fastify 3.29.2 → 3.29.4

package/fastify.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const VERSION = '3.29.2'
+const VERSION = '3.29.4'
 
 const Avvio = require('avvio')
 const http = require('http')

package/lib/contentTypeParser.js

@@ -6,6 +6,7 @@ let lru = require('tiny-lru')
 // See https://github.com/fastify/fastify/issues/2356
 // and https://github.com/fastify/fastify/discussions/2907.
 lru = typeof lru === 'function' ? lru : lru.default
+const { parse: parseContentType } = require('content-type')
 
 const secureJson = require('secure-json-parse')
 const {
@@ -32,10 +33,11 @@ const warning = require('./warnings')
 
 function ContentTypeParser (bodyLimit, onProtoPoisoning, onConstructorPoisoning) {
   this[kDefaultJsonParse] = getDefaultJsonParser(onProtoPoisoning, onConstructorPoisoning)
-  this.customParsers = {}
-  this.customParsers['application/json'] = new Parser(true, false, bodyLimit, this[kDefaultJsonParse])
-  this.customParsers['text/plain'] = new Parser(true, false, bodyLimit, defaultPlainTextParser)
-  this.parserList = ['application/json', 'text/plain']
+  // using a map instead of a plain object to avoid prototype hijack attacks
+  this.customParsers = new Map()
+  this.customParsers.set('application/json', new Parser(true, false, bodyLimit, this[kDefaultJsonParse]))
+  this.customParsers.set('text/plain', new Parser(true, false, bodyLimit, defaultPlainTextParser))
+  this.parserList = [new ParserListItem('application/json'), new ParserListItem('text/plain')]
   this.parserRegExpList = []
   this.cache = lru(100)
 }
@@ -65,38 +67,56 @@ ContentTypeParser.prototype.add = function (contentType, opts, parserFn) {
   )
 
   if (contentTypeIsString && contentType === '*') {
-    this.customParsers[''] = parser
+    this.customParsers.set('', parser)
   } else {
     if (contentTypeIsString) {
-      this.parserList.unshift(contentType)
+      this.parserList.unshift(new ParserListItem(contentType))
     } else {
       this.parserRegExpList.unshift(contentType)
     }
-    this.customParsers[contentType] = parser
+    this.customParsers.set(contentType.toString(), parser)
   }
 }
 
 ContentTypeParser.prototype.hasParser = function (contentType) {
-  return contentType in this.customParsers
+  return this.customParsers.has(typeof contentType === 'string' ? contentType : contentType.toString())
 }
 
 ContentTypeParser.prototype.existingParser = function (contentType) {
-  if (contentType === 'application/json') {
-    return this.customParsers['application/json'] && this.customParsers['application/json'].fn !== this[kDefaultJsonParse]
+  if (contentType === 'application/json' && this.customParsers.has(contentType)) {
+    return this.customParsers.get(contentType).fn !== this[kDefaultJsonParse]
   }
-  if (contentType === 'text/plain') {
-    return this.customParsers['text/plain'] && this.customParsers['text/plain'].fn !== defaultPlainTextParser
+  if (contentType === 'text/plain' && this.customParsers.has(contentType)) {
+    return this.customParsers.get(contentType).fn !== defaultPlainTextParser
   }
 
-  return contentType in this.customParsers
+  return this.hasParser(contentType)
 }
 
 ContentTypeParser.prototype.getParser = function (contentType) {
+  if (this.hasParser(contentType)) {
+    return this.customParsers.get(contentType)
+  }
+
+  const parser = this.cache.get(contentType)
+  // TODO not covered by tests, this is a security backport
+  /* istanbul ignore next */
+  if (parser !== undefined) return parser
+
+  const parsed = safeParseContentType(contentType)
+
+  // dummyContentType always the same object
+  // we can use === for the comparsion and return early
+  if (parsed === dummyContentType) {
+    return this.customParsers.get('')
+  }
+
   // eslint-disable-next-line no-var
   for (var i = 0; i !== this.parserList.length; ++i) {
-    const parserName = this.parserList[i]
-    if (contentType.indexOf(parserName) > -1) {
-      const parser = this.customParsers[parserName]
+    const parserListItem = this.parserList[i]
+    if (compareContentType(parsed, parserListItem)) {
+      const parser = this.customParsers.get(parserListItem.name)
+      // we set request content-type in cache to reduce parsing of MIME type
       this.cache.set(contentType, parser)
       return parser
     }
@@ -105,18 +125,19 @@ ContentTypeParser.prototype.getParser = function (contentType) {
   // eslint-disable-next-line no-var
   for (var j = 0; j !== this.parserRegExpList.length; ++j) {
     const parserRegExp = this.parserRegExpList[j]
-    if (parserRegExp.test(contentType)) {
-      const parser = this.customParsers[parserRegExp]
+    if (compareRegExpContentType(contentType, parsed.type, parserRegExp)) {
+      const parser = this.customParsers.get(parserRegExp.toString())
+      // we set request content-type in cache to reduce parsing of MIME type
       this.cache.set(contentType, parser)
       return parser
     }
   }
 
-  return this.customParsers['']
+  return this.customParsers.get('')
 }
 
 ContentTypeParser.prototype.removeAll = function () {
-  this.customParsers = {}
+  this.customParsers = new Map()
   this.parserRegExpList = []
   this.parserList = []
   this.cache = lru(100)
@@ -125,7 +146,7 @@ ContentTypeParser.prototype.removeAll = function () {
 ContentTypeParser.prototype.remove = function (contentType) {
   if (!(typeof contentType === 'string' || contentType instanceof RegExp)) throw new FST_ERR_CTP_INVALID_TYPE()
 
-  delete this.customParsers[contentType]
+  this.customParsers.delete(contentType.toString())
 
   const parsers = typeof contentType === 'string' ? this.parserList : this.parserRegExpList
 
@@ -290,7 +311,7 @@ function Parser (asString, asBuffer, bodyLimit, fn) {
 function buildContentTypeParser (c) {
   const contentTypeParser = new ContentTypeParser()
   contentTypeParser[kDefaultJsonParse] = c[kDefaultJsonParse]
-  Object.assign(contentTypeParser.customParsers, c.customParsers)
+  contentTypeParser.customParsers = new Map(c.customParsers.entries())
   contentTypeParser.parserList = c.parserList.slice()
   return contentTypeParser
 }
@@ -343,6 +364,63 @@ function removeAllContentTypeParsers () {
   this[kContentTypeParser].removeAll()
 }
 
+// dummy here to prevent repeated object creation
+const dummyContentType = { type: '', parameters: Object.create(null) }
+
+function safeParseContentType (contentType) {
+  try {
+    return parseContentType(contentType)
+  } catch (err) {
+    return dummyContentType
+  }
+}
+
+function compareContentType (contentType, parserListItem) {
+  if (parserListItem.isEssence) {
+    // we do essence check
+    return contentType.type.indexOf(parserListItem) !== -1
+  } else {
+    // when the content-type includes parameters
+    // we do a full-text search
+    // reject essence content-type before checking parameters
+    if (contentType.type.indexOf(parserListItem.type) === -1) return false
+    for (const key of parserListItem.parameterKeys) {
+      // reject when missing parameters
+      if (!(key in contentType.parameters)) return false
+      // reject when parameters do not match
+      if (contentType.parameters[key] !== parserListItem.parameters[key]) return false
+    }
+    return true
+  }
+}
+
+function compareRegExpContentType (contentType, essenceMIMEType, regexp) {
+  if (regexp.source.indexOf(';') === -1) {
+    // we do essence check
+    return regexp.test(essenceMIMEType)
+  } else {
+    // when the content-type includes parameters
+    // we do a full-text match
+    return regexp.test(contentType)
+  }
+}
+
+function ParserListItem (contentType) {
+  this.name = contentType
+  // we pre-calculate all the needed information
+  // before content-type comparsion
+  const parsed = safeParseContentType(contentType)
+  this.type = parsed.type
+  this.parameters = parsed.parameters
+  this.parameterKeys = Object.keys(parsed.parameters)
+  this.isEssence = contentType.indexOf(';') === -1
+}
+
+// used in ContentTypeParser.remove
+ParserListItem.prototype.toString = function () {
+  return this.name
+}
+
 module.exports = ContentTypeParser
 module.exports.helpers = {
   buildContentTypeParser,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastify",
-  "version": "3.29.2",
+  "version": "3.29.4",
   "description": "Fast and low overhead web framework, for Node.js",
   "main": "fastify.js",
   "type": "commonjs",
@@ -187,6 +187,7 @@
     "light-my-request": "^4.2.0",
     "pino": "^6.13.0",
     "process-warning": "^1.0.0",
+    "content-type": "^1.0.4",
     "proxy-addr": "^2.0.7",
     "rfdc": "^1.1.4",
     "secure-json-parse": "^2.0.0",

package/test/content-parser.test.js

@@ -181,7 +181,7 @@ test('add', t => {
     const contentTypeParser = fastify[keys.kContentTypeParser]
 
     contentTypeParser.add('*', {}, first)
-    t.equal(contentTypeParser.customParsers[''].fn, first)
+    t.equal(contentTypeParser.customParsers.get('').fn, first)
   })
 
   t.end()
@@ -239,7 +239,7 @@ test('remove', t => {
 
     contentTypeParser.remove('image/png')
 
-    t.same(Object.keys(contentTypeParser.customParsers).length, 2)
+    t.same(contentTypeParser.customParsers.size, 2)
   })
 
   t.end()
@@ -262,3 +262,283 @@ test('remove all should remove all existing parsers and reset cache', t => {
   t.same(contentTypeParser.parserRegExpList.length, 0)
   t.same(Object.keys(contentTypeParser.customParsers).length, 0)
 })
+
+test('Safeguard against malicious content-type / 1', async t => {
+  const badNames = Object.getOwnPropertyNames({}.__proto__) // eslint-disable-line
+  t.plan(badNames.length)
+
+  const fastify = Fastify()
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  for (const prop of badNames) {
+    const response = await fastify.inject({
+      method: 'POST',
+      path: '/',
+      headers: {
+        'content-type': prop
+      },
+      body: ''
+    })
+
+    t.same(response.statusCode, 415)
+  }
+})
+
+test('Safeguard against malicious content-type / 2', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  const response = await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': '\\u0063\\u006fnstructor'
+    },
+    body: ''
+  })
+
+  t.same(response.statusCode, 415)
+})
+
+test('Safeguard against malicious content-type / 3', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  const response = await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'constructor; charset=utf-8'
+    },
+    body: ''
+  })
+
+  t.same(response.statusCode, 415)
+})
+
+test('Safeguard against content-type spoofing - string', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('text/plain', function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+  fastify.addContentTypeParser('application/json', function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'text/plain; content-type="application/json"'
+    },
+    body: ''
+  })
+})
+
+test('Safeguard against content-type spoofing - regexp', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser(/text\/plain/, function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+  fastify.addContentTypeParser(/application\/json/, function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'text/plain; content-type="application/json"'
+    },
+    body: ''
+  })
+})
+
+test('content-type match parameters - string 1', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('text/plain; charset=utf8', function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+  fastify.addContentTypeParser('application/json; charset=utf8', function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; charset=utf8'
+    },
+    body: ''
+  })
+})
+
+test('content-type match parameters - string 2', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('application/json; charset=utf8; foo=bar', function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+  fastify.addContentTypeParser('text/plain; charset=utf8; foo=bar', function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; foo=bar; charset=utf8'
+    },
+    body: ''
+  })
+})
+
+test('content-type match parameters - regexp', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser(/application\/json; charset=utf8/, function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; charset=utf8'
+    },
+    body: ''
+  })
+})
+
+test('content-type fail when parameters not match - string 1', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('application/json; charset=utf8; foo=bar', function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  const response = await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; charset=utf8'
+    },
+    body: ''
+  })
+
+  t.same(response.statusCode, 415)
+})
+
+test('content-type fail when parameters not match - string 2', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('application/json; charset=utf8; foo=bar', function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  const response = await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; charset=utf8; foo=baz'
+    },
+    body: ''
+  })
+
+  t.same(response.statusCode, 415)
+})
+
+test('content-type fail when parameters not match - regexp', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser(/application\/json; charset=utf8; foo=bar/, function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  const response = await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; charset=utf8'
+    },
+    body: ''
+  })
+
+  t.same(response.statusCode, 415)
+})

package/test/custom-parser.test.js

@@ -1120,7 +1120,7 @@ test('The charset should not interfere with the content type handling', t => {
       url: 'http://localhost:' + fastify.server.address().port,
       body: '{"hello":"world"}',
       headers: {
-        'Content-Type': 'application/json charset=utf-8'
+        'Content-Type': 'application/json; charset=utf-8'
       }
     }, (err, response, body) => {
       t.error(err)
@@ -1303,7 +1303,7 @@ test('contentTypeParser should add a custom parser with RegExp value', t => {
         url: 'http://localhost:' + fastify.server.address().port,
         body: '{"hello":"world"}',
         headers: {
-          'Content-Type': 'weird-content-type+json'
+          'Content-Type': 'weird/content-type+json'
         }
       }, (err, response, body) => {
         t.error(err)
@@ -1333,7 +1333,7 @@ test('contentTypeParser should add multiple custom parsers with RegExp values',
     done(null, 'xml')
   })
 
-  fastify.addContentTypeParser(/.*\+myExtension$/, function (req, payload, done) {
+  fastify.addContentTypeParser(/.*\+myExtension$/i, function (req, payload, done) {
     let data = ''
     payload.on('data', chunk => { data += chunk })
     payload.on('end', () => {