fastify 4.10.0 → 4.10.2

package/docs/Guides/Ecosystem.md

@@ -265,6 +265,8 @@ section.
 - [`fastify-cockroachdb`](https://github.com/alex-ppg/fastify-cockroachdb)
   Fastify plugin to connect to a CockroachDB PostgreSQL instance via the
   Sequelize ORM.
+- [`fastify-constraints`](https://github.com/nearform/fastify-constraints)
+  Fastify plugin to add constraints to multiple routes
 - [`fastify-couchdb`](https://github.com/nigelhanlon/fastify-couchdb) Fastify
   plugin to add CouchDB support via [nano](https://github.com/apache/nano).
 - [`fastify-crud-generator`](https://github.com/beliven-it/fastify-crud-generator)

package/fastify.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const VERSION = '4.10.0'
+const VERSION = '4.10.2'
 
 const Avvio = require('avvio')
 const http = require('http')

package/lib/contentTypeParser.js

@@ -2,6 +2,8 @@
 
 const { AsyncResource } = require('async_hooks')
 const lru = require('tiny-lru').lru
+// TODO: find more perforamant solution
+const { parse: parseContentType } = require('content-type')
 
 const secureJson = require('secure-json-parse')
 const {
@@ -33,7 +35,7 @@ function ContentTypeParser (bodyLimit, onProtoPoisoning, onConstructorPoisoning)
   this.customParsers = new Map()
   this.customParsers.set('application/json', new Parser(true, false, bodyLimit, this[kDefaultJsonParse]))
   this.customParsers.set('text/plain', new Parser(true, false, bodyLimit, defaultPlainTextParser))
-  this.parserList = ['application/json', 'text/plain']
+  this.parserList = [new ParserListItem('application/json'), new ParserListItem('text/plain')]
   this.parserRegExpList = []
   this.cache = lru(100)
 }
@@ -66,7 +68,7 @@ ContentTypeParser.prototype.add = function (contentType, opts, parserFn) {
     this.customParsers.set('', parser)
   } else {
     if (contentTypeIsString) {
-      this.parserList.unshift(contentType)
+      this.parserList.unshift(new ParserListItem(contentType))
     } else {
       this.parserRegExpList.unshift(contentType)
     }
@@ -97,11 +99,20 @@ ContentTypeParser.prototype.getParser = function (contentType) {
   const parser = this.cache.get(contentType)
   if (parser !== undefined) return parser
 
+  const parsed = safeParseContentType(contentType)
+
+  // dummyContentType always the same object
+  // we can use === for the comparsion and return early
+  if (parsed === dummyContentType) {
+    return this.customParsers.get('')
+  }
+
   // eslint-disable-next-line no-var
   for (var i = 0; i !== this.parserList.length; ++i) {
-    const parserName = this.parserList[i]
-    if (contentType.indexOf(parserName) !== -1) {
-      const parser = this.customParsers.get(parserName)
+    const parserListItem = this.parserList[i]
+    if (compareContentType(parsed, parserListItem)) {
+      const parser = this.customParsers.get(parserListItem.name)
+      // we set request content-type in cache to reduce parsing of MIME type
       this.cache.set(contentType, parser)
       return parser
     }
@@ -110,8 +121,9 @@ ContentTypeParser.prototype.getParser = function (contentType) {
   // eslint-disable-next-line no-var
   for (var j = 0; j !== this.parserRegExpList.length; ++j) {
     const parserRegExp = this.parserRegExpList[j]
-    if (parserRegExp.test(contentType)) {
+    if (compareRegExpContentType(contentType, parsed.type, parserRegExp)) {
       const parser = this.customParsers.get(parserRegExp.toString())
+      // we set request content-type in cache to reduce parsing of MIME type
       this.cache.set(contentType, parser)
       return parser
     }
@@ -346,6 +358,63 @@ function removeAllContentTypeParsers () {
   this[kContentTypeParser].removeAll()
 }
 
+// dummy here to prevent repeated object creation
+const dummyContentType = { type: '', parameters: Object.create(null) }
+
+function safeParseContentType (contentType) {
+  try {
+    return parseContentType(contentType)
+  } catch (err) {
+    return dummyContentType
+  }
+}
+
+function compareContentType (contentType, parserListItem) {
+  if (parserListItem.isEssence) {
+    // we do essence check
+    return contentType.type.indexOf(parserListItem) !== -1
+  } else {
+    // when the content-type includes parameters
+    // we do a full-text search
+    // reject essence content-type before checking parameters
+    if (contentType.type.indexOf(parserListItem.type) === -1) return false
+    for (const key of parserListItem.parameterKeys) {
+      // reject when missing parameters
+      if (!(key in contentType.parameters)) return false
+      // reject when parameters do not match
+      if (contentType.parameters[key] !== parserListItem.parameters[key]) return false
+    }
+    return true
+  }
+}
+
+function compareRegExpContentType (contentType, essenceMIMEType, regexp) {
+  if (regexp.source.indexOf(';') === -1) {
+    // we do essence check
+    return regexp.test(essenceMIMEType)
+  } else {
+    // when the content-type includes parameters
+    // we do a full-text match
+    return regexp.test(contentType)
+  }
+}
+
+function ParserListItem (contentType) {
+  this.name = contentType
+  // we pre-calculate all the needed information
+  // before content-type comparsion
+  const parsed = safeParseContentType(contentType)
+  this.type = parsed.type
+  this.parameters = parsed.parameters
+  this.parameterKeys = Object.keys(parsed.parameters)
+  this.isEssence = contentType.indexOf(';') === -1
+}
+
+// used in ContentTypeParser.remove
+ParserListItem.prototype.toString = function () {
+  return this.name
+}
+
 module.exports = ContentTypeParser
 module.exports.helpers = {
   buildContentTypeParser,

package/package.json

@@ -1,10 +1,32 @@
 {
   "name": "fastify",
-  "version": "4.10.0",
+  "version": "4.10.2",
   "description": "Fast and low overhead web framework, for Node.js",
   "main": "fastify.js",
   "type": "commonjs",
   "types": "fastify.d.ts",
+  "scripts": {
+    "bench": "branchcmp -r 2 -g -s \"npm run benchmark\"",
+    "benchmark": "npx concurrently -k -s first \"node ./examples/benchmark/simple.js\" \"npx autocannon -c 100 -d 30 -p 10 localhost:3000/\"",
+    "coverage": "npm run unit -- --cov --coverage-report=html",
+    "coverage:ci": "npm run unit -- --cov --coverage-report=html --no-browser --no-check-coverage -R terse",
+    "coverage:ci-check-coverage": "nyc check-coverage --branches 100 --functions 100 --lines 100 --statements 100",
+    "license-checker": "license-checker --production --onlyAllow=\"MIT;ISC;BSD-3-Clause;BSD-2-Clause\"",
+    "lint": "npm run lint:standard && npm run lint:typescript && npm run lint:markdown",
+    "lint:fix": "standard --fix",
+    "lint:markdown": "markdownlint-cli2",
+    "lint:standard": "standard | snazzy",
+    "lint:typescript": "eslint -c types/.eslintrc.json types/**/*.d.ts test/types/**/*.test-d.ts",
+    "prepublishOnly": "PREPUBLISH=true tap --no-check-coverage test/build/**.test.js",
+    "test": "npm run lint && npm run unit && npm run test:typescript",
+    "test:ci": "npm run unit -- -R terse --cov --coverage-report=lcovonly && npm run test:typescript",
+    "test:report": "npm run lint && npm run unit:report && npm run test:typescript",
+    "test:typescript": "tsc test/types/import.ts && tsd",
+    "test:watch": "npm run unit -- -w --no-coverage-report -R terse",
+    "unit": "tap",
+    "unit:junit": "tap-mocha-reporter xunit < out.tap > test/junit-testresults.xml",
+    "unit:report": "tap --cov --coverage-report=html --coverage-report=cobertura | tee out.tap"
+  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/fastify/fastify.git"
@@ -105,7 +127,7 @@
   "devDependencies": {
     "@fastify/pre-commit": "^2.0.2",
     "@sinclair/typebox": "^0.25.2",
-    "@sinonjs/fake-timers": "^9.1.2",
+    "@sinonjs/fake-timers": "^10.0.0",
     "@types/node": "^18.7.18",
     "@typescript-eslint/eslint-plugin": "^5.37.0",
     "@typescript-eslint/parser": "^5.37.0",
@@ -154,6 +176,7 @@
     "@fastify/fast-json-stringify-compiler": "^4.1.0",
     "abstract-logging": "^2.0.1",
     "avvio": "^8.2.0",
+    "content-type": "^1.0.4",
     "find-my-way": "^7.3.0",
     "light-my-request": "^5.6.1",
     "pino": "^8.5.0",
@@ -176,26 +199,5 @@
   },
   "tsd": {
     "directory": "test/types"
-  },
-  "scripts": {
-    "bench": "branchcmp -r 2 -g -s \"npm run benchmark\"",
-    "benchmark": "npx concurrently -k -s first \"node ./examples/benchmark/simple.js\" \"npx autocannon -c 100 -d 30 -p 10 localhost:3000/\"",
-    "coverage": "npm run unit -- --cov --coverage-report=html",
-    "coverage:ci": "npm run unit -- --cov --coverage-report=html --no-browser --no-check-coverage -R terse",
-    "coverage:ci-check-coverage": "nyc check-coverage --branches 100 --functions 100 --lines 100 --statements 100",
-    "license-checker": "license-checker --production --onlyAllow=\"MIT;ISC;BSD-3-Clause;BSD-2-Clause\"",
-    "lint": "npm run lint:standard && npm run lint:typescript && npm run lint:markdown",
-    "lint:fix": "standard --fix",
-    "lint:markdown": "markdownlint-cli2",
-    "lint:standard": "standard | snazzy",
-    "lint:typescript": "eslint -c types/.eslintrc.json types/**/*.d.ts test/types/**/*.test-d.ts",
-    "test": "npm run lint && npm run unit && npm run test:typescript",
-    "test:ci": "npm run unit -- -R terse --cov --coverage-report=lcovonly && npm run test:typescript",
-    "test:report": "npm run lint && npm run unit:report && npm run test:typescript",
-    "test:typescript": "tsc test/types/import.ts && tsd",
-    "test:watch": "npm run unit -- -w --no-coverage-report -R terse",
-    "unit": "tap",
-    "unit:junit": "tap-mocha-reporter xunit < out.tap > test/junit-testresults.xml",
-    "unit:report": "tap --cov --coverage-report=html --coverage-report=cobertura | tee out.tap"
   }
-}
+}

package/test/content-parser.test.js

@@ -395,3 +395,217 @@ test('Safeguard against malicious content-type / 3', async t => {
 
   t.same(response.statusCode, 415)
 })
+
+test('Safeguard against content-type spoofing - string', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('text/plain', function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+  fastify.addContentTypeParser('application/json', function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'text/plain; content-type="application/json"'
+    },
+    body: ''
+  })
+})
+
+test('Safeguard against content-type spoofing - regexp', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser(/text\/plain/, function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+  fastify.addContentTypeParser(/application\/json/, function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'text/plain; content-type="application/json"'
+    },
+    body: ''
+  })
+})
+
+test('content-type match parameters - string 1', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('text/plain; charset=utf8', function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+  fastify.addContentTypeParser('application/json; charset=utf8', function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; charset=utf8'
+    },
+    body: ''
+  })
+})
+
+test('content-type match parameters - string 2', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('application/json; charset=utf8; foo=bar', function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+  fastify.addContentTypeParser('text/plain; charset=utf8; foo=bar', function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; foo=bar; charset=utf8'
+    },
+    body: ''
+  })
+})
+
+test('content-type match parameters - regexp', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser(/application\/json; charset=utf8/, function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; charset=utf8'
+    },
+    body: ''
+  })
+})
+
+test('content-type fail when parameters not match - string 1', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('application/json; charset=utf8; foo=bar', function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  const response = await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; charset=utf8'
+    },
+    body: ''
+  })
+
+  t.same(response.statusCode, 415)
+})
+
+test('content-type fail when parameters not match - string 2', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('application/json; charset=utf8; foo=bar', function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  const response = await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; charset=utf8; foo=baz'
+    },
+    body: ''
+  })
+
+  t.same(response.statusCode, 415)
+})
+
+test('content-type fail when parameters not match - regexp', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser(/application\/json; charset=utf8; foo=bar/, function (request, body, done) {
+    t.fail('shouldn\'t be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  const response = await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; charset=utf8'
+    },
+    body: ''
+  })
+
+  t.same(response.statusCode, 415)
+})

package/test/custom-parser.test.js

@@ -1053,7 +1053,7 @@ test('The charset should not interfere with the content type handling', t => {
       url: getUrl(fastify),
       body: '{"hello":"world"}',
       headers: {
-        'Content-Type': 'application/json charset=utf-8'
+        'Content-Type': 'application/json; charset=utf-8'
       }
     }, (err, response, body) => {
       t.error(err)
@@ -1236,7 +1236,7 @@ test('contentTypeParser should add a custom parser with RegExp value', t => {
         url: getUrl(fastify),
         body: '{"hello":"world"}',
         headers: {
-          'Content-Type': 'weird-content-type+json'
+          'Content-Type': 'weird/content-type+json'
         }
       }, (err, response, body) => {
         t.error(err)
@@ -1266,7 +1266,7 @@ test('contentTypeParser should add multiple custom parsers with RegExp values',
     done(null, 'xml')
   })
 
-  fastify.addContentTypeParser(/.*\+myExtension$/, function (req, payload, done) {
+  fastify.addContentTypeParser(/.*\+myExtension$/i, function (req, payload, done) {
     let data = ''
     payload.on('data', chunk => { data += chunk })
     payload.on('end', () => {

package/test/server.test.js

@@ -36,19 +36,18 @@ test('listen should accept stringified number port', t => {
 
 test('listen should reject string port', async (t) => {
   t.plan(2)
-
   const fastify = Fastify()
   t.teardown(fastify.close.bind(fastify))
 
   try {
     await fastify.listen({ port: 'hello-world' })
   } catch (error) {
-    t.same(error.message, 'options.port should be >= 0 and < 65536. Received hello-world.')
+    t.equal(error.code, 'ERR_SOCKET_BAD_PORT')
   }
 
   try {
     await fastify.listen({ port: '1234hello' })
   } catch (error) {
-    t.same(error.message, 'options.port should be >= 0 and < 65536. Received 1234hello.')
+    t.equal(error.code, 'ERR_SOCKET_BAD_PORT')
   }
 })

package/test/types/logger.test-d.ts

@@ -183,6 +183,7 @@ expectDeprecated({} as FastifyLoggerInstance)
 const childParent = fastify().log
 // we test different option variant here
 expectType<FastifyLoggerInstance>(childParent.child({}, { level: 'info' }))
+expectType<FastifyLoggerInstance>(childParent.child({}, { level: 'silent' }))
 expectType<FastifyLoggerInstance>(childParent.child({}, { redact: ['pass', 'pin'] }))
 expectType<FastifyLoggerInstance>(childParent.child({}, { serializers: { key: () => {} } }))
 expectType<FastifyLoggerInstance>(childParent.child({}, { level: 'info', redact: ['pass', 'pin'], serializers: { key: () => {} } }))

package/types/logger.d.ts

@@ -13,7 +13,7 @@ import pino from 'pino'
  */
 export type FastifyLogFn = pino.LogFn
 
-export type LogLevel = pino.Level
+export type LogLevel = pino.LevelWithSilent
 
 export type Bindings = pino.Bindings