Add test. Closes #82

hapijs · Feb 13, 2020 · 0c1a3f6 · 0c1a3f6
1 parent 423c1e0
commit 0c1a3f6
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 12 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -114,13 +114,13 @@ internals.parse = async function (req, tap, options, contentType) {
 internals.decoder = function (source, options) {
 
     const contentEncoding = source.headers['content-encoding'];
-    const decoder = (options.decoders || internals.decoders)[contentEncoding];
-    if (!decoder) {
+    const decoders = options.decoders || internals.decoders;
+    if (!decoders.hasOwnProperty(contentEncoding)) {
         return source;
     }
 
-    const decoderOptions = (options.compression && options.compression[contentEncoding]) || null;
-    const stream = decoder(decoderOptions);
+    const decoderOptions = options.compression && options.compression[contentEncoding] || null;
+    const stream = decoders[contentEncoding](decoderOptions);
 
     const orig = stream.emit;
     stream.emit = (event, ...args) => {
@@ -177,7 +177,7 @@ internals.object = function (options, payload, mime) {
     // Binary
 
     if (mime === 'application/octet-stream') {
-        return (payload.length ? payload : null);
+        return payload.length ? payload : null;
     }
 
     // Text
@@ -206,8 +206,8 @@ internals.object = function (options, payload, mime) {
     // Form-encoded
 
     if (mime === 'application/x-www-form-urlencoded') {
-        const parse = (options.querystring || Querystring.parse);
-        return (payload.length ? parse(payload.toString('utf8')) : {});
+        const parse = options.querystring || Querystring.parse;
+        return payload.length ? parse(payload.toString('utf8')) : {};
     }
 
     const error = Boom.unsupportedMediaType();
@@ -223,7 +223,7 @@ internals.multipart = function (req, options, source, contentType) {
         // Set stream timeout
 
         const clientTimeout = options.timeout;
-        const clientTimeoutId = (clientTimeout ? setTimeout(() => reject(Boom.clientTimeout()), clientTimeout) : null);
+        const clientTimeoutId = clientTimeout ? setTimeout(() => reject(Boom.clientTimeout()), clientTimeout) : null;
 
         // Create parser
 
@@ -275,7 +275,7 @@ internals.multipart = function (req, options, source, contentType) {
             resolve(data);
         };
 
-        const output = (options.multipart ? options.multipart.output : options.output);
+        const output = options.multipart ? options.multipart.output : options.output;
 
         const onPart = (part) => {
 

diff --git a/package.json b/package.json
@@ -14,10 +14,10 @@
   "dependencies": {
     "@hapi/boom": "7.x.x",
     "@hapi/bourne": "1.x.x",
-    "@hapi/content": "4.x.x",
+    "@hapi/content": "^4.1.1",
     "@hapi/file": "1.x.x",
     "@hapi/hoek": "8.x.x",
-    "@hapi/pez": "4.x.x",
+    "@hapi/pez": "^4.1.2",
     "@hapi/wreck": "15.x.x"
   },
   "devDependencies": {

diff --git a/test/index.js b/test/index.js
@@ -952,7 +952,7 @@ describe('parse()', () => {
             'content-type': 'multipart/form-data; boundary="AaB03x"'
         };
 
-        await expect(Subtext.parse(request, null, { parse: true, output: 'file', uploads: '/no/such/folder/a/b/c' })).to.reject(/\/no\/such\/folder\/a\/b\/c/);
+        await expect(Subtext.parse(request, null, { parse: true, output: 'file', uploads: '/no/such/folder/a/b/c' })).to.reject(/no.such.folder/);
     });
 
     it('parses multiple files as streams', async () => {
@@ -1330,6 +1330,62 @@ describe('parse()', () => {
 
         await expect(Subtext.parse(request, null, { parse: true, output: 'stream', maxBytes: 10 })).to.reject();
     });
+
+    it('handles __proto__ in multipart param', async () => {
+
+        const body =
+            '--AaB03x\r\n' +
+            'content-disposition: form-data; name="x"; __proto__="y"\r\n' +
+            '\r\n' +
+            'First\r\n' +
+            '--AaB03x\r\n' +
+            'content-disposition: form-data; name="x"\r\n' +
+            '\r\n' +
+            'Second\r\n' +
+            '--AaB03x\r\n' +
+            'content-disposition: form-data; name="x"\r\n' +
+            '\r\n' +
+            'Third\r\n' +
+            '--AaB03x\r\n' +
+            'content-disposition: form-data; name="field1"\r\n' +
+            '\r\n' +
+            'Joe Blow\r\nalmost tricked you!\r\n' +
+            '--AaB03x\r\n' +
+            'content-disposition: form-data; name="field1"\r\n' +
+            '\r\n' +
+            'Repeated name segment\r\n' +
+            '--AaB03x\r\n' +
+            'content-disposition: form-data; name="pics"; filename="file1.txt"\r\n' +
+            'Content-Type: text/plain\r\n' +
+            '\r\n' +
+            '... contents of file1.txt ...\r\r\n' +
+            '--AaB03x--\r\n';
+
+        const request = Wreck.toReadableStream(body);
+        request.headers = {
+            'content-type': 'multipart/form-data; boundary=AaB03x'
+        };
+
+        await expect(Subtext.parse(request, null, { parse: true, output: 'data' })).to.reject('Invalid multipart payload format');
+    });
+
+    it('handles __proto__ in multipart name', async () => {
+
+        const body =
+            '--AaB03x\r\n' +
+            'content-disposition: form-data; name="__proto__"; filename="test"\r\n' +
+            'Content-Type: application/json\r\n' +
+            '\r\n' +
+            '{"a":1}\r\r\n' +
+            '--AaB03x--\r\n';
+
+        const request = Wreck.toReadableStream(body);
+        request.headers = {
+            'content-type': 'multipart/form-data; boundary=AaB03x'
+        };
+
+        await expect(Subtext.parse(request, null, { parse: true, output: 'data' })).to.reject('Invalid multipart payload format');
+    });
 });