undici 7.15.0 → 7.17.0

package/lib/web/fetch/data-url.js

@@ -1,19 +1,20 @@
 'use strict'
 
 const assert = require('node:assert')
+const { forgivingBase64, collectASequenceOfCodePoints, collectASequenceOfCodePointsFast, isomorphicDecode, removeASCIIWhitespace, removeChars } = require('../infra')
 
 const encoder = new TextEncoder()
 
 /**
  * @see https://mimesniff.spec.whatwg.org/#http-token-code-point
  */
-const HTTP_TOKEN_CODEPOINTS = /^[!#$%&'*+\-.^_|~A-Za-z0-9]+$/
-const HTTP_WHITESPACE_REGEX = /[\u000A\u000D\u0009\u0020]/ // eslint-disable-line
-const ASCII_WHITESPACE_REPLACE_REGEX = /[\u0009\u000A\u000C\u000D\u0020]/g // eslint-disable-line
+const HTTP_TOKEN_CODEPOINTS = /^[-!#$%&'*+.^_|~A-Za-z0-9]+$/u
+const HTTP_WHITESPACE_REGEX = /[\u000A\u000D\u0009\u0020]/u // eslint-disable-line
+
 /**
  * @see https://mimesniff.spec.whatwg.org/#http-quoted-string-token-code-point
  */
-const HTTP_QUOTED_STRING_TOKENS = /^[\u0009\u0020-\u007E\u0080-\u00FF]+$/ // eslint-disable-line
+const HTTP_QUOTED_STRING_TOKENS = /^[\u0009\u0020-\u007E\u0080-\u00FF]+$/u // eslint-disable-line
 
 // https://fetch.spec.whatwg.org/#data-url-processor
 /** @param {URL} dataURL */
@@ -68,7 +69,7 @@ function dataURLProcessor (dataURL) {
   // 11. If mimeType ends with U+003B (;), followed by
   // zero or more U+0020 SPACE, followed by an ASCII
   // case-insensitive match for "base64", then:
-  if (/;(\u0020){0,}base64$/i.test(mimeType)) {
+  if (/;(?:\u0020*)base64$/ui.test(mimeType)) {
     // 1. Let stringBody be the isomorphic decode of body.
     const stringBody = isomorphicDecode(body)
 
@@ -86,7 +87,7 @@ function dataURLProcessor (dataURL) {
 
     // 5. Remove trailing U+0020 SPACE code points from mimeType,
     // if any.
-    mimeType = mimeType.replace(/(\u0020)+$/, '')
+    mimeType = mimeType.replace(/(\u0020+)$/u, '')
 
     // 6. Remove the last U+003B (;) code point from mimeType.
     mimeType = mimeType.slice(0, -1)
@@ -136,49 +137,6 @@ function URLSerializer (url, excludeFragment = false) {
   return serialized
 }
 
-// https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points
-/**
- * @param {(char: string) => boolean} condition
- * @param {string} input
- * @param {{ position: number }} position
- */
-function collectASequenceOfCodePoints (condition, input, position) {
-  // 1. Let result be the empty string.
-  let result = ''
-
-  // 2. While position doesn’t point past the end of input and the
-  // code point at position within input meets the condition condition:
-  while (position.position < input.length && condition(input[position.position])) {
-    // 1. Append that code point to the end of result.
-    result += input[position.position]
-
-    // 2. Advance position by 1.
-    position.position++
-  }
-
-  // 3. Return result.
-  return result
-}
-
-/**
- * A faster collectASequenceOfCodePoints that only works when comparing a single character.
- * @param {string} char
- * @param {string} input
- * @param {{ position: number }} position
- */
-function collectASequenceOfCodePointsFast (char, input, position) {
-  const idx = input.indexOf(char, position.position)
-  const start = position.position
-
-  if (idx === -1) {
-    position.position = input.length
-    return input.slice(start)
-  }
-
-  position.position = idx
-  return input.slice(start, position.position)
-}
-
 // https://url.spec.whatwg.org/#string-percent-decode
 /** @param {string} input */
 function stringPercentDecode (input) {
@@ -219,8 +177,9 @@ function percentDecode (input) {
   /** @type {Uint8Array} */
   const output = new Uint8Array(length)
   let j = 0
+  let i = 0
   // 2. For each byte byte in input:
-  for (let i = 0; i < length; ++i) {
+  while (i < length) {
     const byte = input[i]
 
     // 1. If byte is not 0x25 (%), then append byte to output.
@@ -248,6 +207,7 @@ function percentDecode (input) {
       // 3. Skip the next two bytes in input.
       i += 2
     }
+    ++i
   }
 
   // 3. Return output.
@@ -427,45 +387,6 @@ function parseMIMEType (input) {
   return mimeType
 }
 
-// https://infra.spec.whatwg.org/#forgiving-base64-decode
-/** @param {string} data */
-function forgivingBase64 (data) {
-  // 1. Remove all ASCII whitespace from data.
-  data = data.replace(ASCII_WHITESPACE_REPLACE_REGEX, '')
-
-  let dataLength = data.length
-  // 2. If data’s code point length divides by 4 leaving
-  // no remainder, then:
-  if (dataLength % 4 === 0) {
-    // 1. If data ends with one or two U+003D (=) code points,
-    // then remove them from data.
-    if (data.charCodeAt(dataLength - 1) === 0x003D) {
-      --dataLength
-      if (data.charCodeAt(dataLength - 1) === 0x003D) {
-        --dataLength
-      }
-    }
-  }
-
-  // 3. If data’s code point length divides by 4 leaving
-  // a remainder of 1, then return failure.
-  if (dataLength % 4 === 1) {
-    return 'failure'
-  }
-
-  // 4. If data contains a code point that is not one of
-  //  U+002B (+)
-  //  U+002F (/)
-  //  ASCII alphanumeric
-  // then return failure.
-  if (/[^+/0-9A-Za-z]/.test(data.length === dataLength ? data : data.substring(0, dataLength))) {
-    return 'failure'
-  }
-
-  const buffer = Buffer.from(data, 'base64')
-  return new Uint8Array(buffer.buffer, buffer.byteOffset, buffer.byteLength)
-}
-
 // https://fetch.spec.whatwg.org/#collect-an-http-quoted-string
 // tests: https://fetch.spec.whatwg.org/#example-http-quoted-string
 /**
@@ -572,7 +493,7 @@ function serializeAMimeType (mimeType) {
     if (!HTTP_TOKEN_CODEPOINTS.test(value)) {
       // 1. Precede each occurrence of U+0022 (") or
       //    U+005C (\) in value with U+005C (\).
-      value = value.replace(/(\\|")/g, '\\$1')
+      value = value.replace(/[\\"]/ug, '\\$&')
 
       // 2. Prepend U+0022 (") to value.
       value = '"' + value
@@ -608,71 +529,6 @@ function removeHTTPWhitespace (str, leading = true, trailing = true) {
   return removeChars(str, leading, trailing, isHTTPWhiteSpace)
 }
 
-/**
- * @see https://infra.spec.whatwg.org/#ascii-whitespace
- * @param {number} char
- */
-function isASCIIWhitespace (char) {
-  // "\r\n\t\f "
-  return char === 0x00d || char === 0x00a || char === 0x009 || char === 0x00c || char === 0x020
-}
-
-/**
- * @see https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace
- * @param {string} str
- * @param {boolean} [leading=true]
- * @param {boolean} [trailing=true]
- */
-function removeASCIIWhitespace (str, leading = true, trailing = true) {
-  return removeChars(str, leading, trailing, isASCIIWhitespace)
-}
-
-/**
- * @param {string} str
- * @param {boolean} leading
- * @param {boolean} trailing
- * @param {(charCode: number) => boolean} predicate
- * @returns
- */
-function removeChars (str, leading, trailing, predicate) {
-  let lead = 0
-  let trail = str.length - 1
-
-  if (leading) {
-    while (lead < str.length && predicate(str.charCodeAt(lead))) lead++
-  }
-
-  if (trailing) {
-    while (trail > 0 && predicate(str.charCodeAt(trail))) trail--
-  }
-
-  return lead === 0 && trail === str.length - 1 ? str : str.slice(lead, trail + 1)
-}
-
-/**
- * @see https://infra.spec.whatwg.org/#isomorphic-decode
- * @param {Uint8Array} input
- * @returns {string}
- */
-function isomorphicDecode (input) {
-  // 1. To isomorphic decode a byte sequence input, return a string whose code point
-  //    length is equal to input’s length and whose code points have the same values
-  //    as the values of input’s bytes, in the same order.
-  const length = input.length
-  if ((2 << 15) - 1 > length) {
-    return String.fromCharCode.apply(null, input)
-  }
-  let result = ''; let i = 0
-  let addition = (2 << 15) - 1
-  while (i < length) {
-    if (i + addition > length) {
-      addition = length - i
-    }
-    result += String.fromCharCode.apply(null, input.subarray(i, i += addition))
-  }
-  return result
-}
-
 /**
  * @see https://mimesniff.spec.whatwg.org/#minimize-a-supported-mime-type
  * @param {Exclude<ReturnType<typeof parseMIMEType>, 'failure'>} mimeType
@@ -730,15 +586,11 @@ function minimizeSupportedMimeType (mimeType) {
 module.exports = {
   dataURLProcessor,
   URLSerializer,
-  collectASequenceOfCodePoints,
-  collectASequenceOfCodePointsFast,
   stringPercentDecode,
   parseMIMEType,
   collectAnHTTPQuotedString,
   serializeAMimeType,
-  removeChars,
   removeHTTPWhitespace,
   minimizeSupportedMimeType,
-  HTTP_TOKEN_CODEPOINTS,
-  isomorphicDecode
+  HTTP_TOKEN_CODEPOINTS
 }

package/lib/web/fetch/formdata-parser.js

@@ -1,16 +1,15 @@
 'use strict'
 
 const { bufferToLowerCasedHeaderName } = require('../../core/util')
-const { utf8DecodeBytes } = require('./util')
-const { HTTP_TOKEN_CODEPOINTS, isomorphicDecode } = require('./data-url')
+const { HTTP_TOKEN_CODEPOINTS } = require('./data-url')
 const { makeEntry } = require('./formdata')
 const { webidl } = require('../webidl')
 const assert = require('node:assert')
+const { isomorphicDecode } = require('../infra')
+const { utf8DecodeBytes } = require('../../encoding')
 
-const formDataNameBuffer = Buffer.from('form-data; name="')
-const filenameBuffer = Buffer.from('filename')
 const dd = Buffer.from('--')
-const ddcrlf = Buffer.from('--\r\n')
+const decoder = new TextDecoder()
 
 /**
  * @param {string} chars
@@ -84,20 +83,16 @@ function multipartFormDataParser (input, mimeType) {
   //    the first byte.
   const position = { position: 0 }
 
-  // Note: undici addition, allows leading and trailing CRLFs.
-  while (input[position.position] === 0x0d && input[position.position + 1] === 0x0a) {
-    position.position += 2
-  }
-
-  let trailing = input.length
+  // Note: Per RFC 2046 Section 5.1.1, we must ignore anything before the
+  // first boundary delimiter line (preamble). Search for the first boundary.
+  const firstBoundaryIndex = input.indexOf(boundary)
 
-  while (input[trailing - 1] === 0x0a && input[trailing - 2] === 0x0d) {
-    trailing -= 2
+  if (firstBoundaryIndex === -1) {
+    throw parsingError('no boundary found in multipart body')
   }
 
-  if (trailing !== input.length) {
-    input = input.subarray(0, trailing)
-  }
+  // Start parsing from the first boundary, ignoring any preamble
+  position.position = firstBoundaryIndex
 
   // 5. While true:
   while (true) {
@@ -113,11 +108,11 @@ function multipartFormDataParser (input, mimeType) {
 
     // 5.2. If position points to the sequence of bytes 0x2D 0x2D 0x0D 0x0A
     //      (`--` followed by CR LF) followed by the end of input, return entry list.
-    // Note: a body does NOT need to end with CRLF. It can end with --.
-    if (
-      (position.position === input.length - 2 && bufferStartsWith(input, dd, position)) ||
-      (position.position === input.length - 4 && bufferStartsWith(input, ddcrlf, position))
-    ) {
+    // Note: Per RFC 2046 Section 5.1.1, we must ignore anything after the
+    // final boundary delimiter (epilogue). Check for -- or --CRLF and return
+    // regardless of what follows.
+    if (bufferStartsWith(input, dd, position)) {
+      // Found closing boundary delimiter (--), ignore any epilogue
       return entryList
     }
 
@@ -205,6 +200,113 @@ function multipartFormDataParser (input, mimeType) {
   }
 }
 
+/**
+ * Parses content-disposition attributes (e.g., name="value" or filename*=utf-8''encoded)
+ * @param {Buffer} input
+ * @param {{ position: number }} position
+ * @returns {{ name: string, value: string }}
+ */
+function parseContentDispositionAttribute (input, position) {
+  // Skip leading semicolon and whitespace
+  if (input[position.position] === 0x3b /* ; */) {
+    position.position++
+  }
+
+  // Skip whitespace
+  collectASequenceOfBytes(
+    (char) => char === 0x20 || char === 0x09,
+    input,
+    position
+  )
+
+  // Collect attribute name (token characters)
+  const attributeName = collectASequenceOfBytes(
+    (char) => isToken(char) && char !== 0x3d && char !== 0x2a, // not = or *
+    input,
+    position
+  )
+
+  if (attributeName.length === 0) {
+    return null
+  }
+
+  const attrNameStr = attributeName.toString('ascii').toLowerCase()
+
+  // Check for extended notation (attribute*)
+  const isExtended = input[position.position] === 0x2a /* * */
+  if (isExtended) {
+    position.position++ // skip *
+  }
+
+  // Expect = sign
+  if (input[position.position] !== 0x3d /* = */) {
+    return null
+  }
+  position.position++ // skip =
+
+  // Skip whitespace
+  collectASequenceOfBytes(
+    (char) => char === 0x20 || char === 0x09,
+    input,
+    position
+  )
+
+  let value
+
+  if (isExtended) {
+    // Extended attribute format: charset'language'encoded-value
+    const headerValue = collectASequenceOfBytes(
+      (char) => char !== 0x20 && char !== 0x0d && char !== 0x0a && char !== 0x3b, // not space, CRLF, or ;
+      input,
+      position
+    )
+
+    // Check for utf-8'' prefix (case insensitive)
+    if (
+      (headerValue[0] !== 0x75 && headerValue[0] !== 0x55) || // u or U
+      (headerValue[1] !== 0x74 && headerValue[1] !== 0x54) || // t or T
+      (headerValue[2] !== 0x66 && headerValue[2] !== 0x46) || // f or F
+      headerValue[3] !== 0x2d || // -
+      headerValue[4] !== 0x38 // 8
+    ) {
+      throw parsingError('unknown encoding, expected utf-8\'\'')
+    }
+
+    // Skip utf-8'' and decode the rest
+    value = decodeURIComponent(decoder.decode(headerValue.subarray(7)))
+  } else if (input[position.position] === 0x22 /* " */) {
+    // Quoted string
+    position.position++ // skip opening quote
+
+    const quotedValue = collectASequenceOfBytes(
+      (char) => char !== 0x0a && char !== 0x0d && char !== 0x22, // not LF, CR, or "
+      input,
+      position
+    )
+
+    if (input[position.position] !== 0x22) {
+      throw parsingError('Closing quote not found')
+    }
+    position.position++ // skip closing quote
+
+    value = decoder.decode(quotedValue)
+      .replace(/%0A/ig, '\n')
+      .replace(/%0D/ig, '\r')
+      .replace(/%22/g, '"')
+  } else {
+    // Token value (no quotes)
+    const tokenValue = collectASequenceOfBytes(
+      (char) => isToken(char) && char !== 0x3b, // not ;
+      input,
+      position
+    )
+
+    value = decoder.decode(tokenValue)
+  }
+
+  return { name: attrNameStr, value }
+}
+
 /**
  * @see https://andreubotella.github.io/multipart-form-data/#parse-multipart-form-data-headers
  * @param {Buffer} input
@@ -265,80 +367,40 @@ function parseMultipartFormDataHeaders (input, position) {
     // 2.8. Byte-lowercase header name and switch on the result:
     switch (bufferToLowerCasedHeaderName(headerName)) {
       case 'content-disposition': {
-        // 1. Set name and filename to null.
         name = filename = null
 
-        // 2. If position does not point to a sequence of bytes starting with
-        //    `form-data; name="`, return failure.
-        if (!bufferStartsWith(input, formDataNameBuffer, position)) {
-          throw parsingError('expected form-data; name=" for content-disposition header')
+        // Collect the disposition type (should be "form-data")
+        const dispositionType = collectASequenceOfBytes(
+          (char) => isToken(char),
+          input,
+          position
+        )
+
+        if (dispositionType.toString('ascii').toLowerCase() !== 'form-data') {
+          throw parsingError('expected form-data for content-disposition header')
         }
 
-        // 3. Advance position so it points at the byte after the next 0x22 (")
-        //    byte (the one in the sequence of bytes matched above).
-        position.position += 17
-
-        // 4. Set name to the result of parsing a multipart/form-data name given
-        //    input and position, if the result is not failure. Otherwise, return
-        //    failure.
-        name = parseMultipartFormDataName(input, position)
-
-        // 5. If position points to a sequence of bytes starting with `; filename="`:
-        if (input[position.position] === 0x3b /* ; */ && input[position.position + 1] === 0x20 /* ' ' */) {
-          const at = { position: position.position + 2 }
-
-          if (bufferStartsWith(input, filenameBuffer, at)) {
-            if (input[at.position + 8] === 0x2a /* '*' */) {
-              at.position += 10 // skip past filename*=
-
-              // Remove leading http tab and spaces. See RFC for examples.
-              // https://datatracker.ietf.org/doc/html/rfc6266#section-5
-              collectASequenceOfBytes(
-                (char) => char === 0x20 || char === 0x09,
-                input,
-                at
-              )
-
-              const headerValue = collectASequenceOfBytes(
-                (char) => char !== 0x20 && char !== 0x0d && char !== 0x0a, // ' ' or CRLF
-                input,
-                at
-              )
-
-              if (
-                (headerValue[0] !== 0x75 && headerValue[0] !== 0x55) || // u or U
-                (headerValue[1] !== 0x74 && headerValue[1] !== 0x54) || // t or T
-                (headerValue[2] !== 0x66 && headerValue[2] !== 0x46) || // f or F
-                headerValue[3] !== 0x2d || // -
-                headerValue[4] !== 0x38 // 8
-              ) {
-                throw parsingError('unknown encoding, expected utf-8\'\'')
-              }
-
-              // skip utf-8''
-              filename = decodeURIComponent(new TextDecoder().decode(headerValue.subarray(7)))
-
-              position.position = at.position
-            } else {
-              // 1. Advance position so it points at the byte after the next 0x22 (") byte
-              //    (the one in the sequence of bytes matched above).
-              position.position += 11
-
-              // Remove leading http tab and spaces. See RFC for examples.
-              // https://datatracker.ietf.org/doc/html/rfc6266#section-5
-              collectASequenceOfBytes(
-                (char) => char === 0x20 || char === 0x09,
-                input,
-                position
-              )
-
-              position.position++ // skip past " after removing whitespace
-
-              // 2. Set filename to the result of parsing a multipart/form-data name given
-              //    input and position, if the result is not failure. Otherwise, return failure.
-              filename = parseMultipartFormDataName(input, position)
-            }
+        // Parse attributes recursively until CRLF
+        while (
+          position.position < input.length &&
+          input[position.position] !== 0x0d &&
+          input[position.position + 1] !== 0x0a
+        ) {
+          const attribute = parseContentDispositionAttribute(input, position)
+
+          if (!attribute) {
+            break
           }
+
+          if (attribute.name === 'name') {
+            name = attribute.value
+          } else if (attribute.name === 'filename') {
+            filename = attribute.value
+          }
+        }
+
+        if (name === null) {
+          throw parsingError('name attribute is required in content-disposition header')
         }
 
         break
@@ -394,43 +456,6 @@ function parseMultipartFormDataHeaders (input, position) {
   }
 }
 
-/**
- * @see https://andreubotella.github.io/multipart-form-data/#parse-a-multipart-form-data-name
- * @param {Buffer} input
- * @param {{ position: number }} position
- */
-function parseMultipartFormDataName (input, position) {
-  // 1. Assert: The byte at (position - 1) is 0x22 (").
-  assert(input[position.position - 1] === 0x22)
-
-  // 2. Let name be the result of collecting a sequence of bytes that are not 0x0A (LF), 0x0D (CR) or 0x22 ("), given position.
-  /** @type {string | Buffer} */
-  let name = collectASequenceOfBytes(
-    (char) => char !== 0x0a && char !== 0x0d && char !== 0x22,
-    input,
-    position
-  )
-
-  // 3. If the byte at position is not 0x22 ("), return failure. Otherwise, advance position by 1.
-  if (input[position.position] !== 0x22) {
-    throw parsingError('expected "')
-  } else {
-    position.position++
-  }
-
-  // 4. Replace any occurrence of the following subsequences in name with the given byte:
-  // - `%0A`: 0x0A (LF)
-  // - `%0D`: 0x0D (CR)
-  // - `%22`: 0x22 (")
-  name = new TextDecoder().decode(name)
-    .replace(/%0A/ig, '\n')
-    .replace(/%0D/ig, '\r')
-    .replace(/%22/g, '"')
-
-  // 5. Return the UTF-8 decoding without BOM of name.
-  return name
-}
-
 /**
  * @param {(char: number) => boolean} condition
  * @param {Buffer} input
@@ -492,6 +517,58 @@ function parsingError (cause) {
   return new TypeError('Failed to parse body as FormData.', { cause: new TypeError(cause) })
 }
 
+/**
+ * CTL            = <any US-ASCII control character
+ *                  (octets 0 - 31) and DEL (127)>
+ * @param {number} char
+ */
+function isCTL (char) {
+  return char <= 0x1f || char === 0x7f
+}
+
+/**
+ * tspecials :=  "(" / ")" / "<" / ">" / "@" /
+ *                "," / ";" / ":" / "\" / <">
+ *                "/" / "[" / "]" / "?" / "="
+ *                ; Must be in quoted-string,
+ *                ; to use within parameter values
+ * @param {number} char
+ */
+function isTSpecial (char) {
+  return (
+    char === 0x28 || // (
+    char === 0x29 || // )
+    char === 0x3c || // <
+    char === 0x3e || // >
+    char === 0x40 || // @
+    char === 0x2c || // ,
+    char === 0x3b || // ;
+    char === 0x3a || // :
+    char === 0x5c || // \
+    char === 0x22 || // "
+    char === 0x2f || // /
+    char === 0x5b || // [
+    char === 0x5d || // ]
+    char === 0x3f || // ?
+    char === 0x3d    // +
+  )
+}
+
+/**
+ * token := 1*<any (US-ASCII) CHAR except SPACE, CTLs,
+ *          or tspecials>
+ * @param {number} char
+ */
+function isToken (char) {
+  return (
+    char <= 0x7f &&  // ascii
+    char !== 0x20 && // space
+    char !== 0x09 &&
+    !isCTL(char) &&
+    !isTSpecial(char)
+  )
+}
+
 module.exports = {
   multipartFormDataParser,
   validateBoundary