1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-11-22 15:06:54 -05:00
denoland-deno/ext/fetch/21_formdata.js
Andreu Botella 9ba2c4c42f
fix(fetch): Correctly decode multipart/form-data names and filenames (#19145)
Currently the `multipart/form-data` parser in
`Request.prototype.formData` and `Response.prototype.formData` decodes
non-ASCII filenames incorrectly, as if they were encoded in Latin-1
rather than UTF-8. This happens because the header section of each
`multipart/form-data` entry is decoded as Latin-1 in order to be parsed
with `Headers`, which only allows `ByteString`s, but the names and
filenames are never decoded correctly. This PR fixes this as a
post-processing step.

Note that the `multipart/form-data` parsing for this APIs in the Fetch
spec is very much underspecified, and it does not specify that names and
filenames must be decoded as UTF-8. However, it does require that the
bodies of non-`File` entries are decoded as UTF-8, and in browsers,
names and filenames always use the same encoding as the body.

Closes #19142.
2023-05-16 17:49:35 +02:00

550 lines
14 KiB
JavaScript

// Copyright 2018-2023 the Deno authors. All rights reserved. MIT license.
// @ts-check
/// <reference path="../webidl/internal.d.ts" />
/// <reference path="../web/internal.d.ts" />
/// <reference path="../web/lib.deno_web.d.ts" />
/// <reference path="./internal.d.ts" />
/// <reference path="../web/06_streams_types.d.ts" />
/// <reference path="./lib.deno_fetch.d.ts" />
/// <reference lib="esnext" />
const core = globalThis.Deno.core;
import * as webidl from "ext:deno_webidl/00_webidl.js";
import {
Blob,
BlobPrototype,
File,
FilePrototype,
} from "ext:deno_web/09_file.js";
const primordials = globalThis.__bootstrap.primordials;
const {
ArrayPrototypePush,
ArrayPrototypeSlice,
ArrayPrototypeSplice,
MapPrototypeGet,
MapPrototypeSet,
MathRandom,
ObjectFreeze,
ObjectPrototypeIsPrototypeOf,
SafeMap,
SafeRegExp,
Symbol,
StringFromCharCode,
StringPrototypeTrim,
StringPrototypeSlice,
StringPrototypeSplit,
StringPrototypeReplace,
StringPrototypeIndexOf,
StringPrototypePadStart,
StringPrototypeCodePointAt,
StringPrototypeReplaceAll,
TypeError,
TypedArrayPrototypeSubarray,
Uint8Array,
} = primordials;
const entryList = Symbol("entry list");
/**
* @param {string} name
* @param {string | Blob} value
* @param {string | undefined} filename
* @returns {FormDataEntry}
*/
function createEntry(name, value, filename) {
if (
ObjectPrototypeIsPrototypeOf(BlobPrototype, value) &&
!ObjectPrototypeIsPrototypeOf(FilePrototype, value)
) {
value = new File([value], "blob", { type: value.type });
}
if (
ObjectPrototypeIsPrototypeOf(FilePrototype, value) &&
filename !== undefined
) {
value = new File([value], filename, {
type: value.type,
lastModified: value.lastModified,
});
}
return {
name,
// @ts-expect-error because TS is not smart enough
value,
};
}
/**
* @typedef FormDataEntry
* @property {string} name
* @property {FormDataEntryValue} value
*/
class FormData {
/** @type {FormDataEntry[]} */
[entryList] = [];
/** @param {void} form */
constructor(form) {
if (form !== undefined) {
webidl.illegalConstructor();
}
this[webidl.brand] = webidl.brand;
}
/**
* @param {string} name
* @param {string | Blob} valueOrBlobValue
* @param {string} [filename]
* @returns {void}
*/
append(name, valueOrBlobValue, filename) {
webidl.assertBranded(this, FormDataPrototype);
const prefix = "Failed to execute 'append' on 'FormData'";
webidl.requiredArguments(arguments.length, 2, prefix);
name = webidl.converters["USVString"](name, prefix, "Argument 1");
if (ObjectPrototypeIsPrototypeOf(BlobPrototype, valueOrBlobValue)) {
valueOrBlobValue = webidl.converters["Blob"](
valueOrBlobValue,
prefix,
"Argument 2",
);
if (filename !== undefined) {
filename = webidl.converters["USVString"](
filename,
prefix,
"Argument 3",
);
}
} else {
valueOrBlobValue = webidl.converters["USVString"](
valueOrBlobValue,
prefix,
"Argument 2",
);
}
const entry = createEntry(name, valueOrBlobValue, filename);
ArrayPrototypePush(this[entryList], entry);
}
/**
* @param {string} name
* @returns {void}
*/
delete(name) {
webidl.assertBranded(this, FormDataPrototype);
const prefix = "Failed to execute 'name' on 'FormData'";
webidl.requiredArguments(arguments.length, 1, prefix);
name = webidl.converters["USVString"](name, prefix, "Argument 1");
const list = this[entryList];
for (let i = 0; i < list.length; i++) {
if (list[i].name === name) {
ArrayPrototypeSplice(list, i, 1);
i--;
}
}
}
/**
* @param {string} name
* @returns {FormDataEntryValue | null}
*/
get(name) {
webidl.assertBranded(this, FormDataPrototype);
const prefix = "Failed to execute 'get' on 'FormData'";
webidl.requiredArguments(arguments.length, 1, prefix);
name = webidl.converters["USVString"](name, prefix, "Argument 1");
const entries = this[entryList];
for (let i = 0; i < entries.length; ++i) {
const entry = entries[i];
if (entry.name === name) return entry.value;
}
return null;
}
/**
* @param {string} name
* @returns {FormDataEntryValue[]}
*/
getAll(name) {
webidl.assertBranded(this, FormDataPrototype);
const prefix = "Failed to execute 'getAll' on 'FormData'";
webidl.requiredArguments(arguments.length, 1, prefix);
name = webidl.converters["USVString"](name, prefix, "Argument 1");
const returnList = [];
const entries = this[entryList];
for (let i = 0; i < entries.length; ++i) {
const entry = entries[i];
if (entry.name === name) ArrayPrototypePush(returnList, entry.value);
}
return returnList;
}
/**
* @param {string} name
* @returns {boolean}
*/
has(name) {
webidl.assertBranded(this, FormDataPrototype);
const prefix = "Failed to execute 'has' on 'FormData'";
webidl.requiredArguments(arguments.length, 1, prefix);
name = webidl.converters["USVString"](name, prefix, "Argument 1");
const entries = this[entryList];
for (let i = 0; i < entries.length; ++i) {
const entry = entries[i];
if (entry.name === name) return true;
}
return false;
}
/**
* @param {string} name
* @param {string | Blob} valueOrBlobValue
* @param {string} [filename]
* @returns {void}
*/
set(name, valueOrBlobValue, filename) {
webidl.assertBranded(this, FormDataPrototype);
const prefix = "Failed to execute 'set' on 'FormData'";
webidl.requiredArguments(arguments.length, 2, prefix);
name = webidl.converters["USVString"](name, prefix, "Argument 1");
if (ObjectPrototypeIsPrototypeOf(BlobPrototype, valueOrBlobValue)) {
valueOrBlobValue = webidl.converters["Blob"](
valueOrBlobValue,
prefix,
"Argument 2",
);
if (filename !== undefined) {
filename = webidl.converters["USVString"](
filename,
prefix,
"Argument 3",
);
}
} else {
valueOrBlobValue = webidl.converters["USVString"](
valueOrBlobValue,
prefix,
"Argument 2",
);
}
const entry = createEntry(name, valueOrBlobValue, filename);
const list = this[entryList];
let added = false;
for (let i = 0; i < list.length; i++) {
if (list[i].name === name) {
if (!added) {
list[i] = entry;
added = true;
} else {
ArrayPrototypeSplice(list, i, 1);
i--;
}
}
}
if (!added) {
ArrayPrototypePush(list, entry);
}
}
}
webidl.mixinPairIterable("FormData", FormData, entryList, "name", "value");
webidl.configurePrototype(FormData);
const FormDataPrototype = FormData.prototype;
const ESCAPE_FILENAME_PATTERN = new SafeRegExp(/\r?\n|\r/g);
const ESCAPE_PATTERN = new SafeRegExp(/([\n\r"])/g);
const ESCAPE_MAP = ObjectFreeze({
"\n": "%0A",
"\r": "%0D",
'"': "%22",
});
function escape(str, isFilename) {
return StringPrototypeReplace(
isFilename
? str
: StringPrototypeReplace(str, ESCAPE_FILENAME_PATTERN, "\r\n"),
ESCAPE_PATTERN,
(c) => ESCAPE_MAP[c],
);
}
const FORM_DETA_SERIALIZE_PATTERN = new SafeRegExp(/\r(?!\n)|(?<!\r)\n/g);
/**
* convert FormData to a Blob synchronous without reading all of the files
* @param {globalThis.FormData} formData
*/
function formDataToBlob(formData) {
const boundary = StringPrototypePadStart(
StringPrototypeSlice(
StringPrototypeReplaceAll(`${MathRandom()}${MathRandom()}`, ".", ""),
-28,
),
32,
"-",
);
const chunks = [];
const prefix = `--${boundary}\r\nContent-Disposition: form-data; name="`;
// deno-lint-ignore prefer-primordials
for (const { 0: name, 1: value } of formData) {
if (typeof value === "string") {
ArrayPrototypePush(
chunks,
prefix + escape(name) + '"' + CRLF + CRLF +
StringPrototypeReplace(
value,
FORM_DETA_SERIALIZE_PATTERN,
CRLF,
) + CRLF,
);
} else {
ArrayPrototypePush(
chunks,
prefix + escape(name) + `"; filename="${escape(value.name, true)}"` +
CRLF +
`Content-Type: ${value.type || "application/octet-stream"}\r\n\r\n`,
value,
CRLF,
);
}
}
ArrayPrototypePush(chunks, `--${boundary}--`);
return new Blob(chunks, {
type: "multipart/form-data; boundary=" + boundary,
});
}
const QUOTE_CONTENT_PATTERN = new SafeRegExp(/^"([^"]*)"$/);
/**
* @param {string} value
* @returns {Map<string, string>}
*/
function parseContentDisposition(value) {
/** @type {Map<string, string>} */
const params = new SafeMap();
// Forced to do so for some Map constructor param mismatch
const values = ArrayPrototypeSlice(StringPrototypeSplit(value, ";"), 1);
for (let i = 0; i < values.length; i++) {
const entries = StringPrototypeSplit(StringPrototypeTrim(values[i]), "=");
if (entries.length > 1) {
MapPrototypeSet(
params,
entries[0],
StringPrototypeReplace(entries[1], QUOTE_CONTENT_PATTERN, "$1"),
);
}
}
return params;
}
/**
* Decodes a string containing UTF-8 mistakenly decoded as Latin-1 and
* decodes it correctly.
* @param {string} latin1String
* @returns {string}
*/
function decodeLatin1StringAsUtf8(latin1String) {
const buffer = new Uint8Array(latin1String.length);
for (let i = 0; i < latin1String.length; i++) {
buffer[i] = latin1String.charCodeAt(i);
}
return core.decode(buffer);
}
const CRLF = "\r\n";
const LF = StringPrototypeCodePointAt(CRLF, 1);
const CR = StringPrototypeCodePointAt(CRLF, 0);
class MultipartParser {
/**
* @param {Uint8Array} body
* @param {string | undefined} boundary
*/
constructor(body, boundary) {
if (!boundary) {
throw new TypeError("multipart/form-data must provide a boundary");
}
this.boundary = `--${boundary}`;
this.body = body;
this.boundaryChars = core.encode(this.boundary);
}
/**
* @param {string} headersText
* @returns {{ headers: Headers, disposition: Map<string, string> }}
*/
#parseHeaders(headersText) {
const headers = new Headers();
const rawHeaders = StringPrototypeSplit(headersText, "\r\n");
for (let i = 0; i < rawHeaders.length; ++i) {
const rawHeader = rawHeaders[i];
const sepIndex = StringPrototypeIndexOf(rawHeader, ":");
if (sepIndex < 0) {
continue; // Skip this header
}
const key = StringPrototypeSlice(rawHeader, 0, sepIndex);
const value = StringPrototypeSlice(rawHeader, sepIndex + 1);
headers.set(key, value);
}
const disposition = parseContentDisposition(
headers.get("Content-Disposition") ?? "",
);
return { headers, disposition };
}
/**
* @returns {FormData}
*/
parse() {
// To have fields body must be at least 2 boundaries + \r\n + --
// on the last boundary.
if (this.body.length < (this.boundary.length * 2) + 4) {
const decodedBody = core.decode(this.body);
const lastBoundary = this.boundary + "--";
// check if it's an empty valid form data
if (
decodedBody === lastBoundary ||
decodedBody === lastBoundary + "\r\n"
) {
return new FormData();
}
throw new TypeError("Unable to parse body as form data.");
}
const formData = new FormData();
let headerText = "";
let boundaryIndex = 0;
let state = 0;
let fileStart = 0;
for (let i = 0; i < this.body.length; i++) {
const byte = this.body[i];
const prevByte = this.body[i - 1];
const isNewLine = byte === LF && prevByte === CR;
if (state === 1 || state === 2 || state == 3) {
headerText += StringFromCharCode(byte);
}
if (state === 0 && isNewLine) {
state = 1;
} else if (state === 1 && isNewLine) {
state = 2;
const headersDone = this.body[i + 1] === CR &&
this.body[i + 2] === LF;
if (headersDone) {
state = 3;
}
} else if (state === 2 && isNewLine) {
state = 3;
} else if (state === 3 && isNewLine) {
state = 4;
fileStart = i + 1;
} else if (state === 4) {
if (this.boundaryChars[boundaryIndex] !== byte) {
boundaryIndex = 0;
} else {
boundaryIndex++;
}
if (boundaryIndex >= this.boundary.length) {
const { headers, disposition } = this.#parseHeaders(headerText);
const content = TypedArrayPrototypeSubarray(
this.body,
fileStart,
i - boundaryIndex - 1,
);
// https://fetch.spec.whatwg.org/#ref-for-dom-body-formdata
// These are UTF-8 decoded as if it was Latin-1.
// TODO(@andreubotella): Maybe we shouldn't be parsing entry headers
// as Latin-1.
const latin1Filename = MapPrototypeGet(disposition, "filename");
const latin1Name = MapPrototypeGet(disposition, "name");
state = 5;
// Reset
boundaryIndex = 0;
headerText = "";
if (!latin1Name) {
continue; // Skip, unknown name
}
const name = decodeLatin1StringAsUtf8(latin1Name);
if (latin1Filename) {
const blob = new Blob([content], {
type: headers.get("Content-Type") || "application/octet-stream",
});
formData.append(
name,
blob,
decodeLatin1StringAsUtf8(latin1Filename),
);
} else {
formData.append(name, core.decode(content));
}
}
} else if (state === 5 && isNewLine) {
state = 1;
}
}
return formData;
}
}
/**
* @param {Uint8Array} body
* @param {string | undefined} boundary
* @returns {FormData}
*/
function parseFormData(body, boundary) {
const parser = new MultipartParser(body, boundary);
return parser.parse();
}
/**
* @param {FormDataEntry[]} entries
* @returns {FormData}
*/
function formDataFromEntries(entries) {
const fd = new FormData();
fd[entryList] = entries;
return fd;
}
webidl.converters["FormData"] = webidl
.createInterfaceConverter("FormData", FormDataPrototype);
export {
FormData,
formDataFromEntries,
FormDataPrototype,
formDataToBlob,
parseFormData,
};