Ability to disable some bodyparser types completely

[ThisIsMissEm]

Hi, we're working on a server that doesn't need to process multipart/form-data requests at all, and as such, we'd like to be able to disable the multipart parsing entirely, and reject those requests with a 400 Bad Request or similar status code.

Would it be possible to allow each of form, json, multipart, raw to be set to false in the configuration, rather than an object, and if false then reject the request entirely? This would help improve our security posture by rejecting requests that we know we don't want to handle.

Currently there doesn't seem to be anyway to disable processing of certain body types entirely, the only hacked work around is setting types to an empty array, which just has the request fall through.

[thetutlage]

I think what you are trying to do can be achieved with a custom middleware. Make sure to register it within the router middleware stack before the bodyparser_middleware.

import type { HttpContext } from '@adonisjs/core/http'
import type { NextFn } from '@adonisjs/core/types/http'

export default class ContentTypeInspectorMiddleware {
  async handle(ctx: HttpContext, next: NextFn) {
    if (ctx.request.hasBody() && !!ctx.request.is(['multipart/form-data'])) {
      return ctx.response.badRequest('Unsupported request body')
    }

    /**
     * Call next method in the pipeline and return its output
     */
    const output = await next()
    return output
  }
}

router.use([
  () => import('#middleware/content_type_inspector_middleware'), // 👈 before bodyparser
  () => import('@adonisjs/core/bodyparser_middleware'),
])

This way you never even try to parse the body if it is disallowed

[ThisIsMissEm]

Would it be better to just be able to say "I only care about JSON bodies, don't parse the other types, without custom middleware?

[thetutlage]

Middleware exists for a reason. That is hook into requests lifecycle and produce the desired outcome. Adding very fine-grained config settings for a couple of use-cases is hard to maintain in the long run for me (as a maintainer).

[ThisIsMissEm]

Right, but you've already the options there, all that's needed, as far as I can tell is making the conditions handle false correctly — allowing a potential attacker to send your server loads of data that temporarily gets written to disk is a really bad idea.