From d22d58764832fea429d60109a19e1a23136d4425 Mon Sep 17 00:00:00 2001
From: Steven Chim <655241+chimurai@users.noreply.github.com>
Date: Thu, 10 Apr 2025 14:01:49 +0200
Subject: [PATCH 1/2] fix(fixRequestBody): check readableLength (#1097)

---
 src/handlers/fix-request-body.ts   | 40 +++------------
 test/unit/fix-request-body.spec.ts | 81 +++++++++--------------------
 2 files changed, 30 insertions(+), 91 deletions(-)

diff --git a/src/handlers/fix-request-body.ts b/src/handlers/fix-request-body.ts
index 78fcd345..2a19c880 100644
--- a/src/handlers/fix-request-body.ts
+++ b/src/handlers/fix-request-body.ts
@@ -2,20 +2,15 @@ import type * as http from 'http';
 import type { Request } from '../types';
 import * as querystring from 'querystring';
 
-type HandleBadRequestArgs = {
-  proxyReq: http.ClientRequest;
-  req: http.IncomingMessage;
-  res: http.ServerResponse;
-};
-
 /**
  * Fix proxied body if bodyParser is involved.
  */
-export function fixRequestBody(
-  proxyReq: http.ClientRequest,
-  req: http.IncomingMessage,
-  res: http.ServerResponse
-): void {
+export function fixRequestBody(proxyReq: http.ClientRequest, req: http.IncomingMessage): void {
+  // skip fixRequestBody() when req.readableLength not 0 (bodyParser failure)
+  if (req.readableLength !== 0) {
+    return;
+  }
+
   const requestBody = (req as Request).body;
 
   if (!requestBody) {
@@ -28,18 +23,6 @@ export function fixRequestBody(
     return;
   }
 
-  // Handle bad request when unexpected "Connect: Upgrade" header is provided
-  if (/upgrade/gi.test(proxyReq.getHeader('Connection') as string)) {
-    handleBadRequest({ proxyReq, req, res });
-    return;
-  }
-
-  // Handle bad request when invalid request body is provided
-  if (hasInvalidKeys(requestBody)) {
-    handleBadRequest({ proxyReq, req, res });
-    return;
-  }
-
   const writeBody = (bodyData: string) => {
     // deepcode ignore ContentLengthInCode: bodyParser fix
     proxyReq.setHeader('Content-Length', Buffer.byteLength(bodyData));
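Review bot: The `req.readableLength !== 0` guard added at the top of `fixRequestBody` measures how many unread bytes happen to be buffered on the stream at call time, not whether bodyParser consumed and parsed the body, so a request whose body has not yet arrived from the socket reports `readableLength === 0` and, if a skipped bodyParser left `req.body = {}`, `{}` is still written to `proxyReq` with the real body following once http-proxy pipes `req`. If that case is in scope, checking stream completion is a more direct signal, e.g. `if (req.readableLength !== 0 || !req.readableEnded) { return; }` — hedged, because `readableEnded` only becomes true after `'end'` is emitted and the `IncomingMessage` built by the new `createRequestWithBody` test helper never ends, so the tests would have to end the stream. The comment `(bodyParser failure)` is also imprecise about what the check detects; suggest `// unread body bytes are still buffered on req (bodyParser skipped or did not consume the stream): leave the body alone so it is piped through untouched`. `fixRequestBody` continues past the end of this hunk.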
@@ -52,14 +35,3 @@ export function fixRequestBody(
     writeBody(querystring.stringify(requestBody));
   }
 }
-
-function hasInvalidKeys(obj) {
-  return Object.keys(obj).some((key) => /[\n\r]/.test(key));
-}
-
-function handleBadRequest({ proxyReq, req, res }: HandleBadRequestArgs) {
-  res.writeHead(400);
-  res.end('Bad Request');
-  proxyReq.destroy();
-  req.destroy();
-}
diff --git a/test/unit/fix-request-body.spec.ts b/test/unit/fix-request-body.spec.ts
index e95e2045..0348a2df 100644
--- a/test/unit/fix-request-body.spec.ts
+++ b/test/unit/fix-request-body.spec.ts
@@ -17,6 +17,13 @@ const fakeProxyResponse = (): ServerResponse => {
   return res;
 };
 
+const createRequestWithBody = (body: unknown): Request => {
+  const req = new IncomingMessage(new Socket()) as Request;
+  req.url = '/test_path';
+  req.body = body;
+  return req;
+};
+
 describe('fixRequestBody', () => {
   it('should not write when body is undefined', () => {
     const proxyRequest = fakeProxyRequest();
@@ -24,7 +31,7 @@ describe('fixRequestBody', () => {
     jest.spyOn(proxyRequest, 'setHeader');
     jest.spyOn(proxyRequest, 'write');
 
-    fixRequestBody(proxyRequest, { body: undefined } as Request, fakeProxyResponse());
+    fixRequestBody(proxyRequest, createRequestWithBody(undefined));
 
     expect(proxyRequest.setHeader).not.toHaveBeenCalled();
     expect(proxyRequest.write).not.toHaveBeenCalled();
@@ -37,7 +44,7 @@ describe('fixRequestBody', () => {
     jest.spyOn(proxyRequest, 'setHeader');
     jest.spyOn(proxyRequest, 'write');
 
-    fixRequestBody(proxyRequest, { body: {} } as Request, fakeProxyResponse());
+    fixRequestBody(proxyRequest, createRequestWithBody({}));
 
     expect(proxyRequest.setHeader).toHaveBeenCalled();
     expect(proxyRequest.write).toHaveBeenCalled();
@@ -50,11 +57,7 @@ describe('fixRequestBody', () => {
     jest.spyOn(proxyRequest, 'setHeader');
     jest.spyOn(proxyRequest, 'write');
 
-    fixRequestBody(
-      proxyRequest,
-      { body: { someField: 'some value' } } as Request,
-      fakeProxyResponse()
-    );
+    fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }));
 
     const expectedBody = JSON.stringify({ someField: 'some value' });
     expect(proxyRequest.setHeader).toHaveBeenCalledWith('Content-Length', expectedBody.length);
@@ -68,11 +71,7 @@ describe('fixRequestBody', () => {
     jest.spyOn(proxyRequest, 'setHeader');
     jest.spyOn(proxyRequest, 'write');
 
-    fixRequestBody(
-      proxyRequest,
-      { body: { someField: 'some value' } } as Request,
-      fakeProxyResponse()
-    );
+    fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }));
 
     const expectedBody = querystring.stringify({ someField: 'some value' });
     expect(proxyRequest.setHeader).toHaveBeenCalledWith('Content-Length', expectedBody.length);
@@ -86,11 +85,7 @@ describe('fixRequestBody', () => {
     jest.spyOn(proxyRequest, 'setHeader');
     jest.spyOn(proxyRequest, 'write');
 
-    fixRequestBody(
-      proxyRequest,
-      { body: { someField: 'some value' } } as Request,
-      fakeProxyResponse()
-    );
+    fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }));
 
     const expectedBody = querystring.stringify({ someField: 'some value' });
     expect(proxyRequest.setHeader).toHaveBeenCalledWith('Content-Length', expectedBody.length);
@@ -104,11 +99,7 @@ describe('fixRequestBody', () => {
     jest.spyOn(proxyRequest, 'setHeader');
     jest.spyOn(proxyRequest, 'write');
 
-    fixRequestBody(
-      proxyRequest,
-      { body: { someField: 'some value' } } as Request,
-      fakeProxyResponse()
-    );
+    fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }));
 
     const expectedBody = JSON.stringify({ someField: 'some value' });
     expect(proxyRequest.setHeader).toHaveBeenCalledWith('Content-Length', expectedBody.length);
@@ -116,50 +107,26 @@ describe('fixRequestBody', () => {
     expect(proxyRequest.write).toHaveBeenCalledWith(expectedBody);
   });
 
-  it('should return 400 and abort request on "Connection: Upgrade" header', () => {
+  it('should not fixRequestBody() when there bodyParser fails', () => {
     const proxyRequest = fakeProxyRequest();
-    const request = { body: { someField: 'some value' } } as Request;
-
-    proxyRequest.destroy = jest.fn();
-    request.destroy = jest.fn();
-
-    const proxyResponse = fakeProxyResponse();
-    proxyRequest.setHeader('connection', 'upgrade');
-    proxyRequest.setHeader('content-type', 'application/x-www-form-urlencoded');
-
-    jest.spyOn(proxyRequest, 'destroy');
-    jest.spyOn(request, 'destroy');
-    jest.spyOn(proxyResponse, 'writeHead');
-    jest.spyOn(proxyResponse, 'end');
-
-    fixRequestBody(proxyRequest, request, proxyResponse);
-
-    expect(proxyResponse.writeHead).toHaveBeenCalledWith(400);
-    expect(proxyResponse.end).toHaveBeenCalledTimes(1);
-    expect(proxyRequest.destroy).toHaveBeenCalledTimes(1);
-    expect(request.destroy).toHaveBeenCalledTimes(1);
-  });
-
-  it('should return 400 and abort request on invalid request data', () => {
-    const proxyRequest = fakeProxyRequest();
-    const request = { body: { 'INVALID \n\r DATA': '' } } as Request;
-
-    proxyRequest.destroy = jest.fn();
-    request.destroy = jest.fn();
+    const request = {
+      get readableLength() {
+        return 4444; // simulate bodyParser failure
+      },
+    } as Request;
 
     const proxyResponse = fakeProxyResponse();
     proxyRequest.setHeader('content-type', 'application/x-www-form-urlencoded');
 
+    jest.spyOn(proxyRequest, 'write');
     jest.spyOn(proxyRequest, 'destroy');
-    jest.spyOn(request, 'destroy');
     jest.spyOn(proxyResponse, 'writeHead');
     jest.spyOn(proxyResponse, 'end');
 
-    fixRequestBody(proxyRequest, request, proxyResponse);
+    fixRequestBody(proxyRequest, request);
 
-    expect(proxyResponse.writeHead).toHaveBeenCalledWith(400);
-    expect(proxyResponse.end).toHaveBeenCalledTimes(1);
-    expect(proxyRequest.destroy).toHaveBeenCalledTimes(1);
-    expect(request.destroy).toHaveBeenCalledTimes(1);
+    expect(proxyResponse.end).toHaveBeenCalledTimes(0);
+    expect(proxyRequest.write).toHaveBeenCalledTimes(0);
+    expect(proxyRequest.destroy).toHaveBeenCalledTimes(0);
   });
 });

From 617a7c9da9cc90ecc00b0c8b1c2f6a385c879cb1 Mon Sep 17 00:00:00 2001
From: Steven Chim <655241+chimurai@users.noreply.github.com>
Date: Thu, 10 Apr 2025 14:10:53 +0200
Subject: [PATCH 2/2] chore(package): v2.0.9 (#1099)

---
 CHANGELOG.md | 4 ++++
 package.json | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 22557406..4412d3e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## [v2.0.9](https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.9)
+
+- fix(fixRequestBody): check readableLength
+
 ## [v2.0.8](https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.8)
 
 - fix(fixRequestBody): prevent multiple .write() calls
diff --git a/package.json b/package.json
index 56150637..041ed2ff 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "http-proxy-middleware",
-  "version": "2.0.8",
+  "version": "2.0.9",
   "description": "The one-liner node.js proxy middleware for connect, express and browser-sync",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
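Review bot: The new test `should not fixRequestBody() when there bodyParser fails` passes without exercising the `readableLength` guard: its fake `request` has only a `readableLength` getter and no `body`, so even with the guard removed `fixRequestBody` returns early at `if (!requestBody)` and every `toHaveBeenCalledTimes(0)` expectation still holds. Give the fake a body that would otherwise be written, e.g. `body: { someField: 'some value' },` next to the getter, so the test fails if the guard regresses. The `proxyResponse` spies are dead now that `fixRequestBody` no longer takes `res`, and the title reads better as `'should not fixRequestBody() when bodyParser fails'`. The enclosing `describe` block starts outside the hunk.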