fix: content-type mis-handling for invalid non-essence content-type (#…

…4509) * fix: content-type mis-handling for invalid non-essence content-type * Update lib/contentTypeParser.js Co-authored-by: Uzlopak <aras.abbasi@googlemail.com> * fixup: empty string and semicolon edge case * test: add edge case * chore: update comment * test: remove duplicate test --------- Co-authored-by: Uzlopak <aras.abbasi@googlemail.com>
fastify · Mar 13, 2023 · 4723c1b · 4723c1b
1 parent 6b5957d
commit 4723c1b
Show file tree

Hide file tree

Showing 2 changed files with 111 additions and 2 deletions.
diff --git a/lib/contentTypeParser.js b/lib/contentTypeParser.js
@@ -396,10 +396,18 @@ function ParserListItem (contentType) {
   // we pre-calculate all the needed information
   // before content-type comparsion
   const parsed = safeParseContentType(contentType)
-  this.type = parsed.type
+  this.isEssence = contentType.indexOf(';') === -1
+  // we should not allow empty string for parser list item
+  // because it would become a match-all handler
+  if (this.isEssence === false && parsed.type === '') {
+    // handle semicolon or empty string
+    const tmp = contentType.split(';')[0]
+    this.type = tmp === '' ? contentType : tmp
+  } else {
+    this.type = parsed.type
+  }
   this.parameters = parsed.parameters
   this.parameterKeys = Object.keys(parsed.parameters)
-  this.isEssence = contentType.indexOf(';') === -1
 }
 
 // used in ContentTypeParser.remove

diff --git a/test/content-parser.test.js b/test/content-parser.test.js
@@ -649,3 +649,104 @@ test('content-type regexp list should be cloned when plugin override', async t =
     t.same(payload, 'png')
   }
 })
+
+test('allow partial content-type - essence check', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('json', function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; foo=bar; charset=utf8'
+    },
+    body: ''
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'image/jpeg'
+    },
+    body: ''
+  })
+})
+
+test('allow partial content-type - not essence check', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('json;', function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; foo=bar; charset=utf8'
+    },
+    body: ''
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'image/jpeg'
+    },
+    body: ''
+  })
+})
+
+test('edge case content-type - ;', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser(';', function (request, body, done) {
+    t.fail('should not be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; foo=bar; charset=utf8'
+    },
+    body: ''
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'image/jpeg'
+    },
+    body: ''
+  })
+
+  t.pass('end')
+})