From e53969964bdb87047afef4eefe95f008e5c69ce6 Mon Sep 17 00:00:00 2001
From: fengmk2
Date: Fri, 7 Jun 2024 09:40:11 +0800
Subject: [PATCH 1/4] feat: add bodyParser.onProtoPoisoning type define
https://github.com/cojs/co-body/pull/87
---
 index.d.ts | 3 +++
 test/app/middleware/body_parser.test.js | 10 ++++++++++
 2 files changed, 13 insertions(+)
diff --git a/index.d.ts b/index.d.ts
index 7578182fda..0083730b78 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -330,6 +330,7 @@ declare module 'egg' {
 * @property {Number} queryString.parameterLimit - paramter number limit ,default 1000
 * @property {string[]} enableTypes - parser will only parse when request type hits enableTypes, default is ['json', 'form']
 * @property {any} extendTypes - support extend types
+ * @property {string} onProtoPoisoning - Defines what action must take when parsing a JSON object with `__proto__`. Possible values are `'error'`, `'remove'` and `'ignore'`. Default is `'error'`, it will throw a `SyntaxError` when `Prototype-Poisoning` happen.
 */
 bodyParser: {
 enable: boolean;
@@ -351,6 +352,8 @@ declare module 'egg' {
 form: string[];
 text: string[];
 };
+ /** Default is `'error'`, it will throw a `SyntaxError` when `Prototype-Poisoning` happen. */
+ onProtoPoisoning: 'error' | 'remove' | 'ignore';
 };
 
 /**
diff --git a/test/app/middleware/body_parser.test.js b/test/app/middleware/body_parser.test.js
index 04f37833ec..04fefcf238 100644
--- a/test/app/middleware/body_parser.test.js
+++ b/test/app/middleware/body_parser.test.js
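Review bot: The new `@property {string} onProtoPoisoning` line in the first hunk types the option as an open string while the declaration two hunks later restricts it to three literals, so the JSDoc should carry the same set: `* @property {'error'|'remove'|'ignore'} onProtoPoisoning - Defines what action to take when parsing a JSON object with a \`__proto__\` key ...`. Patches 2 and 4 of this series rewrite the same line (ending as `{String}`) without closing that gap, so the fix applies to those hunks as well. The phrase "what action must take ... when `Prototype-Poisoning` happen" reads better as "what action to take ... when prototype poisoning happens" in every copy. The `bodyParser` doc block and config object start and end outside the hunk.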
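Review bot: The comment on the new `onProtoPoisoning` property in the second hunk documents only the `'error'` default and leaves `'remove'` and `'ignore'` unexplained, although the choice decides whether a `__proto__` key from the request body reaches application code. Going by the linked co-body change, `'remove'` presumably strips the key and `'ignore'` leaves it on the parsed body untouched; confirm against co-body and state it on the property, e.g. `/** Action for a JSON body containing a __proto__ key: 'error' rejects the request (default), 'remove' drops the key, 'ignore' keeps it and leaves prototype-pollution handling to the route. */`. The enclosing `bodyParser` config object starts and ends outside the hunk.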
@@ -98,6 +98,16 @@ describe('test/app/middleware/body_parser.test.js', () => {
 .expect(400);
 });
 
+ it('should 400 when POST with Prototype-Poisoning body', async () => {
+ app.mockCsrf();
+ await app.httpRequest()
+ .post('/test/body_parser/user')
+ .set('content-type', 'application/json')
+ .set('content-encoding', 'gzip')
+ .expect(/unexpected end of file, check bodyParser config/)
+ .expect(400);
+ });
+
 it('should disable body parser', async () => {
 app1 = utils.app('apps/body_parser_testapp_disable');
 await app1.ready();
From 9dfa68c3a90833715fdade5aa7ce8185938268da Mon Sep 17 00:00:00 2001
From: fengmk2
Date: Fri, 7 Jun 2024 09:44:41 +0800
Subject: [PATCH 2/4] f
---
 index.d.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/index.d.ts b/index.d.ts
index 0083730b78..fd997ff766 100644
--- a/index.d.ts
+++ b/index.d.ts
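Review bot: The new test `should 400 when POST with Prototype-Poisoning body` never sends a body containing `__proto__`: it posts an empty request with `content-encoding: gzip` and asserts on the inflate message, so it exercises the decompression error path and proves nothing about `onProtoPoisoning`. To cover the feature, replace the `content-encoding` header with a JSON body that carries a `__proto__` key, e.g. `.send('{"__proto__": {"polluted": true}}')` (constructed sample), and assert the status the type docs in this series promise for the default, which the later patches state as `403` rather than the `400` asserted here, with a message regex that matches that rejection. The surrounding `describe` block starts and ends outside the hunk.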
@@ -326,11 +326,11 @@ declare module 'egg' {
 * @property {String} textLimit - json body size limit, default 1mb
 * @property {Boolean} strict - json body strict mode, if set strict value true, then only receive object and array json body
 * @property {Number} queryString.arrayLimit - from item array length limit, default 100
- * @property {Number} queryString.depth - json value deep lenght, default 5
- * @property {Number} queryString.parameterLimit - paramter number limit ,default 1000
+ * @property {Number} queryString.depth - json value deep length, default 5
+ * @property {Number} queryString.parameterLimit - parameter number limit, default 1000
 * @property {string[]} enableTypes - parser will only parse when request type hits enableTypes, default is ['json', 'form']
 * @property {any} extendTypes - support extend types
- * @property {string} onProtoPoisoning - Defines what action must take when parsing a JSON object with `__proto__`. Possible values are `'error'`, `'remove'` and `'ignore'`. Default is `'error'`, it will throw a `SyntaxError` when `Prototype-Poisoning` happen.
+ * @property {string} onProtoPoisoning - Defines what action must take when parsing a JSON object with `__proto__`. Possible values are `'error'`, `'remove'` and `'ignore'`. Default is `'error'`, it will return `403` response when `Prototype-Poisoning` happen.
 */
 bodyParser: {
 enable: boolean;
From c09fcda548abe0096afcb9fa9433c75eae1fd759 Mon Sep 17 00:00:00 2001
From: fengmk2
Date: Fri, 7 Jun 2024 09:46:22 +0800
Subject: [PATCH 3/4] f
---
 index.d.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.d.ts b/index.d.ts
index fd997ff766..46d4fdb095 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -352,7 +352,7 @@ declare module 'egg' {
 form: string[];
 text: string[];
 };
- /** Default is `'error'`, it will throw a `SyntaxError` when `Prototype-Poisoning` happen. */
+ /** Default is `'error'`, it will return `403` response when `Prototype-Poisoning` happen. */
 onProtoPoisoning: 'error' | 'remove' | 'ignore';
 };
 
From 4ab9aee03efa13abafa8d4c6667f4a5004d34be9 Mon Sep 17 00:00:00 2001
From: fengmk2
Date: Fri, 7 Jun 2024 09:47:31 +0800
Subject: [PATCH 4/4] f
---
 index.d.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/index.d.ts b/index.d.ts
index 46d4fdb095..c413d8ae1a 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -328,9 +328,9 @@ declare module 'egg' {
 * @property {Number} queryString.arrayLimit - from item array length limit, default 100
 * @property {Number} queryString.depth - json value deep length, default 5
 * @property {Number} queryString.parameterLimit - parameter number limit, default 1000
- * @property {string[]} enableTypes - parser will only parse when request type hits enableTypes, default is ['json', 'form']
- * @property {any} extendTypes - support extend types
- * @property {string} onProtoPoisoning - Defines what action must take when parsing a JSON object with `__proto__`. Possible values are `'error'`, `'remove'` and `'ignore'`. Default is `'error'`, it will return `403` response when `Prototype-Poisoning` happen.
+ * @property {String[]} enableTypes - parser will only parse when request type hits enableTypes, default is ['json', 'form']
+ * @property {Object} extendTypes - support extend types
+ * @property {String} onProtoPoisoning - Defines what action must take when parsing a JSON object with `__proto__`. Possible values are `'error'`, `'remove'` and `'ignore'`. Default is `'error'`, it will return `403` response when `Prototype-Poisoning` happen.
 */
 bodyParser: {
 enable: boolean;