mirror of
https://github.com/honojs/hono.git
synced 2024-12-01 11:51:01 +01:00
cca7577cf4
* fix: return status 500 when using validator 'form'
When using `validator('form', ...)` hono is returning a 500 status
when receiving a POST request with a JSON in request body, instead
of a bad request 400, .
This is happenning due to a unhandled error in an
underlying library (@miniflare).
https://github.com/cloudflare/miniflare/pull/711
The code changes in this PR are responsible to prepare the code to
handle possible TypeError that can be thrown in the future, by the lib
doing the FormData parsing, as per, https://fetch.spec.whatwg.org/#dom-body-formdata.
This PR should wait for bugfix on @miniflare.
* fix: json validator allowing Content-Type value other than json/application
Forgery attacks will try to avoid preflight requests when POSTing JSON
payloads manipulating the HTTP header Content-Type. For example, it will
send a JSON payload with `Content-Type=text/plain`, but the request stills
containing a JSON in its body. Those requests must be rejected.
Thus, when using the validator with the target set to `json`, we must
check the Content-Type header.
* fix: change check for json Content-Type header
Change JSON validation to only allow Content-Type header starting with
'application/json'.
Change from regexp test to starsWith builtin function, to make code more
expressive.
---------
Co-authored-by: Bruno Nascimento <bruno.nascimento@csghq.com>
136 lines
4.1 KiB
TypeScript
136 lines
4.1 KiB
TypeScript
import type { Context } from '../context.ts'
|
|
import { getCookie } from '../helper/cookie/index.ts'
|
|
import type { Env, ValidationTargets, MiddlewareHandler } from '../types.ts'
|
|
import type { BodyData } from '../utils/body.ts'
|
|
import { bufferToFormData } from '../utils/buffer.ts'
|
|
|
|
type ValidationTargetKeysWithBody = 'form' | 'json'
|
|
type ValidationTargetByMethod<M> = M extends 'get' | 'head' // GET and HEAD request must not have a body content.
|
|
? Exclude<keyof ValidationTargets, ValidationTargetKeysWithBody>
|
|
: keyof ValidationTargets
|
|
|
|
export type ValidationFunction<
|
|
InputType,
|
|
OutputType,
|
|
E extends Env = {},
|
|
P extends string = string
|
|
> = (
|
|
value: InputType,
|
|
c: Context<E, P>
|
|
) => OutputType | Response | Promise<OutputType> | Promise<Response>
|
|
|
|
export const validator = <
|
|
InputType,
|
|
P extends string,
|
|
M extends string,
|
|
U extends ValidationTargetByMethod<M>,
|
|
OutputType = ValidationTargets[U],
|
|
P2 extends string = P,
|
|
V extends {
|
|
in: { [K in U]: unknown extends InputType ? OutputType : InputType }
|
|
out: { [K in U]: OutputType }
|
|
} = {
|
|
in: { [K in U]: unknown extends InputType ? OutputType : InputType }
|
|
out: { [K in U]: OutputType }
|
|
},
|
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
E extends Env = any
|
|
>(
|
|
target: U,
|
|
validationFunc: ValidationFunction<
|
|
unknown extends InputType ? ValidationTargets[U] : InputType,
|
|
OutputType,
|
|
E,
|
|
P2
|
|
>
|
|
): MiddlewareHandler<E, P, V> => {
|
|
return async (c, next) => {
|
|
let value = {}
|
|
|
|
switch (target) {
|
|
case 'json':
|
|
try {
|
|
const contentType = c.req.header('Content-Type')
|
|
if (!contentType || !contentType.startsWith('application/json')) {
|
|
throw new Error(`Invalid HTTP header: Content-Type=${contentType}`)
|
|
}
|
|
/**
|
|
* Get the arrayBuffer first, create JSON object via Response,
|
|
* and cache the arrayBuffer in the c.req.bodyCache.
|
|
*/
|
|
const arrayBuffer = c.req.bodyCache.arrayBuffer ?? (await c.req.raw.arrayBuffer())
|
|
value = await new Response(arrayBuffer).json()
|
|
c.req.bodyCache.json = value
|
|
c.req.bodyCache.arrayBuffer = arrayBuffer
|
|
} catch {
|
|
console.error('Error: Malformed JSON in request body')
|
|
return c.json(
|
|
{
|
|
success: false,
|
|
message: 'Malformed JSON in request body',
|
|
},
|
|
400
|
|
)
|
|
}
|
|
break
|
|
case 'form': {
|
|
try {
|
|
const contentType = c.req.header('Content-Type')
|
|
if (contentType) {
|
|
const arrayBuffer = c.req.bodyCache.arrayBuffer ?? (await c.req.raw.arrayBuffer())
|
|
const formData = await bufferToFormData(arrayBuffer, contentType)
|
|
const form: BodyData = {}
|
|
formData.forEach((value, key) => {
|
|
form[key] = value
|
|
})
|
|
value = form
|
|
c.req.bodyCache.formData = formData
|
|
c.req.bodyCache.arrayBuffer = arrayBuffer
|
|
}
|
|
} catch (e) {
|
|
let message = 'Malformed FormData request.'
|
|
message += e instanceof Error ? ` ${e.message}` : ` ${String(e)}`
|
|
return c.json(
|
|
{
|
|
success: false,
|
|
message,
|
|
},
|
|
400
|
|
)
|
|
}
|
|
break
|
|
}
|
|
case 'query':
|
|
value = Object.fromEntries(
|
|
Object.entries(c.req.queries()).map(([k, v]) => {
|
|
return v.length === 1 ? [k, v[0]] : [k, v]
|
|
})
|
|
)
|
|
break
|
|
case 'queries':
|
|
value = c.req.queries()
|
|
console.log('Warnings: Validate type `queries` is deprecated. Use `query` instead.')
|
|
break
|
|
case 'param':
|
|
value = c.req.param() as Record<string, string>
|
|
break
|
|
case 'header':
|
|
value = c.req.header()
|
|
break
|
|
case 'cookie':
|
|
value = getCookie(c)
|
|
break
|
|
}
|
|
|
|
const res = await validationFunc(value as never, c as never)
|
|
|
|
if (res instanceof Response) {
|
|
return res
|
|
}
|
|
|
|
c.req.addValidatedData(target, res as never)
|
|
|
|
await next()
|
|
}
|
|
}
|