undici 7.16.0 → 7.18.0

package/lib/web/fetch/formdata-parser.js

@@ -1,16 +1,15 @@
 'use strict'
 
 const { bufferToLowerCasedHeaderName } = require('../../core/util')
-const { utf8DecodeBytes } = require('./util')
-const { HTTP_TOKEN_CODEPOINTS, isomorphicDecode } = require('./data-url')
+const { HTTP_TOKEN_CODEPOINTS } = require('./data-url')
 const { makeEntry } = require('./formdata')
 const { webidl } = require('../webidl')
 const assert = require('node:assert')
+const { isomorphicDecode } = require('../infra')
+const { utf8DecodeBytes } = require('../../encoding')
 
-const formDataNameBuffer = Buffer.from('form-data; name="')
-const filenameBuffer = Buffer.from('filename')
 const dd = Buffer.from('--')
-const ddcrlf = Buffer.from('--\r\n')
+const decoder = new TextDecoder()
 
 /**
  * @param {string} chars
@@ -84,20 +83,16 @@ function multipartFormDataParser (input, mimeType) {
   //    the first byte.
   const position = { position: 0 }
 
-  // Note: undici addition, allows leading and trailing CRLFs.
-  while (input[position.position] === 0x0d && input[position.position + 1] === 0x0a) {
-    position.position += 2
-  }
-
-  let trailing = input.length
+  // Note: Per RFC 2046 Section 5.1.1, we must ignore anything before the
+  // first boundary delimiter line (preamble). Search for the first boundary.
+  const firstBoundaryIndex = input.indexOf(boundary)
 
-  while (input[trailing - 1] === 0x0a && input[trailing - 2] === 0x0d) {
-    trailing -= 2
+  if (firstBoundaryIndex === -1) {
+    throw parsingError('no boundary found in multipart body')
   }
 
-  if (trailing !== input.length) {
-    input = input.subarray(0, trailing)
-  }
+  // Start parsing from the first boundary, ignoring any preamble
+  position.position = firstBoundaryIndex
 
   // 5. While true:
   while (true) {
@@ -113,11 +108,11 @@ function multipartFormDataParser (input, mimeType) {
 
     // 5.2. If position points to the sequence of bytes 0x2D 0x2D 0x0D 0x0A
     //      (`--` followed by CR LF) followed by the end of input, return entry list.
-    // Note: a body does NOT need to end with CRLF. It can end with --.
-    if (
-      (position.position === input.length - 2 && bufferStartsWith(input, dd, position)) ||
-      (position.position === input.length - 4 && bufferStartsWith(input, ddcrlf, position))
-    ) {
+    // Note: Per RFC 2046 Section 5.1.1, we must ignore anything after the
+    // final boundary delimiter (epilogue). Check for -- or --CRLF and return
+    // regardless of what follows.
+    if (bufferStartsWith(input, dd, position)) {
+      // Found closing boundary delimiter (--), ignore any epilogue
       return entryList
     }
 
@@ -205,6 +200,113 @@ function multipartFormDataParser (input, mimeType) {
   }
 }
 
+/**
+ * Parses content-disposition attributes (e.g., name="value" or filename*=utf-8''encoded)
+ * @param {Buffer} input
+ * @param {{ position: number }} position
+ * @returns {{ name: string, value: string }}
+ */
+function parseContentDispositionAttribute (input, position) {
+  // Skip leading semicolon and whitespace
+  if (input[position.position] === 0x3b /* ; */) {
+    position.position++
+  }
+
+  // Skip whitespace
+  collectASequenceOfBytes(
+    (char) => char === 0x20 || char === 0x09,
+    input,
+    position
+  )
+
+  // Collect attribute name (token characters)
+  const attributeName = collectASequenceOfBytes(
+    (char) => isToken(char) && char !== 0x3d && char !== 0x2a, // not = or *
+    input,
+    position
+  )
+
+  if (attributeName.length === 0) {
+    return null
+  }
+
+  const attrNameStr = attributeName.toString('ascii').toLowerCase()
+
+  // Check for extended notation (attribute*)
+  const isExtended = input[position.position] === 0x2a /* * */
+  if (isExtended) {
+    position.position++ // skip *
+  }
+
+  // Expect = sign
+  if (input[position.position] !== 0x3d /* = */) {
+    return null
+  }
+  position.position++ // skip =
+
+  // Skip whitespace
+  collectASequenceOfBytes(
+    (char) => char === 0x20 || char === 0x09,
+    input,
+    position
+  )
+
+  let value
+
+  if (isExtended) {
+    // Extended attribute format: charset'language'encoded-value
+    const headerValue = collectASequenceOfBytes(
+      (char) => char !== 0x20 && char !== 0x0d && char !== 0x0a && char !== 0x3b, // not space, CRLF, or ;
+      input,
+      position
+    )
+
+    // Check for utf-8'' prefix (case insensitive)
+    if (
+      (headerValue[0] !== 0x75 && headerValue[0] !== 0x55) || // u or U
+      (headerValue[1] !== 0x74 && headerValue[1] !== 0x54) || // t or T
+      (headerValue[2] !== 0x66 && headerValue[2] !== 0x46) || // f or F
+      headerValue[3] !== 0x2d || // -
+      headerValue[4] !== 0x38 // 8
+    ) {
+      throw parsingError('unknown encoding, expected utf-8\'\'')
+    }
+
+    // Skip utf-8'' and decode the rest
+    value = decodeURIComponent(decoder.decode(headerValue.subarray(7)))
+  } else if (input[position.position] === 0x22 /* " */) {
+    // Quoted string
+    position.position++ // skip opening quote
+
+    const quotedValue = collectASequenceOfBytes(
+      (char) => char !== 0x0a && char !== 0x0d && char !== 0x22, // not LF, CR, or "
+      input,
+      position
+    )
+
+    if (input[position.position] !== 0x22) {
+      throw parsingError('Closing quote not found')
+    }
+    position.position++ // skip closing quote
+
+    value = decoder.decode(quotedValue)
+      .replace(/%0A/ig, '\n')
+      .replace(/%0D/ig, '\r')
+      .replace(/%22/g, '"')
+  } else {
+    // Token value (no quotes)
+    const tokenValue = collectASequenceOfBytes(
+      (char) => isToken(char) && char !== 0x3b, // not ;
+      input,
+      position
+    )
+
+    value = decoder.decode(tokenValue)
+  }
+
+  return { name: attrNameStr, value }
+}
+
 /**
  * @see https://andreubotella.github.io/multipart-form-data/#parse-multipart-form-data-headers
  * @param {Buffer} input
@@ -265,80 +367,40 @@ function parseMultipartFormDataHeaders (input, position) {
     // 2.8. Byte-lowercase header name and switch on the result:
     switch (bufferToLowerCasedHeaderName(headerName)) {
       case 'content-disposition': {
-        // 1. Set name and filename to null.
         name = filename = null
 
-        // 2. If position does not point to a sequence of bytes starting with
-        //    `form-data; name="`, return failure.
-        if (!bufferStartsWith(input, formDataNameBuffer, position)) {
-          throw parsingError('expected form-data; name=" for content-disposition header')
+        // Collect the disposition type (should be "form-data")
+        const dispositionType = collectASequenceOfBytes(
+          (char) => isToken(char),
+          input,
+          position
+        )
+
+        if (dispositionType.toString('ascii').toLowerCase() !== 'form-data') {
+          throw parsingError('expected form-data for content-disposition header')
         }
 
-        // 3. Advance position so it points at the byte after the next 0x22 (")
-        //    byte (the one in the sequence of bytes matched above).
-        position.position += 17
-
-        // 4. Set name to the result of parsing a multipart/form-data name given
-        //    input and position, if the result is not failure. Otherwise, return
-        //    failure.
-        name = parseMultipartFormDataName(input, position)
-
-        // 5. If position points to a sequence of bytes starting with `; filename="`:
-        if (input[position.position] === 0x3b /* ; */ && input[position.position + 1] === 0x20 /* ' ' */) {
-          const at = { position: position.position + 2 }
-
-          if (bufferStartsWith(input, filenameBuffer, at)) {
-            if (input[at.position + 8] === 0x2a /* '*' */) {
-              at.position += 10 // skip past filename*=
-
-              // Remove leading http tab and spaces. See RFC for examples.
-              // https://datatracker.ietf.org/doc/html/rfc6266#section-5
-              collectASequenceOfBytes(
-                (char) => char === 0x20 || char === 0x09,
-                input,
-                at
-              )
-
-              const headerValue = collectASequenceOfBytes(
-                (char) => char !== 0x20 && char !== 0x0d && char !== 0x0a, // ' ' or CRLF
-                input,
-                at
-              )
-
-              if (
-                (headerValue[0] !== 0x75 && headerValue[0] !== 0x55) || // u or U
-                (headerValue[1] !== 0x74 && headerValue[1] !== 0x54) || // t or T
-                (headerValue[2] !== 0x66 && headerValue[2] !== 0x46) || // f or F
-                headerValue[3] !== 0x2d || // -
-                headerValue[4] !== 0x38 // 8
-              ) {
-                throw parsingError('unknown encoding, expected utf-8\'\'')
-              }
-
-              // skip utf-8''
-              filename = decodeURIComponent(new TextDecoder().decode(headerValue.subarray(7)))
-
-              position.position = at.position
-            } else {
-              // 1. Advance position so it points at the byte after the next 0x22 (") byte
-              //    (the one in the sequence of bytes matched above).
-              position.position += 11
-
-              // Remove leading http tab and spaces. See RFC for examples.
-              // https://datatracker.ietf.org/doc/html/rfc6266#section-5
-              collectASequenceOfBytes(
-                (char) => char === 0x20 || char === 0x09,
-                input,
-                position
-              )
-
-              position.position++ // skip past " after removing whitespace
-
-              // 2. Set filename to the result of parsing a multipart/form-data name given
-              //    input and position, if the result is not failure. Otherwise, return failure.
-              filename = parseMultipartFormDataName(input, position)
-            }
+        // Parse attributes recursively until CRLF
+        while (
+          position.position < input.length &&
+          input[position.position] !== 0x0d &&
+          input[position.position + 1] !== 0x0a
+        ) {
+          const attribute = parseContentDispositionAttribute(input, position)
+
+          if (!attribute) {
+            break
           }
+
+          if (attribute.name === 'name') {
+            name = attribute.value
+          } else if (attribute.name === 'filename') {
+            filename = attribute.value
+          }
+        }
+
+        if (name === null) {
+          throw parsingError('name attribute is required in content-disposition header')
         }
 
         break
@@ -394,43 +456,6 @@ function parseMultipartFormDataHeaders (input, position) {
   }
 }
 
-/**
- * @see https://andreubotella.github.io/multipart-form-data/#parse-a-multipart-form-data-name
- * @param {Buffer} input
- * @param {{ position: number }} position
- */
-function parseMultipartFormDataName (input, position) {
-  // 1. Assert: The byte at (position - 1) is 0x22 (").
-  assert(input[position.position - 1] === 0x22)
-
-  // 2. Let name be the result of collecting a sequence of bytes that are not 0x0A (LF), 0x0D (CR) or 0x22 ("), given position.
-  /** @type {string | Buffer} */
-  let name = collectASequenceOfBytes(
-    (char) => char !== 0x0a && char !== 0x0d && char !== 0x22,
-    input,
-    position
-  )
-
-  // 3. If the byte at position is not 0x22 ("), return failure. Otherwise, advance position by 1.
-  if (input[position.position] !== 0x22) {
-    throw parsingError('expected "')
-  } else {
-    position.position++
-  }
-
-  // 4. Replace any occurrence of the following subsequences in name with the given byte:
-  // - `%0A`: 0x0A (LF)
-  // - `%0D`: 0x0D (CR)
-  // - `%22`: 0x22 (")
-  name = new TextDecoder().decode(name)
-    .replace(/%0A/ig, '\n')
-    .replace(/%0D/ig, '\r')
-    .replace(/%22/g, '"')
-
-  // 5. Return the UTF-8 decoding without BOM of name.
-  return name
-}
-
 /**
  * @param {(char: number) => boolean} condition
  * @param {Buffer} input
@@ -492,6 +517,58 @@ function parsingError (cause) {
   return new TypeError('Failed to parse body as FormData.', { cause: new TypeError(cause) })
 }
 
+/**
+ * CTL            = <any US-ASCII control character
+ *                  (octets 0 - 31) and DEL (127)>
+ * @param {number} char
+ */
+function isCTL (char) {
+  return char <= 0x1f || char === 0x7f
+}
+
+/**
+ * tspecials :=  "(" / ")" / "<" / ">" / "@" /
+ *                "," / ";" / ":" / "\" / <">
+ *                "/" / "[" / "]" / "?" / "="
+ *                ; Must be in quoted-string,
+ *                ; to use within parameter values
+ * @param {number} char
+ */
+function isTSpecial (char) {
+  return (
+    char === 0x28 || // (
+    char === 0x29 || // )
+    char === 0x3c || // <
+    char === 0x3e || // >
+    char === 0x40 || // @
+    char === 0x2c || // ,
+    char === 0x3b || // ;
+    char === 0x3a || // :
+    char === 0x5c || // \
+    char === 0x22 || // "
+    char === 0x2f || // /
+    char === 0x5b || // [
+    char === 0x5d || // ]
+    char === 0x3f || // ?
+    char === 0x3d    // +
+  )
+}
+
+/**
+ * token := 1*<any (US-ASCII) CHAR except SPACE, CTLs,
+ *          or tspecials>
+ * @param {number} char
+ */
+function isToken (char) {
+  return (
+    char <= 0x7f &&  // ascii
+    char !== 0x20 && // space
+    char !== 0x09 &&
+    !isCTL(char) &&
+    !isTSpecial(char)
+  )
+}
+
 module.exports = {
   multipartFormDataParser,
   validateBoundary

package/lib/web/fetch/index.js

@@ -35,7 +35,6 @@ const {
   isErrorLike,
   fullyReadBody,
   readableStreamClose,
-  isomorphicEncode,
   urlIsLocal,
   urlIsHttpHttpsScheme,
   urlHasHttpsScheme,
@@ -63,8 +62,11 @@ const { webidl } = require('../webidl')
 const { STATUS_CODES } = require('node:http')
 const { bytesMatch } = require('../subresource-integrity/subresource-integrity')
 const { createDeferredPromise } = require('../../util/promise')
+const { isomorphicEncode } = require('../infra')
+const { runtimeFeatures } = require('../../util/runtime-features')
 
-const hasZstd = typeof zlib.createZstdDecompress === 'function'
+// Node.js v23.8.0+ and v22.15.0+ supports Zstandard
+const hasZstd = runtimeFeatures.has('zstd')
 
 const GET_OR_HEAD = ['GET', 'HEAD']
 
@@ -887,7 +889,7 @@ function schemeFetch (fetchParams) {
 
         // 8. Let slicedBlob be the result of invoking slice blob given blob, rangeStart,
         //    rangeEnd + 1, and type.
-        const slicedBlob = blob.slice(rangeStart, rangeEnd, type)
+        const slicedBlob = blob.slice(rangeStart, rangeEnd + 1, type)
 
         // 9. Let slicedBodyWithType be the result of safely extracting slicedBlob.
         // Note: same reason as mentioned above as to why we use extractBody
@@ -2128,6 +2130,15 @@ async function httpNetworkFetch (
             // "All content-coding values are case-insensitive..."
             /** @type {string[]} */
             const codings = contentEncoding ? contentEncoding.toLowerCase().split(',') : []
+
+            // Limit the number of content-encodings to prevent resource exhaustion.
+            // CVE fix similar to urllib3 (GHSA-gm62-xv2j-4w53) and curl (CVE-2022-32206).
+            const maxContentEncodings = 5
+            if (codings.length > maxContentEncodings) {
+              reject(new Error(`too many content-encodings in response: ${codings.length}, maximum allowed is ${maxContentEncodings}`))
+              return true
+            }
+
             for (let i = codings.length - 1; i >= 0; --i) {
               const coding = codings[i].trim()
               // https://www.rfc-editor.org/rfc/rfc9112.html#section-7.2
@@ -2151,7 +2162,6 @@ async function httpNetworkFetch (
                   finishFlush: zlib.constants.BROTLI_OPERATION_FLUSH
                 }))
               } else if (coding === 'zstd' && hasZstd) {
-              // Node.js v23.8.0+ and v22.15.0+ supports Zstandard
                 decoders.push(zlib.createZstdDecompress({
                   flush: zlib.constants.ZSTD_e_continue,
                   finishFlush: zlib.constants.ZSTD_e_end
@@ -2227,8 +2237,10 @@ async function httpNetworkFetch (
         },
 
         onUpgrade (status, rawHeaders, socket) {
-          if (status !== 101) {
-            return
+          // We need to support 200 for websocket over h2 as per RFC-8441
+          // Absence of session means H1
+          if ((socket.session != null && status !== 200) || (socket.session == null && status !== 101)) {
+            return false
           }
 
           const headersList = new HeadersList()

package/lib/web/fetch/request.js

@@ -1094,6 +1094,12 @@ webidl.converters.RequestInit = webidl.dictionaryConverter([
   {
     key: 'dispatcher', // undici specific option
     converter: webidl.converters.any
+  },
+  {
+    key: 'priority',
+    converter: webidl.converters.DOMString,
+    allowedValues: ['high', 'low', 'auto'],
+    defaultValue: () => 'auto'
   }
 ])
 

package/lib/web/fetch/response.js

@@ -9,9 +9,7 @@ const {
   isValidReasonPhrase,
   isCancelled,
   isAborted,
-  serializeJavascriptValueToJSONString,
   isErrorLike,
-  isomorphicEncode,
   environmentSettingsObject: relevantRealm
 } = require('./util')
 const {
@@ -22,6 +20,7 @@ const { webidl } = require('../webidl')
 const { URLSerializer } = require('./data-url')
 const { kConstruct } = require('../../core/symbols')
 const assert = require('node:assert')
+const { isomorphicEncode, serializeJavascriptValueToJSONString } = require('../infra')
 
 const textEncoder = new TextEncoder('utf-8')
 
@@ -454,7 +453,7 @@ function filterResponse (response, type) {
 
     return makeFilteredResponse(response, {
       type: 'opaque',
-      urlList: Object.freeze([]),
+      urlList: [],
       status: 0,
       statusText: '',
       body: null

package/lib/web/fetch/util.js

@@ -4,12 +4,13 @@ const { Transform } = require('node:stream')
 const zlib = require('node:zlib')
 const { redirectStatusSet, referrerPolicyTokens, badPortsSet } = require('./constants')
 const { getGlobalOrigin } = require('./global')
-const { collectASequenceOfCodePoints, collectAnHTTPQuotedString, removeChars, parseMIMEType } = require('./data-url')
+const { collectAnHTTPQuotedString, parseMIMEType } = require('./data-url')
 const { performance } = require('node:perf_hooks')
 const { ReadableStreamFrom, isValidHTTPToken, normalizedMethodRecordsBase } = require('../../core/util')
 const assert = require('node:assert')
 const { isUint8Array } = require('node:util/types')
 const { webidl } = require('../webidl')
+const { isomorphicEncode, collectASequenceOfCodePoints, removeChars } = require('../infra')
 
 function responseURL (response) {
   // https://fetch.spec.whatwg.org/#responses
@@ -721,23 +722,6 @@ function normalizeMethod (method) {
   return normalizedMethodRecordsBase[method.toLowerCase()] ?? method
 }
 
-// https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-a-json-string
-function serializeJavascriptValueToJSONString (value) {
-  // 1. Let result be ? Call(%JSON.stringify%, undefined, « value »).
-  const result = JSON.stringify(value)
-
-  // 2. If result is undefined, then throw a TypeError.
-  if (result === undefined) {
-    throw new TypeError('Value is not JSON serializable')
-  }
-
-  // 3. Assert: result is a string.
-  assert(typeof result === 'string')
-
-  // 4. Return result.
-  return result
-}
-
 // https://tc39.es/ecma262/#sec-%25iteratorprototype%25-object
 const esIteratorPrototype = Object.getPrototypeOf(Object.getPrototypeOf([][Symbol.iterator]()))
 
@@ -993,22 +977,6 @@ function readableStreamClose (controller) {
   }
 }
 
-const invalidIsomorphicEncodeValueRegex = /[^\x00-\xFF]/ // eslint-disable-line
-
-/**
- * @see https://infra.spec.whatwg.org/#isomorphic-encode
- * @param {string} input
- */
-function isomorphicEncode (input) {
-  // 1. Assert: input contains no code points greater than U+00FF.
-  assert(!invalidIsomorphicEncodeValueRegex.test(input))
-
-  // 2. Return a byte sequence whose length is equal to input’s code
-  //    point length and whose bytes have the same values as the
-  //    values of input’s code points, in the same order
-  return input
-}
-
 /**
  * @see https://streams.spec.whatwg.org/#readablestreamdefaultreader-read-all-bytes
  * @see https://streams.spec.whatwg.org/#read-loop
@@ -1461,34 +1429,6 @@ function getDecodeSplit (name, list) {
   return gettingDecodingSplitting(value)
 }
 
-const textDecoder = new TextDecoder()
-
-/**
- * @see https://encoding.spec.whatwg.org/#utf-8-decode
- * @param {Buffer} buffer
- */
-function utf8DecodeBytes (buffer) {
-  if (buffer.length === 0) {
-    return ''
-  }
-
-  // 1. Let buffer be the result of peeking three bytes from
-  //    ioQueue, converted to a byte sequence.
-
-  // 2. If buffer is 0xEF 0xBB 0xBF, then read three
-  //    bytes from ioQueue. (Do nothing with those bytes.)
-  if (buffer[0] === 0xEF && buffer[1] === 0xBB && buffer[2] === 0xBF) {
-    buffer = buffer.subarray(3)
-  }
-
-  // 3. Process a queue with an instance of UTF-8’s
-  //    decoder, ioQueue, output, and "replacement".
-  const output = textDecoder.decode(buffer)
-
-  // 4. Return output.
-  return output
-}
-
 class EnvironmentSettingsObjectBase {
   get baseUrl () {
     return getGlobalOrigin()
@@ -1534,7 +1474,6 @@ module.exports = {
   isValidReasonPhrase,
   sameOrigin,
   normalizeMethod,
-  serializeJavascriptValueToJSONString,
   iteratorMixin,
   createIterator,
   isValidHeaderName,
@@ -1542,7 +1481,6 @@ module.exports = {
   isErrorLike,
   fullyReadBody,
   readableStreamClose,
-  isomorphicEncode,
   urlIsLocal,
   urlHasHttpsScheme,
   urlIsHttpHttpsScheme,
@@ -1552,7 +1490,6 @@ module.exports = {
   createInflate,
   extractMimeType,
   getDecodeSplit,
-  utf8DecodeBytes,
   environmentSettingsObject,
   isOriginIPPotentiallyTrustworthy
 }