fastify 3.29.1 → 3.29.3

package/fastify.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const VERSION = '3.29.1'
+const VERSION = '3.29.3'
 
 const Avvio = require('avvio')
 const http = require('http')
@@ -584,7 +584,7 @@ function fastify (options) {
     // https://github.com/nodejs/node/blob/6ca23d7846cb47e84fd344543e394e50938540be/lib/_http_server.js#L666
 
     // If the socket is not writable, there is no reason to try to send data.
-    if (socket.writable && socket.bytesWritten === 0) {
+    if (socket.writable) {
       socket.write(`HTTP/1.1 400 Bad Request\r\nContent-Length: ${body.length}\r\nContent-Type: application/json\r\n\r\n${body}`)
     }
     socket.destroy(err)

package/lib/contentTypeParser.js

@@ -32,9 +32,10 @@ const warning = require('./warnings')
 
 function ContentTypeParser (bodyLimit, onProtoPoisoning, onConstructorPoisoning) {
   this[kDefaultJsonParse] = getDefaultJsonParser(onProtoPoisoning, onConstructorPoisoning)
-  this.customParsers = {}
-  this.customParsers['application/json'] = new Parser(true, false, bodyLimit, this[kDefaultJsonParse])
-  this.customParsers['text/plain'] = new Parser(true, false, bodyLimit, defaultPlainTextParser)
+  // using a map instead of a plain object to avoid prototype hijack attacks
+  this.customParsers = new Map()
+  this.customParsers.set('application/json', new Parser(true, false, bodyLimit, this[kDefaultJsonParse]))
+  this.customParsers.set('text/plain', new Parser(true, false, bodyLimit, defaultPlainTextParser))
   this.parserList = ['application/json', 'text/plain']
   this.parserRegExpList = []
   this.cache = lru(100)
@@ -65,38 +66,42 @@ ContentTypeParser.prototype.add = function (contentType, opts, parserFn) {
   )
 
   if (contentTypeIsString && contentType === '*') {
-    this.customParsers[''] = parser
+    this.customParsers.set('', parser)
   } else {
     if (contentTypeIsString) {
       this.parserList.unshift(contentType)
     } else {
       this.parserRegExpList.unshift(contentType)
     }
-    this.customParsers[contentType] = parser
+    this.customParsers.set(contentType.toString(), parser)
   }
 }
 
 ContentTypeParser.prototype.hasParser = function (contentType) {
-  return contentType in this.customParsers
+  return this.customParsers.has(typeof contentType === 'string' ? contentType : contentType.toString())
 }
 
 ContentTypeParser.prototype.existingParser = function (contentType) {
-  if (contentType === 'application/json') {
-    return this.customParsers['application/json'] && this.customParsers['application/json'].fn !== this[kDefaultJsonParse]
+  if (contentType === 'application/json' && this.customParsers.has(contentType)) {
+    return this.customParsers.get(contentType).fn !== this[kDefaultJsonParse]
   }
-  if (contentType === 'text/plain') {
-    return this.customParsers['text/plain'] && this.customParsers['text/plain'].fn !== defaultPlainTextParser
+  if (contentType === 'text/plain' && this.customParsers.has(contentType)) {
+    return this.customParsers.get(contentType).fn !== defaultPlainTextParser
   }
 
-  return contentType in this.customParsers
+  return this.hasParser(contentType)
 }
 
 ContentTypeParser.prototype.getParser = function (contentType) {
+  if (this.hasParser(contentType)) {
+    return this.customParsers.get(contentType)
+  }
+
   // eslint-disable-next-line no-var
   for (var i = 0; i !== this.parserList.length; ++i) {
     const parserName = this.parserList[i]
-    if (contentType.indexOf(parserName) > -1) {
-      const parser = this.customParsers[parserName]
+    if (contentType.indexOf(parserName) !== -1) {
+      const parser = this.customParsers.get(parserName)
       this.cache.set(contentType, parser)
       return parser
     }
@@ -106,17 +111,17 @@ ContentTypeParser.prototype.getParser = function (contentType) {
   for (var j = 0; j !== this.parserRegExpList.length; ++j) {
     const parserRegExp = this.parserRegExpList[j]
     if (parserRegExp.test(contentType)) {
-      const parser = this.customParsers[parserRegExp]
+      const parser = this.customParsers.get(parserRegExp.toString())
       this.cache.set(contentType, parser)
       return parser
     }
   }
 
-  return this.customParsers['']
+  return this.customParsers.get('')
 }
 
 ContentTypeParser.prototype.removeAll = function () {
-  this.customParsers = {}
+  this.customParsers = new Map()
   this.parserRegExpList = []
   this.parserList = []
   this.cache = lru(100)
@@ -125,7 +130,7 @@ ContentTypeParser.prototype.removeAll = function () {
 ContentTypeParser.prototype.remove = function (contentType) {
   if (!(typeof contentType === 'string' || contentType instanceof RegExp)) throw new FST_ERR_CTP_INVALID_TYPE()
 
-  delete this.customParsers[contentType]
+  this.customParsers.delete(contentType.toString())
 
   const parsers = typeof contentType === 'string' ? this.parserList : this.parserRegExpList
 
@@ -290,7 +295,7 @@ function Parser (asString, asBuffer, bodyLimit, fn) {
 function buildContentTypeParser (c) {
   const contentTypeParser = new ContentTypeParser()
   contentTypeParser[kDefaultJsonParse] = c[kDefaultJsonParse]
-  Object.assign(contentTypeParser.customParsers, c.customParsers)
+  contentTypeParser.customParsers = new Map(c.customParsers.entries())
   contentTypeParser.parserList = c.parserList.slice()
   return contentTypeParser
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastify",
-  "version": "3.29.1",
+  "version": "3.29.3",
   "description": "Fast and low overhead web framework, for Node.js",
   "main": "fastify.js",
   "type": "commonjs",

package/test/content-parser.test.js

@@ -181,7 +181,7 @@ test('add', t => {
     const contentTypeParser = fastify[keys.kContentTypeParser]
 
     contentTypeParser.add('*', {}, first)
-    t.equal(contentTypeParser.customParsers[''].fn, first)
+    t.equal(contentTypeParser.customParsers.get('').fn, first)
   })
 
   t.end()
@@ -239,7 +239,7 @@ test('remove', t => {
 
     contentTypeParser.remove('image/png')
 
-    t.same(Object.keys(contentTypeParser.customParsers).length, 2)
+    t.same(contentTypeParser.customParsers.size, 2)
   })
 
   t.end()
@@ -262,3 +262,69 @@ test('remove all should remove all existing parsers and reset cache', t => {
   t.same(contentTypeParser.parserRegExpList.length, 0)
   t.same(Object.keys(contentTypeParser.customParsers).length, 0)
 })
+
+test('Safeguard against malicious content-type / 1', async t => {
+  const badNames = Object.getOwnPropertyNames({}.__proto__) // eslint-disable-line
+  t.plan(badNames.length)
+
+  const fastify = Fastify()
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  for (const prop of badNames) {
+    const response = await fastify.inject({
+      method: 'POST',
+      path: '/',
+      headers: {
+        'content-type': prop
+      },
+      body: ''
+    })
+
+    t.same(response.statusCode, 415)
+  }
+})
+
+test('Safeguard against malicious content-type / 2', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  const response = await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': '\\u0063\\u006fnstructor'
+    },
+    body: ''
+  })
+
+  t.same(response.statusCode, 415)
+})
+
+test('Safeguard against malicious content-type / 3', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  const response = await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'constructor; charset=utf-8'
+    },
+    body: ''
+  })
+
+  t.same(response.statusCode, 415)
+})

package/test/request-error.test.js

@@ -2,6 +2,7 @@
 
 const { connect } = require('net')
 const t = require('tap')
+const semver = require('semver')
 const test = t.test
 const Fastify = require('..')
 const { kRequest } = require('../lib/symbols.js')
@@ -153,7 +154,7 @@ test('default clientError handler ignores sockets in destroyed state', t => {
 })
 
 test('default clientError handler destroys sockets in writable state', t => {
-  t.plan(1)
+  t.plan(2)
 
   const fastify = Fastify({
     bodyLimit: 1,
@@ -169,6 +170,9 @@ test('default clientError handler destroys sockets in writable state', t => {
     },
     destroy () {
       t.pass('destroy should be called')
+    },
+    write (response) {
+      t.match(response, /^HTTP\/1.1 400 Bad Request/)
     }
   })
 })
@@ -189,6 +193,9 @@ test('default clientError handler destroys http sockets in non-writable state',
     },
     destroy () {
       t.pass('destroy should be called')
+    },
+    write (response) {
+      t.fail('write should not be called')
     }
   })
 })
@@ -273,3 +280,42 @@ test('encapsulated error handler binding', t => {
     t.equal(fastify.hello, undefined)
   })
 })
+
+const skip = semver.lt(process.versions.node, '11.0.0')
+
+test('default clientError replies with bad request on reused keep-alive connection', { skip }, t => {
+  t.plan(2)
+
+  let response = ''
+
+  const fastify = Fastify({
+    bodyLimit: 1,
+    keepAliveTimeout: 100
+  })
+
+  fastify.get('/', (request, reply) => {
+    reply.send('OK\n')
+  })
+
+  fastify.listen({ port: 0 }, function (err) {
+    t.error(err)
+    fastify.server.unref()
+
+    const client = connect(fastify.server.address().port)
+
+    client.on('data', chunk => {
+      response += chunk.toString('utf-8')
+    })
+
+    client.on('end', () => {
+      t.match(response, /^HTTP\/1.1 200 OK.*HTTP\/1.1 400 Bad Request/s)
+    })
+
+    client.resume()
+    client.write('GET / HTTP/1.1\r\n')
+    client.write('\r\n\r\n')
+    client.write('GET /?a b HTTP/1.1\r\n')
+    client.write('Connection: close\r\n')
+    client.write('\r\n\r\n')
+  })
+})