.eslintrc.json

@@ -1,52 +1,26 @@
 {
-    "extends": [
-      "eslint:recommended",
-      "plugin:@typescript-eslint/eslint-recommended",
-      "plugin:@typescript-eslint/recommended",
-      "standard"
-    ],
-    "parser": "@typescript-eslint/parser",
-    "plugins": ["@typescript-eslint"],
-    "env": { "node": true },
-    "parserOptions": {
-      "ecmaVersion": 6,
-      "sourceType": "module",
-      "project": "./tsconfig.eslint.json",
-      "createDefaultProgram": true
-    },
-    "rules": {
-      "no-console": "off",
-      "@typescript-eslint/indent": ["error", 2],
-      "semi": ["error", "never"],
-      "import/export": "off" // this errors on multiple exports (overload interfaces)
-    },
-    "overrides": [
-      {
-        "files": ["*.d.ts","*.test-d.ts"],
-        "rules": {
-          "no-use-before-define": "off",
-          "no-redeclare": "off",
-          "@typescript-eslint/no-explicit-any": "off"
-        }
+  "plugins": ["@typescript-eslint"],
+  "extends": ["eslint:recommended", "standard"],
+  "overrides": [
+    {
+      "files": ["types/*.test-d.ts", "types/*.d.ts"],
+      "parser": "@typescript-eslint/parser",
+      "parserOptions": {
+        "project": ["./tsconfig.eslint.json"]
       },
-      {
-        "files": ["*.test-d.ts"],
-        "rules": {
-          "no-unused-expressions": "off",
-          "@typescript-eslint/no-var-requires": "off",
-          "no-unused-vars": "off",
-          "n/handle-callback-err": "off",
-          "@typescript-eslint/no-empty-function": "off",
-          "@typescript-eslint/explicit-function-return-type": "off",
-          "@typescript-eslint/no-unused-vars": "off",
-          "@typescript-eslint/no-non-null-assertion": "off",
-          "@typescript-eslint/no-misused-promises": ["error", {
-            "checksVoidReturn": false
-          }]
-        },
-        "globals": {
-          "NodeJS": "readonly"
-        }
+      "extends": [
+        "plugin:@typescript-eslint/recommended",
+        "plugin:@typescript-eslint/recommended-requiring-type-checking"
+      ],
+      "rules": {
+        "no-unused-expressions": "off",
+        "no-use-before-define": "off",
+        "no-redeclare": "off",
+        "@typescript-eslint/require-await": "off",
+        "@typescript-eslint/no-explicit-any": "off",
+        "@typescript-eslint/no-floating-promises": "off",
+        "@typescript-eslint/no-unused-vars": "off"
       }
-    ]
-  }
+    }
+  ]
+}

.gitattributes

@@ -0,0 +1,2 @@
+# Set default behavior to automatically convert line endings
+* text=auto eol=lf

.taprc

@@ -1,3 +1,2 @@
-check-coverage: false
 files:
   - test/**/*.test.js

README.md

@@ -288,7 +288,7 @@ If you try to read from a stream and pipe to a new file, you will obtain an empt
 
 ## JSON Schema body validation
 
-If you enable `attachFieldsToBody: 'keyValues'` then the response body and JSON Schema validation will behave similarly to `application/json` and [`application/x-www-form-urlencoded`](https://github.com/fastify/fastify-formbody) content types. Files will be decoded using `Buffer.toString()` and attached as a body value.
+When the `attachFieldsToBody` parameter is set to `'keyValues'`, JSON Schema validation on the body will behave similarly to `application/json` and [`application/x-www-form-urlencoded`](https://github.com/fastify/fastify-formbody) content types. Additionally, uploaded files will be attached to the body as `Buffer` objects.
 
 ```js
 fastify.register(require('@fastify/multipart'), { attachFieldsToBody: 'keyValues' })
@@ -302,9 +302,7 @@ fastify.post('/upload/files', {
       properties: {
         // file that gets decoded to string
         myFile: {
-          type: 'string',
-          // validate that file contents match a UUID
-          pattern: '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
+          type: 'object',
         },
         hello: {
           type: 'string',

index.js

@@ -17,7 +17,6 @@ const secureJSON = require('secure-json-parse')
 
 const kMultipart = Symbol('multipart')
 const kMultipartHandler = Symbol('multipartHandler')
-const getDescriptor = Object.getOwnPropertyDescriptor
 
 const PartsLimitError = createError('FST_PARTS_LIMIT', 'reach parts limit', 413)
 const FilesLimitError = createError('FST_FILES_LIMIT', 'reach files limit', 413)
@@ -29,7 +28,7 @@ const InvalidJSONFieldError = createError('FST_INVALID_JSON_FIELD_ERROR', 'a req
 const FileBufferNotFoundError = createError('FST_FILE_BUFFER_NOT_FOUND', 'the file buffer was not found', 500)
 
 function setMultipart (req, payload, done) {
-  req.raw[kMultipart] = true
+  req[kMultipart] = true
   done()
 }
 
@@ -95,6 +94,8 @@ function fastifyMultipart (fastify, options, done) {
             const key = reqBodyKeys[i]
             const field = req.body[key]
 
+            /* Don't modify the body if a field doesn't have a value or an attached buffer */
+            /* istanbul ignore else */
             if (field.value !== undefined) {
               body[key] = field.value
             } else if (field._buf) {
@@ -139,6 +140,7 @@ function fastifyMultipart (fastify, options, done) {
   })
 
   fastify.addContentTypeParser('multipart/form-data', setMultipart)
+  fastify.decorateRequest(kMultipart, false)
   fastify.decorateRequest(kMultipartHandler, handleMultipart)
 
   fastify.decorateRequest('parts', getMultipartIterator)
@@ -160,7 +162,7 @@ function fastifyMultipart (fastify, options, done) {
   })
 
   function isMultipart () {
-    return this.raw[kMultipart]
+    return this[kMultipart]
   }
 
   function handleMultipart (opts = {}) {
@@ -249,7 +251,7 @@ function fastifyMultipart (fastify, options, done) {
 
     function onField (name, fieldValue, fieldnameTruncated, valueTruncated, encoding, contentType) {
       // don't overwrite prototypes
-      if (getDescriptor(Object.prototype, name)) {
+      if (name in Object.prototype) {
         onError(new PrototypeViolationError())
         return
       }
@@ -295,7 +297,7 @@ function fastifyMultipart (fastify, options, done) {
 
     function onFile (name, file, filename, encoding, mimetype) {
       // don't overwrite prototypes
-      if (getDescriptor(Object.prototype, name)) {
+      if (name in Object.prototype) {
         // ensure that stream is consumed, any error is suppressed
         sendToWormhole(file)
         onError(new PrototypeViolationError())
@@ -453,7 +455,8 @@ function fastifyMultipart (fastify, options, done) {
       try {
         await unlink(filepath)
       } catch (error) {
-        this.log.error(error, 'could not delete file')
+        /* istanbul ignore next */
+        this.log.error(error, 'Could not delete file')
       }
     }
   }
@@ -462,6 +465,8 @@ function fastifyMultipart (fastify, options, done) {
     const parts = this[kMultipartHandler](options)
     let part
     while ((part = await parts()) != null) {
+      /* Only return a part if the file property exists */
+      /* istanbul ignore else */
       if (part.file) {
         return part
       }

package.json

@@ -1,26 +1,27 @@
 {
   "name": "@fastify/multipart",
-  "version": "7.7.3",
+  "version": "8.1.0",
   "description": "Multipart plugin for Fastify",
   "main": "index.js",
+  "type": "commonjs",
   "types": "types/index.d.ts",
   "dependencies": {
     "@fastify/busboy": "^1.0.0",
     "@fastify/deepmerge": "^1.0.0",
     "@fastify/error": "^3.0.0",
-    "@fastify/swagger": "^8.3.1",
-    "@fastify/swagger-ui": "^1.8.0",
     "fastify-plugin": "^4.0.0",
     "secure-json-parse": "^2.4.0",
     "stream-wormhole": "^1.1.0"
   },
   "devDependencies": {
     "@fastify/pre-commit": "^2.0.2",
+    "@fastify/swagger": "^8.10.1",
+    "@fastify/swagger-ui": "^2.0.1",
     "@types/node": "^20.1.0",
     "@typescript-eslint/eslint-plugin": "^6.3.0",
     "@typescript-eslint/parser": "^6.3.0",
     "benchmark": "^2.1.4",
-    "climem": "^1.0.3",
+    "climem": "^2.0.0",
     "concat-stream": "^2.0.0",
     "eslint": "^8.20.0",
     "eslint-plugin-import": "^2.26.0",
@@ -31,11 +32,11 @@
     "h2url": "^0.2.0",
     "noop-stream": "^0.1.0",
     "pump": "^3.0.0",
-    "readable-stream": "^3.6.0",
+    "readable-stream": "^4.5.1",
     "snazzy": "^9.0.0",
     "standard": "^17.0.0",
     "tap": "^16.0.0",
-    "tsd": "^0.29.0"
+    "tsd": "^0.30.0"
   },
   "scripts": {
     "coverage": "npm run test:unit -- --coverage-report=html",

test/multipart-security.test.js

@@ -104,6 +104,141 @@ test('should not allow __proto__ as field name', function (t) {
   })
 })
 
+test('should not allow toString as field name', function (t) {
+  t.plan(4)
+
+  const fastify = Fastify()
+  t.teardown(fastify.close.bind(fastify))
+
+  fastify.register(multipart)
+
+  fastify.post('/', async function (req, reply) {
+    t.ok(req.isMultipart())
+
+    try {
+      await req.file()
+      reply.code(200).send()
+    } catch (error) {
+      t.ok(error instanceof fastify.multipartErrors.PrototypeViolationError)
+      reply.code(500).send()
+    }
+  })
+
+  fastify.listen({ port: 0 }, async function () {
+    // request
+    const form = new FormData()
+    const opts = {
+      protocol: 'http:',
+      hostname: 'localhost',
+      port: fastify.server.address().port,
+      path: '/',
+      headers: form.getHeaders(),
+      method: 'POST'
+    }
+
+    const req = http.request(opts, (res) => {
+      t.equal(res.statusCode, 500)
+      res.resume()
+      res.on('end', () => {
+        t.pass('res ended successfully')
+      })
+    })
+    form.append('toString', 'world')
+
+    form.pipe(req)
+  })
+})
+
+test('should not allow hasOwnProperty as field name', function (t) {
+  t.plan(4)
+
+  const fastify = Fastify()
+  t.teardown(fastify.close.bind(fastify))
+
+  fastify.register(multipart)
+
+  fastify.post('/', async function (req, reply) {
+    t.ok(req.isMultipart())
+
+    try {
+      await req.file()
+      reply.code(200).send()
+    } catch (error) {
+      t.ok(error instanceof fastify.multipartErrors.PrototypeViolationError)
+      reply.code(500).send()
+    }
+  })
+
+  fastify.listen({ port: 0 }, async function () {
+    // request
+    const form = new FormData()
+    const opts = {
+      protocol: 'http:',
+      hostname: 'localhost',
+      port: fastify.server.address().port,
+      path: '/',
+      headers: form.getHeaders(),
+      method: 'POST'
+    }
+
+    const req = http.request(opts, (res) => {
+      t.equal(res.statusCode, 500)
+      res.resume()
+      res.on('end', () => {
+        t.pass('res ended successfully')
+      })
+    })
+    form.append('hasOwnProperty', 'world')
+
+    form.pipe(req)
+  })
+})
+
+test('should not allow propertyIsEnumerable as field name', function (t) {
+  t.plan(4)
+
+  const fastify = Fastify()
+  t.teardown(fastify.close.bind(fastify))
+
+  fastify.register(multipart)
+
+  fastify.post('/', async function (req, reply) {
+    t.ok(req.isMultipart())
+
+    try {
+      await req.file()
+      reply.code(200).send()
+    } catch (error) {
+      t.ok(error instanceof fastify.multipartErrors.PrototypeViolationError)
+      reply.code(500).send()
+    }
+  })
+
+  fastify.listen({ port: 0 }, async function () {
+    // request
+    const form = new FormData()
+    const opts = {
+      protocol: 'http:',
+      hostname: 'localhost',
+      port: fastify.server.address().port,
+      path: '/',
+      headers: form.getHeaders(),
+      method: 'POST'
+    }
+
+    const req = http.request(opts, (res) => {
+      t.equal(res.statusCode, 500)
+      res.resume()
+      res.on('end', () => {
+        t.pass('res ended successfully')
+      })
+    })
+    form.append('propertyIsEnumerable', 'world')
+
+    form.pipe(req)
+  })
+})
+
 test('should use default for fileSize', async function (t) {
   t.plan(4)