fastify 5.8.0 → 5.8.1

package/fastify.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const VERSION = '5.7.4'
+const VERSION = '5.8.1'
 
 const Avvio = require('avvio')
 const http = require('node:http')

package/lib/content-type.js

@@ -11,7 +11,9 @@ const keyValuePairsReg = /([\w!#$%&'*+.^`|~-]+)=([^;]*)/gm
 
 /**
  * typeNameReg is used to validate that the first part of the media-type
- * does not use disallowed characters.
+ * does not use disallowed characters. Types must consist solely of
+ * characters that match the specified character class. It must terminate
+ * with a matching character.
  *
  * @see https://httpwg.org/specs/rfc9110.html#rule.token.separators
  * @type {RegExp}
@@ -20,12 +22,16 @@ const typeNameReg = /^[\w!#$%&'*+.^`|~-]+$/
 
 /**
  * subtypeNameReg is used to validate that the second part of the media-type
- * does not use disallowed characters.
+ * does not use disallowed characters. Subtypes must consist solely of
+ * characters that match the specified character class, and optionally
+ * terminated with any amount of whitespace characters. Without the terminating
+ * anchor (`$`), the regular expression will match the leading portion of a
+ * string instead of the whole string.
  *
  * @see https://httpwg.org/specs/rfc9110.html#rule.token.separators
  * @type {RegExp}
  */
-const subtypeNameReg = /^[\w!#$%&'*+.^`|~-]+\s*/
+const subtypeNameReg = /^[\w!#$%&'*+.^`|~-]+\s*$/
 
 /**
  * ContentType parses and represents the value of the content-type header.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastify",
-  "version": "5.8.0",
+  "version": "5.8.1",
   "description": "Fast and low overhead web framework, for Node.js",
   "main": "fastify.js",
   "type": "commonjs",

package/test/content-type.test.js

@@ -74,6 +74,44 @@ describe('ContentType class', () => {
     found = new ContentType('foo/π; param=1')
     t.assert.equal(found.isEmpty, true)
     t.assert.equal(found.isValid, false)
+
+    found = new ContentType('application/json<script>alert(1)</script>')
+    t.assert.equal(found.isEmpty, true)
+    t.assert.equal(found.isValid, false)
+
+    found = new ContentType('application/json/extra/slashes')
+    t.assert.equal(found.isEmpty, true)
+    t.assert.equal(found.isValid, false)
+
+    found = new ContentType('application/json(garbage)')
+    t.assert.equal(found.isEmpty, true)
+    t.assert.equal(found.isValid, false)
+
+    found = new ContentType('application/json@evil')
+    t.assert.equal(found.isEmpty, true)
+    t.assert.equal(found.isValid, false)
+
+    found = new ContentType('application/json\x00garbage')
+    t.assert.equal(found.isEmpty, true)
+    t.assert.equal(found.isValid, false)
+  })
+
+  test('subtype with multiple fields validates as incorrect', (t) => {
+    let found = new ContentType('application/json whatever')
+    t.assert.equal(found.isValid, false)
+    t.assert.equal(found.isEmpty, true)
+
+    found = new ContentType('application/    json whatever')
+    t.assert.equal(found.isValid, false)
+    t.assert.equal(found.isEmpty, true)
+
+    found = new ContentType('application/json whatever; foo=bar')
+    t.assert.equal(found.isValid, false)
+    t.assert.equal(found.isEmpty, true)
+
+    found = new ContentType('application/    json whatever; foo=bar')
+    t.assert.equal(found.isValid, false)
+    t.assert.equal(found.isEmpty, true)
   })
 
   test('returns a plain media type instance', (t) => {