
|
@@ -200,8 +237,6 @@ function toFormData(obj, formData, options) {
|
|
|
200
237
|
return false;
|
|
201
238
|
}
|
|
202
239
|
|
|
203
|
-
const stack = [];
|
|
204
|
-
|
|
205
240
|
const exposedHelpers = Object.assign(predicates, {
|
|
206
241
|
defaultVisitor,
|
|
207
242
|
convertValue,
|
|
@@ -211,12 +246,7 @@ function toFormData(obj, formData, options) {
|
|
|
211
246
|
function build(value, path, depth = 0) {
|
|
212
247
|
if (utils.isUndefined(value)) return;
|
|
213
248
|
|
|
214
|
-
|
|
215
|
-
throw new AxiosError(
|
|
216
|
-
'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
|
|
217
|
-
AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
|
|
218
|
-
);
|
|
219
|
-
}
|
|
249
|
+
throwIfMaxDepthExceeded(depth);
|
|
220
250
|
|
|
221
251
|
if (stack.indexOf(value) !== -1) {
|
|
222
252
|
throw new Error('Circular reference detected in ' + path.join('.'));
|
|
@@ -8,6 +8,57 @@ const { toString } = Object.prototype;
|
|
|
8
8
|
const { getPrototypeOf } = Object;
|
|
9
9
|
const { iterator, toStringTag } = Symbol;
|
|
10
10
|
|
|
11
|
+
/* Creating a function that will check if an object has a property. */
|
|
12
|
+
const hasOwnProperty = (
|
|
13
|
+
({ hasOwnProperty }) =>
|
|
14
|
+
(obj, prop) =>
|
|
15
|
+
hasOwnProperty.call(obj, prop)
|
|
16
|
+
)(Object.prototype);
|
|
17
|
+
|
|
18
|
+
/**
|
|
19
|
+
* Walk the prototype chain (excluding the shared Object.prototype) looking for
|
|
20
|
+
* an own `prop`. This distinguishes genuine own/inherited members — including
|
|
21
|
+
* class accessors and template prototypes — from members injected via
|
|
22
|
+
* Object.prototype pollution (e.g. `Object.prototype.username = '...'`), which
|
|
23
|
+
* live on Object.prototype itself and are therefore never matched.
|
|
24
|
+
*
|
|
25
|
+
* @param {*} thing The value whose chain to inspect
|
|
26
|
+
* @param {string|symbol} prop The property key to look for
|
|
27
|
+
*
|
|
28
|
+
* @returns {boolean} True when `prop` is owned below Object.prototype
|
|
29
|
+
*/
|
|
30
|
+
const hasOwnInPrototypeChain = (thing, prop) => {
|
|
31
|
+
let obj = thing;
|
|
32
|
+
const seen = [];
|
|
33
|
+
|
|
34
|
+
while (obj != null && obj !== Object.prototype) {
|
|
35
|
+
if (seen.indexOf(obj) !== -1) {
|
|
36
|
+
return false;
|
|
37
|
+
}
|
|
38
|
+
seen.push(obj);
|
|
39
|
+
|
|
40
|
+
if (hasOwnProperty(obj, prop)) {
|
|
41
|
+
return true;
|
|
42
|
+
}
|
|
43
|
+
obj = getPrototypeOf(obj);
|
|
44
|
+
}
|
|
45
|
+
return false;
|
|
46
|
+
};
|
|
47
|
+
|
|
48
|
+
/**
|
|
49
|
+
* Read `obj[prop]` only when it is safe from Object.prototype pollution. Own
|
|
50
|
+
* properties and members inherited from a non-Object.prototype source (a class
|
|
51
|
+
* instance or template object) are honored; a value reachable only through a
|
|
52
|
+
* polluted Object.prototype is ignored and `undefined` is returned.
|
|
53
|
+
*
|
|
54
|
+
* @param {*} obj The source object
|
|
55
|
+
* @param {string|symbol} prop The property key to read
|
|
56
|
+
*
|
|
57
|
+
* @returns {*} The resolved value, or undefined when unsafe/absent
|
|
58
|
+
*/
|
|
59
|
+
const getSafeProp = (obj, prop) =>
|
|
60
|
+
obj != null && hasOwnInPrototypeChain(obj, prop) ? obj[prop] : undefined;
|
|
61
|
+
|
|
11
62
|
const kindOf = ((cache) => (thing) => {
|
|
12
63
|
const str = toString.call(thing);
|
|
13
64
|
return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase());
|
|
@@ -133,7 +184,7 @@ const isBoolean = (thing) => thing === true || thing === false;
|
|
|
133
184
|
* @returns {boolean} True if value is a plain Object, otherwise false
|
|
134
185
|
*/
|
|
135
186
|
const isPlainObject = (val) => {
|
|
136
|
-
if (
|
|
187
|
+
if (!isObject(val)) {
|
|
137
188
|
return false;
|
|
138
189
|
}
|
|
139
190
|
|
|
@@ -141,9 +192,12 @@ const isPlainObject = (val) => {
|
|
|
141
192
|
return (
|
|
142
193
|
(prototype === null ||
|
|
143
194
|
prototype === Object.prototype ||
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
195
|
+
getPrototypeOf(prototype) === null) &&
|
|
196
|
+
// Treat any genuine (non-Object.prototype-polluted) Symbol.toStringTag or
|
|
197
|
+
// Symbol.iterator as evidence the value is a tagged/iterable type rather
|
|
198
|
+
// than a plain object, while ignoring keys injected onto Object.prototype.
|
|
199
|
+
!hasOwnInPrototypeChain(val, toStringTag) &&
|
|
200
|
+
!hasOwnInPrototypeChain(val, iterator)
|
|
147
201
|
);
|
|
148
202
|
};
|
|
149
203
|
|
|
@@ -670,13 +724,6 @@ const toCamelCase = (str) => {
|
|
|
670
724
|
});
|
|
671
725
|
};
|
|
672
726
|
|
|
673
|
-
/* Creating a function that will check if an object has a property. */
|
|
674
|
-
const hasOwnProperty = (
|
|
675
|
-
({ hasOwnProperty }) =>
|
|
676
|
-
(obj, prop) =>
|
|
677
|
-
hasOwnProperty.call(obj, prop)
|
|
678
|
-
)(Object.prototype);
|
|
679
|
-
|
|
680
727
|
const { propertyIsEnumerable } = Object.prototype;
|
|
681
728
|
|
|
682
729
|
/**
|
|
@@ -890,6 +937,20 @@ const asap =
|
|
|
890
937
|
|
|
891
938
|
const isIterable = (thing) => thing != null && isFunction(thing[iterator]);
|
|
892
939
|
|
|
940
|
+
/**
|
|
941
|
+
* Determine if a value is iterable via an iterator that is NOT sourced solely
|
|
942
|
+
* from a polluted Object.prototype. Use this instead of `isIterable` whenever
|
|
943
|
+
* the iterable comes from untrusted input (e.g. user-supplied header sources),
|
|
944
|
+
* so `Object.prototype[Symbol.iterator] = ...` cannot turn an ordinary object
|
|
945
|
+
* into an attacker-controlled entries iterator.
|
|
946
|
+
*
|
|
947
|
+
* @param {*} thing The value to test
|
|
948
|
+
*
|
|
949
|
+
* @returns {boolean} True if value has a non-polluted iterator
|
|
950
|
+
*/
|
|
951
|
+
const isSafeIterable = (thing) =>
|
|
952
|
+
thing != null && hasOwnInPrototypeChain(thing, iterator) && isIterable(thing);
|
|
953
|
+
|
|
893
954
|
export default {
|
|
894
955
|
isArray,
|
|
895
956
|
isArrayBuffer,
|
|
@@ -934,6 +995,8 @@ export default {
|
|
|
934
995
|
isHTMLForm,
|
|
935
996
|
hasOwnProperty,
|
|
936
997
|
hasOwnProp: hasOwnProperty, // an alias to avoid ESLint no-prototype-builtins detection
|
|
998
|
+
hasOwnInPrototypeChain,
|
|
999
|
+
getSafeProp,
|
|
937
1000
|
reduceDescriptors,
|
|
938
1001
|
freezeMethods,
|
|
939
1002
|
toObjectSet,
|
|
@@ -950,4 +1013,5 @@ export default {
|
|
|
950
1013
|
setImmediate: _setImmediate,
|
|
951
1014
|
asap,
|
|
952
1015
|
isIterable,
|
|
1016
|
+
isSafeIterable,
|
|
953
1017
|
};
|
|
@@ -51,7 +51,14 @@ $ npm install body-parser
|
|
|
51
51
|
## API
|
|
52
52
|
|
|
53
53
|
```js
|
|
54
|
+
// Import all parsers
|
|
54
55
|
const bodyParser = require('body-parser')
|
|
56
|
+
|
|
57
|
+
// Or import individual parsers directly
|
|
58
|
+
const json = require('body-parser/json')
|
|
59
|
+
const urlencoded = require('body-parser/urlencoded')
|
|
60
|
+
const raw = require('body-parser/raw')
|
|
61
|
+
const text = require('body-parser/text')
|
|
55
62
|
```
|
|
56
63
|
|
|
57
64
|
The `bodyParser` object exposes various factories to create middlewares. All
|
|
@@ -93,11 +100,13 @@ specifies the number of bytes; if it is a string, the value is passed to the
|
|
|
93
100
|
[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults
|
|
94
101
|
to `'100kb'`.
|
|
95
102
|
|
|
103
|
+
> It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
|
|
104
|
+
|
|
96
105
|
##### reviver
|
|
97
106
|
|
|
98
107
|
The `reviver` option is passed directly to `JSON.parse` as the second
|
|
99
108
|
argument. You can find more information on this argument
|
|
100
|
-
[in the MDN documentation about JSON.parse](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse#
|
|
109
|
+
[in the MDN documentation about JSON.parse](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse#the_reviver_parameter).
|
|
101
110
|
|
|
102
111
|
##### strict
|
|
103
112
|
|
|
@@ -149,6 +158,8 @@ specifies the number of bytes; if it is a string, the value is passed to the
|
|
|
149
158
|
[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults
|
|
150
159
|
to `'100kb'`.
|
|
151
160
|
|
|
161
|
+
> It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
|
|
162
|
+
|
|
152
163
|
##### type
|
|
153
164
|
|
|
154
165
|
The `type` option is used to determine what media type the middleware will
|
|
@@ -200,6 +211,8 @@ specifies the number of bytes; if it is a string, the value is passed to the
|
|
|
200
211
|
[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults
|
|
201
212
|
to `'100kb'`.
|
|
202
213
|
|
|
214
|
+
> It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
|
|
215
|
+
|
|
203
216
|
##### type
|
|
204
217
|
|
|
205
218
|
The `type` option is used to determine what media type the middleware will
|
|
@@ -255,6 +268,8 @@ specifies the number of bytes; if it is a string, the value is passed to the
|
|
|
255
268
|
[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults
|
|
256
269
|
to `'100kb'`.
|
|
257
270
|
|
|
271
|
+
> It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
|
|
272
|
+
|
|
258
273
|
##### parameterLimit
|
|
259
274
|
|
|
260
275
|
The `parameterLimit` option controls the maximum number of parameters that
|
|
@@ -24,41 +24,25 @@ exports = module.exports = bodyParser
|
|
|
24
24
|
* JSON parser.
|
|
25
25
|
* @public
|
|
26
26
|
*/
|
|
27
|
-
|
|
28
|
-
configurable: true,
|
|
29
|
-
enumerable: true,
|
|
30
|
-
get: () => require('./lib/types/json')
|
|
31
|
-
})
|
|
27
|
+
exports.json = require('./lib/types/json')
|
|
32
28
|
|
|
33
29
|
/**
|
|
34
30
|
* Raw parser.
|
|
35
31
|
* @public
|
|
36
32
|
*/
|
|
37
|
-
|
|
38
|
-
configurable: true,
|
|
39
|
-
enumerable: true,
|
|
40
|
-
get: () => require('./lib/types/raw')
|
|
41
|
-
})
|
|
33
|
+
exports.raw = require('./lib/types/raw')
|
|
42
34
|
|
|
43
35
|
/**
|
|
44
36
|
* Text parser.
|
|
45
37
|
* @public
|
|
46
38
|
*/
|
|
47
|
-
|
|
48
|
-
configurable: true,
|
|
49
|
-
enumerable: true,
|
|
50
|
-
get: () => require('./lib/types/text')
|
|
51
|
-
})
|
|
39
|
+
exports.text = require('./lib/types/text')
|
|
52
40
|
|
|
53
41
|
/**
|
|
54
42
|
* URL-encoded parser.
|
|
55
43
|
* @public
|
|
56
44
|
*/
|
|
57
|
-
|
|
58
|
-
configurable: true,
|
|
59
|
-
enumerable: true,
|
|
60
|
-
get: () => require('./lib/types/urlencoded')
|
|
61
|
-
})
|
|
45
|
+
exports.urlencoded = require('./lib/types/urlencoded')
|
|
62
46
|
|
|
63
47
|
/**
|
|
64
48
|
* Create a middleware to parse json and urlencoded bodies.
|