h3 1.6.1 → 1.6.3

package/README.md

@@ -98,7 +98,7 @@ Routes are internally stored in a [Radix Tree](https://en.wikipedia.org/wiki/Rad
 
 ```js
 // Handle can directly return object or Promise<object> for JSON response
-app.use('/api', eventHandler((event) => ({ url: event.node.req.url }))
+app.use('/api', eventHandler((event) => ({ url: event.node.req.url })))
 
 // We can have better matching other than quick prefix match
 app.use('/odd', eventHandler(() => 'Is odd!'), { match: url => url.substr(1) % 2 })
@@ -121,7 +121,7 @@ app.use('/api', eventHandler((event) => proxyRequest('https://example.com', {
   cookiePathRewrite: {
     "/": "/api"
   },
-}))
+})))
 
 // Legacy middleware with 3rd argument are automatically promisified
 app.use(fromNodeMiddleware((req, res, next) => { req.setHeader('x-foo', 'bar'); next() }))

package/dist/index.cjs

@@ -108,10 +108,10 @@ class H3Error extends Error {
   toJSON() {
     const obj = {
       message: this.message,
-      statusCode: this.statusCode
+      statusCode: sanitizeStatusCode(this.statusCode, 500)
     };
     if (this.statusMessage) {
-      obj.statusMessage = this.statusMessage;
+      obj.statusMessage = sanitizeStatusMessage(this.statusMessage);
     }
     if (this.data !== void 0) {
       obj.data = this.data;
@@ -150,15 +150,24 @@ function createError(input) {
     err.data = input.data;
   }
   if (input.statusCode) {
-    err.statusCode = input.statusCode;
+    err.statusCode = sanitizeStatusCode(input.statusCode, err.statusCode);
   } else if (input.status) {
-    err.statusCode = input.status;
+    err.statusCode = sanitizeStatusCode(input.status, err.statusCode);
   }
   if (input.statusMessage) {
     err.statusMessage = input.statusMessage;
   } else if (input.statusText) {
     err.statusMessage = input.statusText;
   }
+  if (err.statusMessage) {
+    const originalMessage = err.statusMessage;
+    const sanitizedMessage = sanitizeStatusMessage(err.statusMessage);
+    if (sanitizedMessage !== originalMessage) {
+      console.warn(
+        "[h3] Please prefer using `message` for longer error messages instead of `statusMessage`. In the future `statusMessage` will be sanitized by default."
+      );
+    }
+  }
   if (input.fatal !== void 0) {
     err.fatal = input.fatal;
   }
@@ -267,13 +276,11 @@ const ParsedBodySymbol = Symbol.for("h3ParsedBody");
 const PayloadMethods$1 = ["PATCH", "POST", "PUT", "DELETE"];
 function readRawBody(event, encoding = "utf8") {
   assertMethod(event, PayloadMethods$1);
-  if (RawBodySymbol in event.node.req) {
-    const promise2 = Promise.resolve(event.node.req[RawBodySymbol]);
+  const _rawBody = event.node.req[RawBodySymbol] || event.node.req.body;
+  if (_rawBody) {
+    const promise2 = Promise.resolve(_rawBody);
     return encoding ? promise2.then((buff) => buff.toString(encoding)) : promise2;
   }
-  if ("body" in event.node.req) {
-    return Promise.resolve(event.node.req.body);
-  }
   if (!Number.parseInt(event.node.req.headers["content-length"] || "")) {
     return Promise.resolve(void 0);
   }
@@ -296,7 +303,7 @@ async function readBody(event) {
   if (ParsedBodySymbol in event.node.req) {
     return event.node.req[ParsedBodySymbol];
   }
-  const body = await readRawBody(event);
+  const body = await readRawBody(event, "utf8");
   if (event.node.req.headers["content-type"] === "application/x-www-form-urlencoded") {
     const form = new URLSearchParams(body);
     const parsedForm = /* @__PURE__ */ Object.create(null);
@@ -446,6 +453,23 @@ function splitCookiesString(cookiesString) {
   return cookiesStrings;
 }
 
+const DISALLOWED_STATUS_CHARS = /[^\u0009\u0020-\u007E]/g;
+function sanitizeStatusMessage(statusMessage = "") {
+  return statusMessage.replace(DISALLOWED_STATUS_CHARS, "");
+}
+function sanitizeStatusCode(statusCode, defaultStatusCode = 200) {
+  if (!statusCode) {
+    return defaultStatusCode;
+  }
+  if (typeof statusCode === "string") {
+    statusCode = Number.parseInt(statusCode, 10);
+  }
+  if (statusCode < 100 || statusCode > 999) {
+    return defaultStatusCode;
+  }
+  return statusCode;
+}
+
 const PayloadMethods = /* @__PURE__ */ new Set(["PATCH", "POST", "PUT", "DELETE"]);
 const ignoredHeaders = /* @__PURE__ */ new Set([
   "transfer-encoding",
@@ -483,8 +507,11 @@ async function sendProxy(event, target, opts = {}) {
     headers: opts.headers,
     ...opts.fetchOptions
   });
-  event.node.res.statusCode = response.status;
-  event.node.res.statusMessage = response.statusText;
+  event.node.res.statusCode = sanitizeStatusCode(
+    response.status,
+    event.node.res.statusCode
+  );
+  event.node.res.statusMessage = sanitizeStatusMessage(response.statusText);
   for (const [key, value] of response.headers.entries()) {
     if (key === "content-encoding") {
       continue;
@@ -589,7 +616,7 @@ function send(event, data, type) {
   });
 }
 function sendNoContent(event, code = 204) {
-  event.node.res.statusCode = code;
+  event.node.res.statusCode = sanitizeStatusCode(code, 204);
   if (event.node.res.statusCode === 204) {
     event.node.res.removeHeader("content-length");
   }
@@ -597,14 +624,13 @@ function sendNoContent(event, code = 204) {
 }
 function setResponseStatus(event, code, text) {
   if (code) {
-    event.node.res.statusCode = code;
+    event.node.res.statusCode = sanitizeStatusCode(
+      code,
+      event.node.res.statusCode
+    );
   }
   if (text) {
-    event.node.res.statusMessage = text.replace(
-      // eslint-disable-next-line no-control-regex
-      /[^\u0009\u0020-\u007E]/g,
-      ""
-    );
+    event.node.res.statusMessage = sanitizeStatusMessage(text);
   }
 }
 function getResponseStatus(event) {
@@ -619,7 +645,10 @@ function defaultContentType(event, type) {
   }
 }
 function sendRedirect(event, location, code = 302) {
-  event.node.res.statusCode = code;
+  event.node.res.statusCode = sanitizeStatusCode(
+    code,
+    event.node.res.statusCode
+  );
   event.node.res.setHeader("location", location);
   const encodedLoc = location.replace(/"/g, "%22");
   const html = `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}"></head></html>`;
@@ -1070,10 +1099,13 @@ class H3Event {
         this.res.setHeader(key, value);
       }
       if (response.status) {
-        this.res.statusCode = response.status;
+        this.res.statusCode = sanitizeStatusCode(
+          response.status,
+          this.res.statusCode
+        );
       }
       if (response.statusText) {
-        this.res.statusMessage = response.statusText;
+        this.res.statusMessage = sanitizeStatusMessage(response.statusText);
       }
       if (response.redirected) {
         this.res.setHeader("location", response.url);
@@ -1465,6 +1497,8 @@ exports.proxyRequest = proxyRequest;
 exports.readBody = readBody;
 exports.readMultipartFormData = readMultipartFormData;
 exports.readRawBody = readRawBody;
+exports.sanitizeStatusCode = sanitizeStatusCode;
+exports.sanitizeStatusMessage = sanitizeStatusMessage;
 exports.sealSession = sealSession;
 exports.send = send;
 exports.sendError = sendError;

package/dist/index.d.ts

@@ -346,7 +346,7 @@ declare function send(event: H3Event, data?: any, type?: string): Promise<void>;
  * @param code status code to be send. By default, it is `204 No Content`.
  */
 declare function sendNoContent(event: H3Event, code?: number): void;
-declare function setResponseStatus(event: H3Event, code: number, text?: string): void;
+declare function setResponseStatus(event: H3Event, code?: number, text?: string): void;
 declare function getResponseStatus(event: H3Event): number;
 declare function getResponseStatusText(event: H3Event): string;
 declare function defaultContentType(event: H3Event, type?: string): void;
@@ -384,6 +384,9 @@ declare function isCorsOriginAllowed(origin: ReturnType<typeof getRequestHeaders
 declare function appendCorsPreflightHeaders(event: H3Event, options: H3CorsOptions): void;
 declare function appendCorsHeaders(event: H3Event, options: H3CorsOptions): void;
 
+declare function sanitizeStatusMessage(statusMessage?: string): string;
+declare function sanitizeStatusCode(statusCode: string | number, defaultStatusCode?: number): number;
+
 type RouterMethod = Lowercase<HTTPMethod>;
 type RouterUse = (path: string, handler: EventHandler, method?: RouterMethod | RouterMethod[]) => Router;
 type AddRouteShortcuts = Record<RouterMethod, RouterUse>;
@@ -399,4 +402,4 @@ interface CreateRouterOptions {
 }
 declare function createRouter(opts?: CreateRouterOptions): Router;
 
-export { AddRouteShortcuts, App, AppOptions, AppUse, CacheConditions, CreateRouterOptions, DynamicEventHandler, Encoding, EventHandler, EventHandlerResponse, H3CorsOptions, H3Error, H3Event, H3EventContext, H3Headers, H3Response, HTTPMethod, InputLayer, InputStack, Layer, LazyEventHandler, MIMES, Matcher, MultiPartData, NodeEventContext, NodeListener, NodeMiddleware, NodePromisifiedHandler, ProxyOptions, RequestHeaders, Router, RouterMethod, RouterUse, Session, SessionConfig, SessionData, Stack, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getRequestHost, getRequestProtocol, getRequestURL, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, splitCookiesString, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };
+export { AddRouteShortcuts, App, AppOptions, AppUse, CacheConditions, CreateRouterOptions, DynamicEventHandler, Encoding, EventHandler, EventHandlerResponse, H3CorsOptions, H3Error, H3Event, H3EventContext, H3Headers, H3Response, HTTPMethod, InputLayer, InputStack, Layer, LazyEventHandler, MIMES, Matcher, MultiPartData, NodeEventContext, NodeListener, NodeMiddleware, NodePromisifiedHandler, ProxyOptions, RequestHeaders, Router, RouterMethod, RouterUse, Session, SessionConfig, SessionData, Stack, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getRequestHost, getRequestProtocol, getRequestURL, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sanitizeStatusCode, sanitizeStatusMessage, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, splitCookiesString, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };

package/dist/index.mjs

@@ -106,10 +106,10 @@ class H3Error extends Error {
   toJSON() {
     const obj = {
       message: this.message,
-      statusCode: this.statusCode
+      statusCode: sanitizeStatusCode(this.statusCode, 500)
     };
     if (this.statusMessage) {
-      obj.statusMessage = this.statusMessage;
+      obj.statusMessage = sanitizeStatusMessage(this.statusMessage);
     }
     if (this.data !== void 0) {
       obj.data = this.data;
@@ -148,15 +148,24 @@ function createError(input) {
     err.data = input.data;
   }
   if (input.statusCode) {
-    err.statusCode = input.statusCode;
+    err.statusCode = sanitizeStatusCode(input.statusCode, err.statusCode);
   } else if (input.status) {
-    err.statusCode = input.status;
+    err.statusCode = sanitizeStatusCode(input.status, err.statusCode);
   }
   if (input.statusMessage) {
     err.statusMessage = input.statusMessage;
   } else if (input.statusText) {
     err.statusMessage = input.statusText;
   }
+  if (err.statusMessage) {
+    const originalMessage = err.statusMessage;
+    const sanitizedMessage = sanitizeStatusMessage(err.statusMessage);
+    if (sanitizedMessage !== originalMessage) {
+      console.warn(
+        "[h3] Please prefer using `message` for longer error messages instead of `statusMessage`. In the future `statusMessage` will be sanitized by default."
+      );
+    }
+  }
   if (input.fatal !== void 0) {
     err.fatal = input.fatal;
   }
@@ -265,13 +274,11 @@ const ParsedBodySymbol = Symbol.for("h3ParsedBody");
 const PayloadMethods$1 = ["PATCH", "POST", "PUT", "DELETE"];
 function readRawBody(event, encoding = "utf8") {
   assertMethod(event, PayloadMethods$1);
-  if (RawBodySymbol in event.node.req) {
-    const promise2 = Promise.resolve(event.node.req[RawBodySymbol]);
+  const _rawBody = event.node.req[RawBodySymbol] || event.node.req.body;
+  if (_rawBody) {
+    const promise2 = Promise.resolve(_rawBody);
     return encoding ? promise2.then((buff) => buff.toString(encoding)) : promise2;
   }
-  if ("body" in event.node.req) {
-    return Promise.resolve(event.node.req.body);
-  }
   if (!Number.parseInt(event.node.req.headers["content-length"] || "")) {
     return Promise.resolve(void 0);
   }
@@ -294,7 +301,7 @@ async function readBody(event) {
   if (ParsedBodySymbol in event.node.req) {
     return event.node.req[ParsedBodySymbol];
   }
-  const body = await readRawBody(event);
+  const body = await readRawBody(event, "utf8");
   if (event.node.req.headers["content-type"] === "application/x-www-form-urlencoded") {
     const form = new URLSearchParams(body);
     const parsedForm = /* @__PURE__ */ Object.create(null);
@@ -444,6 +451,23 @@ function splitCookiesString(cookiesString) {
   return cookiesStrings;
 }
 
+const DISALLOWED_STATUS_CHARS = /[^\u0009\u0020-\u007E]/g;
+function sanitizeStatusMessage(statusMessage = "") {
+  return statusMessage.replace(DISALLOWED_STATUS_CHARS, "");
+}
+function sanitizeStatusCode(statusCode, defaultStatusCode = 200) {
+  if (!statusCode) {
+    return defaultStatusCode;
+  }
+  if (typeof statusCode === "string") {
+    statusCode = Number.parseInt(statusCode, 10);
+  }
+  if (statusCode < 100 || statusCode > 999) {
+    return defaultStatusCode;
+  }
+  return statusCode;
+}
+
 const PayloadMethods = /* @__PURE__ */ new Set(["PATCH", "POST", "PUT", "DELETE"]);
 const ignoredHeaders = /* @__PURE__ */ new Set([
   "transfer-encoding",
@@ -481,8 +505,11 @@ async function sendProxy(event, target, opts = {}) {
     headers: opts.headers,
     ...opts.fetchOptions
   });
-  event.node.res.statusCode = response.status;
-  event.node.res.statusMessage = response.statusText;
+  event.node.res.statusCode = sanitizeStatusCode(
+    response.status,
+    event.node.res.statusCode
+  );
+  event.node.res.statusMessage = sanitizeStatusMessage(response.statusText);
   for (const [key, value] of response.headers.entries()) {
     if (key === "content-encoding") {
       continue;
@@ -587,7 +614,7 @@ function send(event, data, type) {
   });
 }
 function sendNoContent(event, code = 204) {
-  event.node.res.statusCode = code;
+  event.node.res.statusCode = sanitizeStatusCode(code, 204);
   if (event.node.res.statusCode === 204) {
     event.node.res.removeHeader("content-length");
   }
@@ -595,14 +622,13 @@ function sendNoContent(event, code = 204) {
 }
 function setResponseStatus(event, code, text) {
   if (code) {
-    event.node.res.statusCode = code;
+    event.node.res.statusCode = sanitizeStatusCode(
+      code,
+      event.node.res.statusCode
+    );
   }
   if (text) {
-    event.node.res.statusMessage = text.replace(
-      // eslint-disable-next-line no-control-regex
-      /[^\u0009\u0020-\u007E]/g,
-      ""
-    );
+    event.node.res.statusMessage = sanitizeStatusMessage(text);
   }
 }
 function getResponseStatus(event) {
@@ -617,7 +643,10 @@ function defaultContentType(event, type) {
   }
 }
 function sendRedirect(event, location, code = 302) {
-  event.node.res.statusCode = code;
+  event.node.res.statusCode = sanitizeStatusCode(
+    code,
+    event.node.res.statusCode
+  );
   event.node.res.setHeader("location", location);
   const encodedLoc = location.replace(/"/g, "%22");
   const html = `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}"></head></html>`;
@@ -1068,10 +1097,13 @@ class H3Event {
         this.res.setHeader(key, value);
       }
       if (response.status) {
-        this.res.statusCode = response.status;
+        this.res.statusCode = sanitizeStatusCode(
+          response.status,
+          this.res.statusCode
+        );
       }
       if (response.statusText) {
-        this.res.statusMessage = response.statusText;
+        this.res.statusMessage = sanitizeStatusMessage(response.statusText);
       }
       if (response.redirected) {
         this.res.setHeader("location", response.url);
@@ -1400,4 +1432,4 @@ function createRouter(opts = {}) {
   return router;
 }
 
-export { H3Error, H3Event, H3Headers, H3Response, MIMES, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getRequestHost, getRequestProtocol, getRequestURL, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, splitCookiesString, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };
+export { H3Error, H3Event, H3Headers, H3Response, MIMES, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getRequestHost, getRequestProtocol, getRequestURL, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sanitizeStatusCode, sanitizeStatusMessage, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, splitCookiesString, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "h3",
-  "version": "1.6.1",
+  "version": "1.6.3",
   "description": "Tiny JavaScript Server",
   "repository": "unjs/h3",
   "license": "MIT",
@@ -24,16 +24,16 @@
     "defu": "^6.1.2",
     "destr": "^1.2.2",
     "iron-webcrypto": "^0.6.0",
-    "radix3": "^1.0.0",
+    "radix3": "^1.0.1",
     "ufo": "^1.1.1",
     "uncrypto": "^0.1.2"
   },
   "devDependencies": {
     "0x": "^5.5.0",
     "@types/express": "^4.17.17",
-    "@types/node": "^18.15.3",
+    "@types/node": "^18.15.10",
     "@types/supertest": "^2.0.12",
-    "@vitest/coverage-c8": "^0.29.2",
+    "@vitest/coverage-c8": "^0.29.7",
     "autocannon": "^7.10.0",
     "changelogen": "^0.5.1",
     "connect": "^3.7.0",
@@ -44,13 +44,13 @@
     "jiti": "^1.18.2",
     "listhen": "^1.0.4",
     "node-fetch-native": "^1.0.2",
-    "prettier": "^2.8.4",
+    "prettier": "^2.8.7",
     "supertest": "^6.3.3",
-    "typescript": "^4.9.5",
+    "typescript": "^5.0.2",
     "unbuild": "^1.1.2",
-    "vitest": "^0.29.2"
+    "vitest": "^0.29.7"
   },
-  "packageManager": "pnpm@7.29.3",
+  "packageManager": "pnpm@8.0.0",
   "scripts": {
     "build": "unbuild",
     "dev": "vitest",