zero-http 0.2.5 → 0.3.1

package/documentation/public/vendor/icons/validate.svg

@@ -0,0 +1,17 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" width="64" height="64" aria-hidden="true">
+  <defs>
+    <linearGradient id="g-val" x1="0" x2="1">
+      <stop offset="0" stop-color="#7b61ff"/>
+      <stop offset="1" stop-color="#3ec6ff"/>
+    </linearGradient>
+  </defs>
+  <rect width="64" height="64" rx="8" fill="transparent"/>
+  <!-- Rounded rectangle (form/clipboard) -->
+  <rect x="12" y="6" width="40" height="52" rx="6" fill="url(#g-val)" opacity="0.25"/>
+  <rect x="16" y="10" width="32" height="44" rx="4" fill="url(#g-val)" opacity="0.4"/>
+  <!-- Lines (form fields) -->
+  <line x1="22" y1="22" x2="36" y2="22" stroke="rgba(255,255,255,0.5)" stroke-width="2" stroke-linecap="round"/>
+  <line x1="22" y1="30" x2="34" y2="30" stroke="rgba(255,255,255,0.35)" stroke-width="2" stroke-linecap="round"/>
+  <!-- Large checkmark overlay -->
+  <path d="M22 38l8 8 14-18" fill="none" stroke="#ffffff" stroke-width="3.5" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

package/documentation/routes/api.js

@@ -0,0 +1,41 @@
+const { Router, validate, fetch } = require('../..');
+const proxyController = require('../controllers/proxy');
+
+/**
+ * Mount the /api sub-router, validation demo, proxy, and debug routes.
+ */
+function mountApiRoutes(app)
+{
+    // --- Router Demo (sub-app) ---
+    const apiRouter = Router();
+    apiRouter.get('/health', (req, res) => res.json({ status: 'ok', uptime: process.uptime() }));
+    apiRouter.get('/info', (req, res) => res.json({
+        secure: req.secure,
+        protocol: req.protocol,
+        ip: req.ip,
+        method: req.method,
+        url: req.url,
+    }));
+    app.use('/api', apiRouter);
+
+    // --- Validation Demo ---
+    app.post('/demo/validate', validate({
+        body: {
+            name: { type: 'string', required: true, min: 1, max: 100 },
+            age:  { type: 'number', min: 0, max: 150 },
+        },
+    }), (req, res) => res.json({ ok: true, data: req.body }));
+
+    // --- Proxy ---
+    const proxyFetch = (typeof globalThis !== 'undefined' && globalThis.fetch) || fetch;
+    app.get('/proxy', proxyController.proxy(proxyFetch));
+
+    // --- Route introspection ---
+    app.get('/debug/routes', (req, res) =>
+    {
+        res.set('Content-Type', 'application/json');
+        res.send(JSON.stringify(app.routes(), null, 2));
+    });
+}
+
+module.exports = mountApiRoutes;

package/documentation/routes/core.js

@@ -0,0 +1,20 @@
+const { raw } = require('../..');
+const rootController    = require('../controllers/root');
+const headersController = require('../controllers/headers');
+const echoController    = require('../controllers/echo');
+
+/**
+ * Mount core routes: root, headers, echo parsers.
+ */
+function mountCoreRoutes(app)
+{
+    app.get('/',                rootController.getRoot);
+    app.get('/headers',         headersController.getHeaders);
+    app.post('/echo-json',      echoController.echoJson);
+    app.post('/echo',           echoController.echo);
+    app.post('/echo-urlencoded', echoController.echoUrlencoded);
+    app.post('/echo-text',      echoController.echoText);
+    app.post('/echo-raw',       raw(), echoController.echoRaw);
+}
+
+module.exports = mountCoreRoutes;

package/documentation/routes/playground.js

@@ -0,0 +1,29 @@
+const { initDatabase } = require('../config/db');
+const tasksController = require('../controllers/tasks');
+const cookiesController = require('../controllers/cookies');
+
+/**
+ * Register the ORM database and mount all playground API routes onto the app.
+ * @param {import('../../lib/app').App} app
+ */
+function mountPlaygroundRoutes(app)
+{
+    // --- ORM setup ---
+    initDatabase();
+
+    // --- Task CRUD ---
+    app.get('/api/tasks',              tasksController.list);
+    app.get('/api/tasks/stats',        tasksController.stats);
+    app.post('/api/tasks',             tasksController.create);
+    app.put('/api/tasks/:id',          tasksController.update);
+    app.delete('/api/tasks/:id',       tasksController.remove);
+    app.post('/api/tasks/:id/restore', tasksController.restore);
+    app.delete('/api/tasks',           tasksController.removeAll);
+
+    // --- Cookies ---
+    app.get('/api/cookies',            cookiesController.list);
+    app.post('/api/cookies',           cookiesController.set);
+    app.delete('/api/cookies/:name',   cookiesController.clear);
+}
+
+module.exports = mountPlaygroundRoutes;

package/documentation/routes/realtime.js

@@ -0,0 +1,49 @@
+const { WebSocketPool } = require('../..');
+
+/**
+ * Mount WebSocket and SSE real-time routes.
+ */
+function mountRealtimeRoutes(app)
+{
+    // --- WebSocket Chat ---
+    const pool = new WebSocketPool();
+
+    app.ws('/ws/chat', { maxPayload: 64 * 1024, pingInterval: 25000 }, (ws, req) =>
+    {
+        ws.data.name = ws.query.name || 'anon';
+        pool.add(ws);
+        ws.send(JSON.stringify({ type: 'system', text: 'Welcome, ' + ws.data.name + '!' }));
+        pool.broadcast(JSON.stringify({ type: 'system', text: ws.data.name + ' joined' }), ws);
+
+        ws.on('message', (msg) =>
+        {
+            pool.broadcastJSON({ type: 'message', name: ws.data.name, text: String(msg) });
+        });
+
+        ws.on('close', () =>
+        {
+            pool.remove(ws);
+            pool.broadcastJSON({ type: 'system', text: ws.data.name + ' left' });
+        });
+    });
+
+    // --- Server-Sent Events ---
+    const sseClients = new Set();
+
+    app.get('/sse/events', (req, res) =>
+    {
+        const sse = res.sse({ retry: 5000, autoId: true, keepAlive: 30000 });
+        sseClients.add(sse);
+        sse.send({ type: 'connected', clients: sseClients.size });
+        sse.on('close', () => sseClients.delete(sse));
+    });
+
+    app.post('/sse/broadcast', (req, res) =>
+    {
+        const data = req.body || {};
+        for (const sse of sseClients) sse.event('broadcast', data);
+        res.json({ sent: sseClients.size });
+    });
+}
+
+module.exports = mountRealtimeRoutes;

package/documentation/routes/uploads.js

@@ -0,0 +1,71 @@
+const path = require('path');
+const fs   = require('fs');
+const { multipart, static: serveStatic } = require('../..');
+const uploadsController = require('../controllers/uploads');
+
+/**
+ * Mount upload, trash, and file-listing routes.
+ * Also starts the automatic trash retention cleanup.
+ */
+function mountUploadRoutes(app)
+{
+    const uploadsDir = path.join(__dirname, '..', 'uploads');
+    uploadsController.ensureUploadsDir(uploadsDir);
+
+    // Serve uploaded files
+    app.use('/uploads', serveStatic(uploadsDir));
+
+    // Upload & CRUD
+    app.post('/upload', multipart({ maxFileSize: 5 * 1024 * 1024, dir: uploadsDir }), uploadsController.upload(uploadsDir));
+    app.delete('/uploads/:name', uploadsController.deleteUpload(uploadsDir));
+    app.delete('/uploads',       uploadsController.deleteAllUploads(uploadsDir));
+    app.post('/uploads/:name/restore', uploadsController.restoreUpload(uploadsDir));
+
+    // Trash
+    app.get('/uploads-trash-list',      uploadsController.listTrash(uploadsDir));
+    app.delete('/uploads-trash/:name',  uploadsController.deleteTrashItem(uploadsDir));
+    app.delete('/uploads-trash',        uploadsController.emptyTrash(uploadsDir));
+
+    // Listings
+    app.get('/uploads-list', uploadsController.listUploads(uploadsDir));
+    app.get('/uploads-all',  uploadsController.listAll(uploadsDir));
+
+    // Trash retention
+    const RETENTION_MS = Number(process.env.TRASH_RETENTION_DAYS || 7) * 86400000;
+
+    function autoEmptyTrash()
+    {
+        try
+        {
+            const trash = path.join(uploadsDir, '.trash');
+            if (!fs.existsSync(trash)) return;
+            const now = Date.now();
+            const removed = [];
+            for (const f of fs.readdirSync(trash))
+            {
+                try
+                {
+                    const p  = path.join(trash, f);
+                    const st = fs.statSync(p);
+                    if (now - st.mtimeMs > RETENTION_MS)
+                    {
+                        fs.unlinkSync(p);
+                        removed.push(f);
+                        try { fs.unlinkSync(path.join(trash, '.thumbs', f + '-thumb.svg')); } catch (_) { }
+                    }
+                } catch (_) { }
+            }
+            if (removed.length) console.log(`autoEmptyTrash: removed ${removed.length} file(s)`);
+        } catch (e) { console.error('autoEmptyTrash error:', e); }
+    }
+
+    autoEmptyTrash();
+    setInterval(autoEmptyTrash, 86400000).unref();
+
+    // Temp cleanup
+    const os = require('os');
+    const cleanupController = require('../controllers/cleanup');
+    app.post('/cleanup', cleanupController.cleanup(path.join(os.tmpdir(), 'zero-http-uploads')));
+}
+
+module.exports = mountUploadRoutes;

package/index.js

@@ -12,8 +12,19 @@ const serveStatic = require('./lib/middleware/static');
 const rateLimit = require('./lib/middleware/rateLimit');
 const logger = require('./lib/middleware/logger');
 const compress = require('./lib/middleware/compress');
-const { WebSocketConnection } = require('./lib/ws');
+const helmet = require('./lib/middleware/helmet');
+const timeout = require('./lib/middleware/timeout');
+const requestId = require('./lib/middleware/requestId');
+const cookieParser = require('./lib/middleware/cookieParser');
+const csrf = require('./lib/middleware/csrf');
+const validate = require('./lib/middleware/validator');
+const errorHandler = require('./lib/middleware/errorHandler');
+const { WebSocketConnection, WebSocketPool } = require('./lib/ws');
 const { SSEStream } = require('./lib/sse');
+const env = require('./lib/env');
+const { Database, Model, TYPES, Query } = require('./lib/orm');
+const errors = require('./lib/errors');
+const debug = require('./lib/debug');
 
 module.exports = {
     /**
@@ -52,9 +63,59 @@ module.exports = {
     logger,
     /** @see module:compress */
     compress,
+    /** @see module:helmet */
+    helmet,
+    /** @see module:timeout */
+    timeout,
+    /** @see module:requestId */
+    requestId,
+    /** @see module:cookieParser */
+    cookieParser,
+    /** @see module:csrf */
+    csrf,
+    /** @see module:validator */
+    validate,
+    /** @see module:middleware/errorHandler */
+    errorHandler,
+    // env
+    /** @see module:env */
+    env,
+    // ORM
+    /** @see module:orm */
+    Database,
+    /** @see module:orm/model */
+    Model,
+    /** @see module:orm/schema */
+    TYPES,
+    /** @see module:orm/query */
+    Query,
+    // Error handling & debugging
+    /** @see module:errors */
+    HttpError: errors.HttpError,
+    BadRequestError: errors.BadRequestError,
+    UnauthorizedError: errors.UnauthorizedError,
+    ForbiddenError: errors.ForbiddenError,
+    NotFoundError: errors.NotFoundError,
+    MethodNotAllowedError: errors.MethodNotAllowedError,
+    ConflictError: errors.ConflictError,
+    GoneError: errors.GoneError,
+    PayloadTooLargeError: errors.PayloadTooLargeError,
+    UnprocessableEntityError: errors.UnprocessableEntityError,
+    ValidationError: errors.ValidationError,
+    TooManyRequestsError: errors.TooManyRequestsError,
+    InternalError: errors.InternalError,
+    NotImplementedError: errors.NotImplementedError,
+    BadGatewayError: errors.BadGatewayError,
+    ServiceUnavailableError: errors.ServiceUnavailableError,
+    createError: errors.createError,
+    isHttpError: errors.isHttpError,
+    /** @see module:debug */
+    debug,
     // classes (for advanced / direct usage)
     /** @see module:ws/connection */
     WebSocketConnection,
+    /** @see module:ws/room */
+    WebSocketPool,
     /** @see module:sse/stream */
     SSEStream,
 };

package/lib/app.js

@@ -10,6 +10,7 @@ const https = require('https');
 const Router = require('./router');
 const { Request, Response } = require('./http');
 const { handleUpgrade } = require('./ws');
+const log = require('./debug')('zero:app');
 
 class App
 {
@@ -33,10 +34,96 @@ class App
         /** @type {import('http').Server|import('https').Server|null} */
         this._server = null;
 
+        /**
+         * Application-level settings store.
+         * @type {Object<string, *>}
+         * @private
+         */
+        this._settings = {};
+
+        /**
+         * Application-level locals — persistent across the app lifecycle.
+         * Merged into every `req.locals` and `res.locals` on every request.
+         * @type {Object<string, *>}
+         */
+        this.locals = {};
+
+        /**
+         * Parameter pre-processing handlers.
+         * @type {Object<string, Function[]>}
+         * @private
+         */
+        this._paramHandlers = {};
+
         // Bind for use as `http.createServer(app.handler)`
         this.handler = (req, res) => this.handle(req, res);
     }
 
+    // -- Settings ------------------------------------
+
+    /**
+     * Set an application setting, or retrieve one when called with a single argument.
+     *
+     * When called with two arguments, sets the value and returns `this` for chaining.
+     * When called with one argument, returns the stored value.
+     *
+     * Common settings: `'trust proxy'`, `'env'`, `'json spaces'`, `'etag'`,
+     *                  `'view engine'`, `'views'`, `'case sensitive routing'`.
+     *
+     * @param {string} key   - Setting name.
+     * @param {*}      [val] - Setting value.
+     * @returns {*|App}       The stored value (getter) or `this` (setter).
+     *
+     * @example
+     *   app.set('trust proxy', true);
+     *   app.set('json spaces', 2);
+     *   app.set('env');             // => undefined (or previously set value)
+     */
+    set(key, val)
+    {
+        if (arguments.length === 1) return this._settings[key];
+        this._settings[key] = val;
+        return this;
+    }
+
+    /**
+     * Set a boolean setting to `true`.
+     *
+     * @param {string} key - Setting name.
+     * @returns {App} `this` for chaining.
+     *
+     * @example
+     *   app.enable('trust proxy');
+     */
+    enable(key)  { this._settings[key] = true;  return this; }
+
+    /**
+     * Set a boolean setting to `false`.
+     *
+     * @param {string} key - Setting name.
+     * @returns {App} `this` for chaining.
+     *
+     * @example
+     *   app.disable('etag');
+     */
+    disable(key) { this._settings[key] = false; return this; }
+
+    /**
+     * Check if a setting is truthy.
+     *
+     * @param {string} key - Setting name.
+     * @returns {boolean}
+     */
+    enabled(key)  { return !!this._settings[key]; }
+
+    /**
+     * Check if a setting is falsy.
+     *
+     * @param {string} key - Setting name.
+     * @returns {boolean}
+     */
+    disabled(key) { return !this._settings[key]; }
+
     // -- Middleware -------------------------------------
 
     /**
@@ -93,6 +180,29 @@ class App
         this._errorHandler = fn;
     }
 
+    /**
+     * Register a parameter pre-processing handler.
+     * Runs before route handlers for any route containing a `:name` parameter.
+     *
+     * @param {string}   name - Parameter name.
+     * @param {Function} fn   - `(req, res, next, value) => void`.
+     * @returns {App} `this` for chaining.
+     *
+     * @example
+     *   app.param('userId', async (req, res, next, id) => {
+     *       req.locals.user = await db.users.findById(id);
+     *       if (!req.locals.user) return res.status(404).json({ error: 'User not found' });
+     *       next();
+     *   });
+     */
+    param(name, fn)
+    {
+        if (!this._paramHandlers[name]) this._paramHandlers[name] = [];
+        this._paramHandlers[name].push(fn);
+        this.router._paramHandlers = this._paramHandlers;
+        return this;
+    }
+
     // -- Request Handling ------------------------------
 
     /**
@@ -108,11 +218,25 @@ class App
         const request = new Request(req);
         const response = new Response(res);
 
+        // Inject app reference into request and response
+        request.app = this;
+        response.app = this;
+        response._req = request;
+        request._res = response;
+
+        // Preserve original URL before any middleware rewrites
+        request.originalUrl = request.url;
+
+        // Merge app.locals into request/response locals via prototype chain (avoids copy per request)
+        request.locals = Object.create(this.locals);
+        response.locals = Object.create(this.locals);
+
         let idx = 0;
         const run = (err) =>
         {
             if (err)
             {
+                log.error('middleware error: %s', err.message || err);
                 if (this._errorHandler) return this._errorHandler(err, request, response, run);
                 response.status(500).json({ error: err.message || 'Internal Server Error' });
                 return;
@@ -170,6 +294,7 @@ class App
             : http.createServer(this.handler);
 
         this._server = server;
+        log.info('starting %s server on port %d', isHTTPS ? 'HTTPS' : 'HTTP', port);
 
         // Always attach WebSocket upgrade handling so ws() works
         // regardless of registration order (before or after listen).
@@ -287,14 +412,81 @@ class App
      */
     route(method, path, ...fns) { const o = this._extractOpts(fns); this.router.add(method, path, fns, o); }
 
-    /** @see App#route — shortcut for GET requests.    */ get(path, ...fns) { this.route('GET', path, ...fns); }
-    /** @see App#route — shortcut for POST requests.   */ post(path, ...fns) { this.route('POST', path, ...fns); }
-    /** @see App#route — shortcut for PUT requests.    */ put(path, ...fns) { this.route('PUT', path, ...fns); }
-    /** @see App#route — shortcut for DELETE requests. */ delete(path, ...fns) { this.route('DELETE', path, ...fns); }
-    /** @see App#route — shortcut for PATCH requests.  */ patch(path, ...fns) { this.route('PATCH', path, ...fns); }
-    /** @see App#route — shortcut for OPTIONS requests.*/ options(path, ...fns) { this.route('OPTIONS', path, ...fns); }
-    /** @see App#route — shortcut for HEAD requests.   */ head(path, ...fns) { this.route('HEAD', path, ...fns); }
-    /** @see App#route — matches every HTTP method.    */ all(path, ...fns) { this.route('ALL', path, ...fns); }
+    /** @see App#route — shortcut for GET requests.    */ get(path, ...fns) { if (arguments.length === 1 && typeof path === 'string' && fns.length === 0) return this.set(path); this.route('GET', path, ...fns); return this; }
+    /** @see App#route — shortcut for POST requests.   */ post(path, ...fns) { this.route('POST', path, ...fns); return this; }
+    /** @see App#route — shortcut for PUT requests.    */ put(path, ...fns) { this.route('PUT', path, ...fns); return this; }
+    /** @see App#route — shortcut for DELETE requests. */ delete(path, ...fns) { this.route('DELETE', path, ...fns); return this; }
+    /** @see App#route — shortcut for PATCH requests.  */ patch(path, ...fns) { this.route('PATCH', path, ...fns); return this; }
+    /** @see App#route — shortcut for OPTIONS requests.*/ options(path, ...fns) { this.route('OPTIONS', path, ...fns); return this; }
+    /** @see App#route — shortcut for HEAD requests.   */ head(path, ...fns) { this.route('HEAD', path, ...fns); return this; }
+    /** @see App#route — matches every HTTP method.    */ all(path, ...fns) { this.route('ALL', path, ...fns); return this; }
+
+    /**
+     * Chainable route builder — register multiple methods on the same path.
+     *
+     * @param {string} path - Route pattern.
+     * @returns {object} Chain object with HTTP verb methods.
+     *
+     * @example
+     *   app.chain('/users')
+     *     .get((req, res) => res.json(users))
+     *     .post((req, res) => res.json({ created: true }));
+     */
+    chain(path) { return this.router.route(path); }
+
+    /**
+     * Define a route group with shared middleware prefix.
+     * All routes registered inside the callback share the given path prefix
+     * and middleware stack.
+     *
+     * @param {string}      prefix      - URL prefix for the group.
+     * @param {...Function}  middleware  - Shared middleware, last argument is the callback.
+     * @returns {App} `this` for chaining.
+     *
+     * @example
+     *   app.group('/api/v1', authMiddleware, (router) => {
+     *       router.get('/users', listUsers);
+     *       router.post('/users', createUser);
+     *       router.get('/users/:id', getUser);
+     *   });
+     */
+    group(prefix, ...args)
+    {
+        const cb = args.pop();
+        const middlewareStack = args;
+        const router = new Router();
+        cb(router);
+        if (middlewareStack.length > 0)
+        {
+            this.middlewares.push((req, res, next) =>
+            {
+                const urlPath = req.url.split('?')[0];
+                const cleanPrefix = prefix.endsWith('/') ? prefix.slice(0, -1) : prefix;
+                if (urlPath === cleanPrefix || urlPath.startsWith(cleanPrefix + '/'))
+                {
+                    let i = 0;
+                    const runMw = () =>
+                    {
+                        if (i < middlewareStack.length)
+                        {
+                            const mw = middlewareStack[i++];
+                            try
+                            {
+                                const result = mw(req, res, runMw);
+                                if (result && typeof result.catch === 'function') result.catch(next);
+                            }
+                            catch (e) { next(e); }
+                        }
+                        else { next(); }
+                    };
+                    runMw();
+                }
+                else { next(); }
+            });
+        }
+        this.router.use(prefix, router);
+        return this;
+    }
 }
 
 module.exports = App;

package/lib/body/json.js

@@ -7,6 +7,25 @@ const rawBuffer = require('./rawBuffer');
 const isTypeMatch = require('./typeMatch');
 const sendError = require('./sendError');
 
+/** Recursively remove __proto__, constructor, and prototype keys to prevent prototype pollution. */
+function _sanitize(obj)
+{
+    if (!obj || typeof obj !== 'object') return;
+    const keys = Object.keys(obj);
+    for (let i = 0; i < keys.length; i++)
+    {
+        const k = keys[i];
+        if (k === '__proto__' || k === 'constructor' || k === 'prototype')
+        {
+            delete obj[k];
+        }
+        else if (typeof obj[k] === 'object' && obj[k] !== null)
+        {
+            _sanitize(obj[k]);
+        }
+    }
+}
+
 /**
  * Create a JSON body-parsing middleware.
  *
@@ -21,7 +40,7 @@ const sendError = require('./sendError');
 function json(options = {})
 {
   const opts = options || {};
-  const limit = opts.limit || null;
+  const limit = opts.limit !== undefined ? opts.limit : '1mb';
   const reviver = opts.reviver;
   const strict = (opts.hasOwnProperty('strict')) ? !!opts.strict : true;
   const typeOpt = opts.type || 'application/json';
@@ -38,11 +57,15 @@ function json(options = {})
       const txt = buf.toString('utf8');
       if (!txt) { req.body = null; return next(); }
       let parsed;
-      try { parsed = JSON.parse(txt, reviver); } catch (e) { req.body = null; return next(); }
-      if (strict && (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed) === false && Object.keys(parsed).length === 0 && !Array.isArray(parsed)))
+      try { parsed = JSON.parse(txt, reviver); } catch (e) { return sendError(res, 400, 'invalid JSON'); }
+      if (strict && (typeof parsed !== 'object' || parsed === null))
+      {
+        return sendError(res, 400, 'invalid JSON: root must be object or array');
+      }
+      // Prevent prototype pollution
+      if (parsed && typeof parsed === 'object')
       {
-        // If strict, prefer objects/arrays; allow arrays but reject primitives
-        if (typeof parsed !== 'object') { req.body = null; return next(); }
+        _sanitize(parsed);
       }
       req.body = parsed;
     } catch (err)

package/lib/body/multipart.js

@@ -51,6 +51,27 @@ function parseHeaders(headerText)
     return obj;
 }
 
+/**
+ * Sanitize a filename by stripping path traversal characters and
+ * null bytes. Keeps only the basename.
+ *
+ * @param {string} filename - Raw filename from the upload.
+ * @returns {string} Sanitized filename.
+ */
+function sanitizeFilename(filename)
+{
+    if (!filename) return '';
+    // Strip null bytes
+    let safe = filename.replace(/\0/g, '');
+    // Take only the basename (strip directory traversal)
+    safe = safe.replace(/^.*[/\\]/, '');
+    // Remove leading dots (prevent dotfile creation)
+    safe = safe.replace(/^\.+/, '');
+    // Replace potentially dangerous characters
+    safe = safe.replace(/[<>:"|?*]/g, '_');
+    return safe || 'unnamed';
+}
+
 /**
  * Extract `name` and `filename` fields from a `Content-Disposition` header.
  *
@@ -66,7 +87,14 @@ function parseContentDisposition(cd)
     for (const p of parts)
     {
         const mm = /([^=]+)="?([^"]+)"?/.exec(p);
-        if (mm) out[mm[1]] = mm[2];
+        if (mm)
+        {
+            const key = mm[1].trim();
+            let val = mm[2];
+            // Sanitize filename values
+            if (key === 'filename') val = sanitizeFilename(val);
+            out[key] = val;
+        }
     }
     return out;
 }

package/lib/body/raw.js

@@ -19,7 +19,7 @@ const sendError = require('./sendError');
 function raw(options = {})
 {
     const opts = options || {};
-    const limit = opts.limit || null;
+    const limit = opts.limit !== undefined ? opts.limit : '1mb';
     const typeOpt = opts.type || 'application/octet-stream';
     const requireSecure = !!opts.requireSecure;