fix: content-type mis-handling for invalid non-essence content-type (fastify#4509)

climba03003 · Uzlopak · web-flow · commit 4723c1b228f4 · 2023-03-13T15:29:05.000+01:00
* fix: content-type mis-handling for invalid non-essence content-type

* Update lib/contentTypeParser.js

Co-authored-by: Uzlopak &lt;aras.abbasi@googlemail.com&gt;

* fixup: empty string and semicolon edge case

* test: add edge case

* chore: update comment

* test: remove duplicate test

---------

Co-authored-by: Uzlopak &lt;aras.abbasi@googlemail.com&gt;
diff --git a/lib/contentTypeParser.js b/lib/contentTypeParser.js
@@ -396,10 +396,18 @@ function ParserListItem (contentType) {
   // we pre-calculate all the needed information
   // before content-type comparsion
   const parsed = safeParseContentType(contentType)
-  this.type = parsed.type
+  this.isEssence = contentType.indexOf(';') === -1
+  // we should not allow empty string for parser list item
+  // because it would become a match-all handler
+  if (this.isEssence === false && parsed.type === '') {
+    // handle semicolon or empty string
+    const tmp = contentType.split(';')[0]
+    this.type = tmp === '' ? contentType : tmp
+  } else {
+    this.type = parsed.type
+  }
   this.parameters = parsed.parameters
   this.parameterKeys = Object.keys(parsed.parameters)
-  this.isEssence = contentType.indexOf(';') === -1
 }
 
 // used in ContentTypeParser.remove
diff --git a/test/content-parser.test.js b/test/content-parser.test.js
@@ -649,3 +649,104 @@ test('content-type regexp list should be cloned when plugin override', async t =
     t.same(payload, 'png')
   }
 })
+
+test('allow partial content-type - essence check', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('json', function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; foo=bar; charset=utf8'
+    },
+    body: ''
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'image/jpeg'
+    },
+    body: ''
+  })
+})
+
+test('allow partial content-type - not essence check', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser('json;', function (request, body, done) {
+    t.pass('should be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; foo=bar; charset=utf8'
+    },
+    body: ''
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'image/jpeg'
+    },
+    body: ''
+  })
+})
+
+test('edge case content-type - ;', async t => {
+  t.plan(1)
+
+  const fastify = Fastify()
+  fastify.removeAllContentTypeParsers()
+  fastify.addContentTypeParser(';', function (request, body, done) {
+    t.fail('should not be called')
+    done(null, body)
+  })
+
+  fastify.post('/', async () => {
+    return 'ok'
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'application/json; foo=bar; charset=utf8'
+    },
+    body: ''
+  })
+
+  await fastify.inject({
+    method: 'POST',
+    path: '/',
+    headers: {
+      'content-type': 'image/jpeg'
+    },
+    body: ''
+  })
+
+  t.pass('end')
+})
