http-proxy-middleware 2.0.7 → 2.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +1 -1
  2. package/dist/handlers/fix-request-body.d.ts +1 -1
  3. package/dist/handlers/fix-request-body.js +25 -3
  4. package/package.json +1 -1
package/README.md CHANGED
@@ -595,4 +595,4 @@ $ yarn spellcheck
595
595
 
596
596
  The MIT License (MIT)
597
597
 
598
- Copyright (c) 2015-2022 Steven Chim
598
+ Copyright (c) 2015-2025 Steven Chim
package/dist/handlers/fix-request-body.d.ts CHANGED
@@ -3,4 +3,4 @@ import type * as http from 'http';
3
3
  /**
4
4
  * Fix proxied body if bodyParser is involved.
5
5
  */
6
- export declare function fixRequestBody(proxyReq: http.ClientRequest, req: http.IncomingMessage): void;
6
+ export declare function fixRequestBody(proxyReq: http.ClientRequest, req: http.IncomingMessage, res: http.ServerResponse): void;
package/dist/handlers/fix-request-body.js CHANGED
@@ -5,22 +5,44 @@ const querystring = require("querystring");
5
5
  /**
6
6
  * Fix proxied body if bodyParser is involved.
7
7
  */
8
- function fixRequestBody(proxyReq, req) {
8
+ function fixRequestBody(proxyReq, req, res) {
9
9
  const requestBody = req.body;
10
10
  if (!requestBody) {
11
11
  return;
12
12
  }
13
13
  const contentType = proxyReq.getHeader('Content-Type');
14
+ if (!contentType) {
15
+ return;
16
+ }
17
+ // Handle bad request when unexpected "Connect: Upgrade" header is provided
18
+ if (/upgrade/gi.test(proxyReq.getHeader('Connection'))) {
19
+ handleBadRequest({ proxyReq, req, res });
20
+ return;
21
+ }
22
+ // Handle bad request when invalid request body is provided
23
+ if (hasInvalidKeys(requestBody)) {
24
+ handleBadRequest({ proxyReq, req, res });
25
+ return;
26
+ }
14
27
  const writeBody = (bodyData) => {
15
28
  // deepcode ignore ContentLengthInCode: bodyParser fix
16
29
  proxyReq.setHeader('Content-Length', Buffer.byteLength(bodyData));
17
30
  proxyReq.write(bodyData);
18
31
  };
19
- if (contentType && contentType.includes('application/json')) {
32
+ if (contentType.includes('application/json')) {
20
33
  writeBody(JSON.stringify(requestBody));
21
34
  }
22
- if (contentType && contentType.includes('application/x-www-form-urlencoded')) {
35
+ else if (contentType.includes('application/x-www-form-urlencoded')) {
23
36
  writeBody(querystring.stringify(requestBody));
24
37
  }
25
38
  }
26
39
  exports.fixRequestBody = fixRequestBody;
40
+ function hasInvalidKeys(obj) {
41
+ return Object.keys(obj).some((key) => /[\n\r]/.test(key));
42
+ }
43
+ function handleBadRequest({ proxyReq, req, res }) {
44
+ res.writeHead(400);
45
+ res.end('Bad Request');
46
+ proxyReq.destroy();
47
+ req.destroy();
48
+ }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "http-proxy-middleware",
3
- "version": "2.0.7",
3
+ "version": "2.0.8",
4
4
  "description": "The one-liner node.js proxy middleware for connect, express and browser-sync",
5
5
  "main": "dist/index.js",
6
6
  "types": "dist/index.d.ts",