
Commit 4d8931c

authored
fix: formidable dependency vulnerable to arbitrary (#7533)
* fix: dependabot uses the correct labels * fix: issue #7463 * fix: update to the latest version of formidable
1 parent 3a6f5c1 commit 4d8931c

4 files changed

Lines changed: 25 additions & 23 deletions


package-lock.json

Lines changed: 8 additions & 6 deletions

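--- a/package.json
+++ b/package.json
@@ -109,7 +109,7 @@
 "eslint": "^10.0.3",
 "express": "^5.2.1",
 "formdata-node": "^5.0.1",
-"formidable": "^2.1.5",
+"formidable": "^3.2.4",
 "fs-extra": "^10.1.0",
 "get-stream": "^9.0.1",
 "globals": "^17.4.0",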

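--- a/tests/setup/server.js
+++ b/tests/setup/server.js
@@ -3,7 +3,7 @@ import http2 from 'http2';
 import stream from 'stream';
 import getStream, { getStreamAsBuffer } from 'get-stream';
 import { Throttle } from 'stream-throttle';
-import formidable from 'formidable';
+import { IncomingForm } from 'formidable';
 import selfsigned from 'selfsigned';
 
 export const SERVER_HANDLER_STREAM_ECHO = (req, res) => req.pipe(res);
@@ -124,7 +124,7 @@ export const stopAllTrackedHTTPServers = async (timeout = 10000) => {
 
 export const handleFormData = (req) => {
 return new Promise((resolve, reject) => {
-const form = new formidable.IncomingForm();
+const form = new IncomingForm();
 
 form.parse(req, (err, fields, files) => {
 if (err) {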
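Review bot: `new IncomingForm()` in handleFormData is constructed with no options, so upload size/count limits and the temp-file destination come entirely from formidable's defaults; given this commit exists to move off a vulnerable formidable, the test helper would read better with explicit limits, e.g. `const form = new IncomingForm({ maxFiles: 10, maxFileSize: 10 * 1024 * 1024 });` — assuming those option names match the v3 API, which is not verifiable from this hunk. The v3 upgrade also changes the shape of the callback's `fields` and `files` to one array per key (the updated assertions in tests/unit/adapters/http.test.js depend on this), so a comment above `form.parse`, `// formidable v3: every field/file value is an array, even when the part appears once`, would save the next reader a surprise. handleFormData's body continues past the end of the hunk.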

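--- a/tests/unit/adapters/http.test.js
+++ b/tests/unit/adapters/http.test.js
@@ -22,7 +22,7 @@ import os from 'os';
 import path from 'path';
 import devNull from 'dev-null';
 import FormDataLegacy from 'form-data';
-import formidable from 'formidable';
+import { IncomingForm } from 'formidable';
 import { FormData as FormDataPolyfill, Blob as BlobPolyfill } from 'formdata-node';
 import express from 'express';
 import multer from 'multer';
@@ -2285,7 +2285,7 @@ describe('supports http with nodejs', () => {
 
 const server = await startHTTPServer(
 (req, res) => {
-const receivedForm = new formidable.IncomingForm();
+const receivedForm = new IncomingForm();
 
 assert.ok(req.rawHeaders.some((header) => header.toLowerCase() === 'content-length'));
 
@@ -2314,15 +2314,15 @@ describe('supports http with nodejs', () => {
 },
 });
 
-assert.deepStrictEqual(response.data.fields, { foo: 'bar' });
+assert.deepStrictEqual(response.data.fields, { foo: ['bar'] });
 
-assert.strictEqual(response.data.files.file1.mimetype, 'image/jpeg');
-assert.strictEqual(response.data.files.file1.originalFilename, 'temp/bar.jpg');
-assert.strictEqual(response.data.files.file1.size, 3);
+assert.strictEqual(response.data.files.file1[0].mimetype, 'image/jpeg');
+assert.strictEqual(response.data.files.file1[0].originalFilename, 'temp/bar.jpg');
+assert.strictEqual(response.data.files.file1[0].size, 3);
 
-assert.strictEqual(response.data.files.fileStream.mimetype, 'image/png');
-assert.strictEqual(response.data.files.fileStream.originalFilename, 'axios.png');
-assert.strictEqual(response.data.files.fileStream.size, stat.size);
+assert.strictEqual(response.data.files.fileStream[0].mimetype, 'image/png');
+assert.strictEqual(response.data.files.fileStream[0].originalFilename, 'axios.png');
+assert.strictEqual(response.data.files.fileStream[0].size, stat.size);
 
 } finally {
 await stopHTTPServer(server);
 }
@@ -2358,10 +2358,10 @@ describe('supports http with nodejs', () => {
 maxRedirects: 0,
 });
 
-assert.deepStrictEqual(data.fields, { foo1: 'bar1', foo2: 'bar2' });
-assert.deepStrictEqual(typeof data.files.file1, 'object');
+assert.deepStrictEqual(data.fields, { foo1: ['bar1'], foo2: ['bar2'] });
+assert.deepStrictEqual(typeof data.files.file1[0], 'object');
 
-const { size, mimetype, originalFilename } = data.files.file1;
+const { size, mimetype, originalFilename } = data.files.file1[0];
 
 assert.deepStrictEqual(
 { size, mimetype, originalFilename },
@@ -3270,8 +3270,8 @@ describe('supports http with nodejs', () => {
 
 assert.deepStrictEqual(data, {
 fields: {
-x: 'foo',
-y: 'bar',
+x: ['foo'],
+y: ['bar'],
 },
 files: {},
 });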
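Review bot: `assert.deepStrictEqual(typeof data.files.file1[0], 'object')` at new line 2362 is a weak check: `typeof null` is also `'object'`, and it no longer verifies that formidable v3 produced exactly one entry for `file1`, which is the whole reason the test now indexes `[0]`. Replace it with `assert.ok(Array.isArray(data.files.file1)); assert.strictEqual(data.files.file1.length, 1);` so a duplicated or dropped multipart part fails here instead of surfacing as a confusing failure in the destructure on the next line. The same one-entry assertion would strengthen the `file1[0]` / `fileStream[0]` checks in the 2314 hunk, and `strictEqual` is the conventional form for the string comparison the `deepStrictEqual(typeof …)` line makes. The enclosing test callbacks start and end outside these hunks.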
