npm - h3 - Versions diffs - 1.6.0 → 1.6.2 - Mend

h3 1.6.0 → 1.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.cjs CHANGED Viewed

@@ -108,10 +108,10 @@ class H3Error extends Error {
   toJSON() {
     const obj = {
       message: this.message,
-      statusCode: this.statusCode
+      statusCode: sanitizeStatusCode(this.statusCode, 500)
     };
     if (this.statusMessage) {
-      obj.statusMessage = this.statusMessage;
+      obj.statusMessage = sanitizeStatusMessage(this.statusMessage);
     }
     if (this.data !== void 0) {
       obj.data = this.data;
@@ -150,15 +150,24 @@ function createError(input) {
     err.data = input.data;
   }
   if (input.statusCode) {
-    err.statusCode = input.statusCode;
+    err.statusCode = sanitizeStatusCode(input.statusCode, err.statusCode);
   } else if (input.status) {
-    err.statusCode = input.status;
+    err.statusCode = sanitizeStatusCode(input.status, err.statusCode);
   }
   if (input.statusMessage) {
     err.statusMessage = input.statusMessage;
   } else if (input.statusText) {
     err.statusMessage = input.statusText;
   }
+  if (err.statusMessage) {
+    const originalMessage = err.statusMessage;
+    const sanitizedMessage = sanitizeStatusMessage(err.statusMessage);
+    if (sanitizedMessage !== originalMessage) {
+      console.warn(
+        "[h3] Please prefer using `message` for longer error messages instead of `statusMessage`. In the future `statusMessage` will be sanitized by default."
+      );
+    }
+  }
   if (input.fatal !== void 0) {
     err.fatal = input.fatal;
   }
@@ -185,12 +194,7 @@ function sendError(event, error, debug) {
     return;
   }
   const _code = Number.parseInt(h3Error.statusCode);
-  if (_code) {
-    event.node.res.statusCode = _code;
-  }
-  if (h3Error.statusMessage) {
-    event.node.res.statusMessage = h3Error.statusMessage;
-  }
+  setResponseStatus(event, _code, h3Error.statusMessage);
   event.node.res.setHeader("content-type", MIMES.json);
   event.node.res.end(JSON.stringify(responseBody, void 0, 2));
 }
@@ -451,6 +455,23 @@ function splitCookiesString(cookiesString) {
   return cookiesStrings;
 }
+const DISALLOWED_STATUS_CHARS = /[^\u0009\u0020-\u007E]/g;
+function sanitizeStatusMessage(statusMessage = "") {
+  return statusMessage.replace(DISALLOWED_STATUS_CHARS, "");
+}
+function sanitizeStatusCode(statusCode, defaultStatusCode = 200) {
+  if (!statusCode) {
+    return defaultStatusCode;
+  }
+  if (typeof statusCode === "string") {
+    statusCode = Number.parseInt(statusCode, 10);
+  }
+  if (statusCode < 100 || statusCode > 999) {
+    return defaultStatusCode;
+  }
+  return statusCode;
+}
 const PayloadMethods = /* @__PURE__ */ new Set(["PATCH", "POST", "PUT", "DELETE"]);
 const ignoredHeaders = /* @__PURE__ */ new Set([
   "transfer-encoding",
@@ -488,8 +509,11 @@ async function sendProxy(event, target, opts = {}) {
     headers: opts.headers,
     ...opts.fetchOptions
   });
-  event.node.res.statusCode = response.status;
-  event.node.res.statusMessage = response.statusText;
+  event.node.res.statusCode = sanitizeStatusCode(
+    response.status,
+    event.node.res.statusCode
+  );
+  event.node.res.statusMessage = sanitizeStatusMessage(response.statusText);
   for (const [key, value] of response.headers.entries()) {
     if (key === "content-encoding") {
       continue;
@@ -594,16 +618,21 @@ function send(event, data, type) {
   });
 }
 function sendNoContent(event, code = 204) {
-  event.node.res.statusCode = code;
+  event.node.res.statusCode = sanitizeStatusCode(code, 204);
   if (event.node.res.statusCode === 204) {
     event.node.res.removeHeader("content-length");
   }
   event.node.res.end();
 }
 function setResponseStatus(event, code, text) {
-  event.node.res.statusCode = code;
+  if (code) {
+    event.node.res.statusCode = sanitizeStatusCode(
+      code,
+      event.node.res.statusCode
+    );
+  }
   if (text) {
-    event.node.res.statusMessage = text;
+    event.node.res.statusMessage = sanitizeStatusMessage(text);
   }
 }
 function getResponseStatus(event) {
@@ -618,7 +647,10 @@ function defaultContentType(event, type) {
   }
 }
 function sendRedirect(event, location, code = 302) {
-  event.node.res.statusCode = code;
+  event.node.res.statusCode = sanitizeStatusCode(
+    code,
+    event.node.res.statusCode
+  );
   event.node.res.setHeader("location", location);
   const encodedLoc = location.replace(/"/g, "%22");
   const html = `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}"></head></html>`;
@@ -1069,10 +1101,13 @@ class H3Event {
         this.res.setHeader(key, value);
       }
       if (response.status) {
-        this.res.statusCode = response.status;
+        this.res.statusCode = sanitizeStatusCode(
+          response.status,
+          this.res.statusCode
+        );
       }
       if (response.statusText) {
-        this.res.statusMessage = response.statusText;
+        this.res.statusMessage = sanitizeStatusMessage(response.statusText);
       }
       if (response.redirected) {
         this.res.setHeader("location", response.url);
@@ -1464,6 +1499,8 @@ exports.proxyRequest = proxyRequest;
 exports.readBody = readBody;
 exports.readMultipartFormData = readMultipartFormData;
 exports.readRawBody = readRawBody;
+exports.sanitizeStatusCode = sanitizeStatusCode;
+exports.sanitizeStatusMessage = sanitizeStatusMessage;
 exports.sealSession = sealSession;
 exports.send = send;
 exports.sendError = sendError;

package/dist/index.d.ts CHANGED Viewed

@@ -346,7 +346,7 @@ declare function send(event: H3Event, data?: any, type?: string): Promise<void>;
  * @param code status code to be send. By default, it is `204 No Content`.
  */
 declare function sendNoContent(event: H3Event, code?: number): void;
-declare function setResponseStatus(event: H3Event, code: number, text?: string): void;
+declare function setResponseStatus(event: H3Event, code?: number, text?: string): void;
 declare function getResponseStatus(event: H3Event): number;
 declare function getResponseStatusText(event: H3Event): string;
 declare function defaultContentType(event: H3Event, type?: string): void;
@@ -384,6 +384,9 @@ declare function isCorsOriginAllowed(origin: ReturnType<typeof getRequestHeaders
 declare function appendCorsPreflightHeaders(event: H3Event, options: H3CorsOptions): void;
 declare function appendCorsHeaders(event: H3Event, options: H3CorsOptions): void;
+declare function sanitizeStatusMessage(statusMessage?: string): string;
+declare function sanitizeStatusCode(statusCode: string | number, defaultStatusCode?: number): number;
 type RouterMethod = Lowercase<HTTPMethod>;
 type RouterUse = (path: string, handler: EventHandler, method?: RouterMethod | RouterMethod[]) => Router;
 type AddRouteShortcuts = Record<RouterMethod, RouterUse>;
@@ -399,4 +402,4 @@ interface CreateRouterOptions {
 }
 declare function createRouter(opts?: CreateRouterOptions): Router;
-export { AddRouteShortcuts, App, AppOptions, AppUse, CacheConditions, CreateRouterOptions, DynamicEventHandler, Encoding, EventHandler, EventHandlerResponse, H3CorsOptions, H3Error, H3Event, H3EventContext, H3Headers, H3Response, HTTPMethod, InputLayer, InputStack, Layer, LazyEventHandler, MIMES, Matcher, MultiPartData, NodeEventContext, NodeListener, NodeMiddleware, NodePromisifiedHandler, ProxyOptions, RequestHeaders, Router, RouterMethod, RouterUse, Session, SessionConfig, SessionData, Stack, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getRequestHost, getRequestProtocol, getRequestURL, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, splitCookiesString, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };
+export { AddRouteShortcuts, App, AppOptions, AppUse, CacheConditions, CreateRouterOptions, DynamicEventHandler, Encoding, EventHandler, EventHandlerResponse, H3CorsOptions, H3Error, H3Event, H3EventContext, H3Headers, H3Response, HTTPMethod, InputLayer, InputStack, Layer, LazyEventHandler, MIMES, Matcher, MultiPartData, NodeEventContext, NodeListener, NodeMiddleware, NodePromisifiedHandler, ProxyOptions, RequestHeaders, Router, RouterMethod, RouterUse, Session, SessionConfig, SessionData, Stack, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getRequestHost, getRequestProtocol, getRequestURL, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sanitizeStatusCode, sanitizeStatusMessage, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, splitCookiesString, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };

package/dist/index.mjs CHANGED Viewed

@@ -106,10 +106,10 @@ class H3Error extends Error {
   toJSON() {
     const obj = {
       message: this.message,
-      statusCode: this.statusCode
+      statusCode: sanitizeStatusCode(this.statusCode, 500)
     };
     if (this.statusMessage) {
-      obj.statusMessage = this.statusMessage;
+      obj.statusMessage = sanitizeStatusMessage(this.statusMessage);
     }
     if (this.data !== void 0) {
       obj.data = this.data;
@@ -148,15 +148,24 @@ function createError(input) {
     err.data = input.data;
   }
   if (input.statusCode) {
-    err.statusCode = input.statusCode;
+    err.statusCode = sanitizeStatusCode(input.statusCode, err.statusCode);
   } else if (input.status) {
-    err.statusCode = input.status;
+    err.statusCode = sanitizeStatusCode(input.status, err.statusCode);
   }
   if (input.statusMessage) {
     err.statusMessage = input.statusMessage;
   } else if (input.statusText) {
     err.statusMessage = input.statusText;
   }
+  if (err.statusMessage) {
+    const originalMessage = err.statusMessage;
+    const sanitizedMessage = sanitizeStatusMessage(err.statusMessage);
+    if (sanitizedMessage !== originalMessage) {
+      console.warn(
+        "[h3] Please prefer using `message` for longer error messages instead of `statusMessage`. In the future `statusMessage` will be sanitized by default."
+      );
+    }
+  }
   if (input.fatal !== void 0) {
     err.fatal = input.fatal;
   }
@@ -183,12 +192,7 @@ function sendError(event, error, debug) {
     return;
   }
   const _code = Number.parseInt(h3Error.statusCode);
-  if (_code) {
-    event.node.res.statusCode = _code;
-  }
-  if (h3Error.statusMessage) {
-    event.node.res.statusMessage = h3Error.statusMessage;
-  }
+  setResponseStatus(event, _code, h3Error.statusMessage);
   event.node.res.setHeader("content-type", MIMES.json);
   event.node.res.end(JSON.stringify(responseBody, void 0, 2));
 }
@@ -449,6 +453,23 @@ function splitCookiesString(cookiesString) {
   return cookiesStrings;
 }
+const DISALLOWED_STATUS_CHARS = /[^\u0009\u0020-\u007E]/g;
+function sanitizeStatusMessage(statusMessage = "") {
+  return statusMessage.replace(DISALLOWED_STATUS_CHARS, "");
+}
+function sanitizeStatusCode(statusCode, defaultStatusCode = 200) {
+  if (!statusCode) {
+    return defaultStatusCode;
+  }
+  if (typeof statusCode === "string") {
+    statusCode = Number.parseInt(statusCode, 10);
+  }
+  if (statusCode < 100 || statusCode > 999) {
+    return defaultStatusCode;
+  }
+  return statusCode;
+}
 const PayloadMethods = /* @__PURE__ */ new Set(["PATCH", "POST", "PUT", "DELETE"]);
 const ignoredHeaders = /* @__PURE__ */ new Set([
   "transfer-encoding",
@@ -486,8 +507,11 @@ async function sendProxy(event, target, opts = {}) {
     headers: opts.headers,
     ...opts.fetchOptions
   });
-  event.node.res.statusCode = response.status;
-  event.node.res.statusMessage = response.statusText;
+  event.node.res.statusCode = sanitizeStatusCode(
+    response.status,
+    event.node.res.statusCode
+  );
+  event.node.res.statusMessage = sanitizeStatusMessage(response.statusText);
   for (const [key, value] of response.headers.entries()) {
     if (key === "content-encoding") {
       continue;
@@ -592,16 +616,21 @@ function send(event, data, type) {
   });
 }
 function sendNoContent(event, code = 204) {
-  event.node.res.statusCode = code;
+  event.node.res.statusCode = sanitizeStatusCode(code, 204);
   if (event.node.res.statusCode === 204) {
     event.node.res.removeHeader("content-length");
   }
   event.node.res.end();
 }
 function setResponseStatus(event, code, text) {
-  event.node.res.statusCode = code;
+  if (code) {
+    event.node.res.statusCode = sanitizeStatusCode(
+      code,
+      event.node.res.statusCode
+    );
+  }
   if (text) {
-    event.node.res.statusMessage = text;
+    event.node.res.statusMessage = sanitizeStatusMessage(text);
   }
 }
 function getResponseStatus(event) {
@@ -616,7 +645,10 @@ function defaultContentType(event, type) {
   }
 }
 function sendRedirect(event, location, code = 302) {
-  event.node.res.statusCode = code;
+  event.node.res.statusCode = sanitizeStatusCode(
+    code,
+    event.node.res.statusCode
+  );
   event.node.res.setHeader("location", location);
   const encodedLoc = location.replace(/"/g, "%22");
   const html = `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}"></head></html>`;
@@ -1067,10 +1099,13 @@ class H3Event {
         this.res.setHeader(key, value);
       }
       if (response.status) {
-        this.res.statusCode = response.status;
+        this.res.statusCode = sanitizeStatusCode(
+          response.status,
+          this.res.statusCode
+        );
       }
       if (response.statusText) {
-        this.res.statusMessage = response.statusText;
+        this.res.statusMessage = sanitizeStatusMessage(response.statusText);
       }
       if (response.redirected) {
         this.res.setHeader("location", response.url);
@@ -1399,4 +1434,4 @@ function createRouter(opts = {}) {
   return router;
 }
-export { H3Error, H3Event, H3Headers, H3Response, MIMES, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getRequestHost, getRequestProtocol, getRequestURL, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, splitCookiesString, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };
+export { H3Error, H3Event, H3Headers, H3Response, MIMES, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getRequestHost, getRequestProtocol, getRequestURL, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sanitizeStatusCode, sanitizeStatusMessage, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, splitCookiesString, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "h3",
-  "version": "1.6.0",
+  "version": "1.6.2",
   "description": "Tiny JavaScript Server",
   "repository": "unjs/h3",
   "license": "MIT",
@@ -23,7 +23,7 @@
     "cookie-es": "^0.5.0",
     "defu": "^6.1.2",
     "destr": "^1.2.2",
-    "iron-webcrypto": "^0.5.0",
+    "iron-webcrypto": "^0.6.0",
     "radix3": "^1.0.0",
     "ufo": "^1.1.1",
     "uncrypto": "^0.1.2"
@@ -31,18 +31,18 @@
   "devDependencies": {
     "0x": "^5.5.0",
     "@types/express": "^4.17.17",
-    "@types/node": "^18.15.0",
+    "@types/node": "^18.15.3",
     "@types/supertest": "^2.0.12",
     "@vitest/coverage-c8": "^0.29.2",
     "autocannon": "^7.10.0",
     "changelogen": "^0.5.1",
     "connect": "^3.7.0",
-    "eslint": "^8.35.0",
+    "eslint": "^8.36.0",
     "eslint-config-unjs": "^0.1.0",
     "express": "^4.18.2",
     "get-port": "^6.1.2",
-    "jiti": "^1.17.2",
-    "listhen": "^1.0.3",
+    "jiti": "^1.18.2",
+    "listhen": "^1.0.4",
     "node-fetch-native": "^1.0.2",
     "prettier": "^2.8.4",
     "supertest": "^6.3.3",
@@ -50,7 +50,7 @@
     "unbuild": "^1.1.2",
     "vitest": "^0.29.2"
   },
-  "packageManager": "pnpm@7.29.0",
+  "packageManager": "pnpm@7.29.3",
   "scripts": {
     "build": "unbuild",
     "dev": "vitest",