Merge pull request #1564 from elysiajs/next

SaltyAom · web-flow · commit 428b9765af69 · 2025-12-02T14:21:12.000+07:00
patch 1.4.17
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,24 @@
-# 1.4.17 - TBD
+# 1.4.17 - 2 Dec 2025
+Improvement:
+- [#1573](https://github.com/elysiajs/elysia/pull/1573) `Server` is always resolved to `any` when `@types/bun` is missing
+- [#1568](https://github.com/elysiajs/elysia/pull/1568) optimize cookie value comparison using FNV-1a hash
+- [#1549](https://github.com/elysiajs/elysia/pull/1549) Set-Cookie headers not sent when errors are thrown
+- [#1579](https://github.com/elysiajs/elysia/pull/1579) HEAD to handle Promise value
+
+Security:
+- cookie injection, prototype pollution, and RCE
+
 Bug fix:
+- [#1550](https://github.com/elysiajs/elysia/pull/1550) excess property checking
+- allow cookie.sign to be string
+
+Change:
+- [#1584](https://github.com/elysiajs/elysia/pull/1584) change customError property to unknown
 - [#1556](https://github.com/elysiajs/elysia/issues/1556) prevent sending set-cookie header when cookie value is not modified
+- [#1563](https://github.com/elysiajs/elysia/issues/1563) standard schema on websocket
+- conditional parseQuery parameter
+- conditional pass `c.request` to handler for streaming response
+- fix missing `contentType` type on `parser`
 
 # 1.4.16 - 13 Nov 2025
 Improvement:
diff --git a/bun.lock b/bun.lock
diff --git a/example/a.ts b/example/a.ts
@@ -1,22 +1,26 @@
-import { Elysia, status, t } from '../src'
+import { Elysia, t } from '../src'
+import * as z from 'zod'
+import { post, req } from '../test/utils'
 
-const auth = (app: Elysia) =>
-	app.derive(({ headers, status }) => {
-		try {
-			const token = headers['authorization']?.replace('Bearer ', '') || ''
-			return {
-				isAuthenticated: true
-			}
-		} catch (e) {
-			const error = e as Error
-			console.error('Authentication error:', error.message)
-			return status(401, 'Unauthorized')
-		}
+const app = new Elysia({
+	cookie: { secrets: 'secrets', sign: 'session' }
+})
+	.onError(({ code, error }) => {
+		console.log({ code })
+
+		if (code === 'INVALID_COOKIE_SIGNATURE')
+			return 'Where is the signature?'
 	})
+	.get('/', ({ cookie: { session } }) => 'awd')
+
+console.log(app.routes[0].compile().toString())
 
-const app = new Elysia()
-	.use(auth)
-	.get('/', ({ isAuthenticated }) => isAuthenticated)
-	.listen(5000)
+const root = await app.handle(
+	new Request('http://localhost/', {
+		headers: {
+			Cookie: 'session=1234'
+		}
+	})
+)
 
-app['~Routes']
+console.log(await root.text())
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
 	"name": "elysia",
 	"description": "Ergonomic Framework for Human",
-	"version": "1.4.16",
+	"version": "1.4.17",
 	"author": {
 		"name": "saltyAom",
 		"url": "https://github.com/SaltyAom",
@@ -190,15 +190,15 @@
 		"release": "bun run build && bun run test && bun publish"
 	},
 	"dependencies": {
-		"cookie": "^1.0.2",
+		"cookie": "^1.1.1",
 		"exact-mirror": "0.2.5",
 		"fast-decode-uri-component": "^1.0.1",
 		"memoirist": "^0.4.0"
 	},
 	"devDependencies": {
 		"@elysiajs/openapi": "^1.4.1",
 		"@types/bun": "^1.2.12",
-		"@types/cookie": "^1.0.0",
+		"@types/cookie": "1.0.0",
 		"@types/fast-decode-uri-component": "^1.0.0",
 		"@typescript-eslint/eslint-plugin": "^8.30.1",
 		"@typescript-eslint/parser": "^8.30.1",
diff --git a/src/adapter/bun/index.ts b/src/adapter/bun/index.ts
@@ -340,6 +340,7 @@ export const BunAdapter: ElysiaAdapter = {
 									createStaticRoute(app.router.response),
 									mapRoutes(app)
 								),
+								// @ts-ignore
 								app.config.serve?.routes
 							),
 							websocket: {
@@ -360,6 +361,7 @@ export const BunAdapter: ElysiaAdapter = {
 									createStaticRoute(app.router.response),
 									mapRoutes(app)
 								),
+								// @ts-ignore
 								app.config.serve?.routes
 							),
 							websocket: {
@@ -402,6 +404,7 @@ export const BunAdapter: ElysiaAdapter = {
 							}),
 							mapRoutes(app)
 						),
+						// @ts-ignore
 						app.config.serve?.routes
 					)
 				})
@@ -428,15 +431,21 @@ export const BunAdapter: ElysiaAdapter = {
 		// eslint-disable-next-line @typescript-eslint/no-unused-vars
 		const { parse, body, response, ...rest } = options
 
-		const validateMessage = getSchemaValidator(body, {
+		const messageValidator = getSchemaValidator(body, {
 			// @ts-expect-error private property
 			modules: app.definitions.typebox,
 			// @ts-expect-error private property
 			models: app.definitions.type as Record<string, TSchema>,
 			normalize: app.config.normalize
 		})
 
-		const validateResponse = getSchemaValidator(response as any, {
+		const validateMessage = messageValidator ?
+			messageValidator.provider === 'standard'
+				? (data: unknown) => messageValidator.schema['~standard'].validate(data).issues
+				: (data: unknown) => messageValidator.Check(data) === false
+				: undefined
+
+		const responseValidator = getSchemaValidator(response as any, {
 			// @ts-expect-error private property
 			modules: app.definitions.typebox,
 			// @ts-expect-error private property
@@ -456,7 +465,7 @@ export const BunAdapter: ElysiaAdapter = {
 				const { set, path, qi, headers, query, params } = context
 
 				// @ts-ignore
-				context.validator = validateResponse
+				context.validator = responseValidator
 
 				if (options.upgrade) {
 					if (typeof options.upgrade === 'function') {
@@ -484,7 +493,7 @@ export const BunAdapter: ElysiaAdapter = {
 						set.headers['set-cookie']
 					) as any
 
-				const handleResponse = createHandleWSResponse(validateResponse)
+				const handleResponse = createHandleWSResponse(responseValidator)
 				const parseMessage = createWSMessageParser(parse as any)
 
 				let _id: string | undefined
@@ -535,7 +544,7 @@ export const BunAdapter: ElysiaAdapter = {
 
 								return (_id = randomId())
 							},
-							validator: validateResponse,
+							validator: responseValidator,
 							ping(ws: ServerWebSocket<any>, data?: unknown) {
 								options.ping?.(ws as any, data)
 							},
@@ -560,18 +569,17 @@ export const BunAdapter: ElysiaAdapter = {
 							) => {
 								const message = await parseMessage(ws, _message)
 
-								if (validateMessage?.Check(message) === false) {
+								if (validateMessage && validateMessage(message)) {
 									const validationError = new ValidationError(
 										'message',
-										validateMessage,
+										messageValidator!,
 										message
 									)
 
-									if (!hasCustomErrorHandlers) {
+									if (!hasCustomErrorHandlers)
 										return void ws.send(
 											validationError.message as string
 										)
-									}
 
 									return handleErrors(ws, validationError)
 								}
diff --git a/src/compose.ts b/src/compose.ts
@@ -67,6 +67,13 @@ import { tee } from './adapter/utils'
 const allocateIf = (value: string, condition: unknown) =>
 	condition ? value : ''
 
+const overrideUnsafeQuote = (value: string) =>
+	// '`' + value + '`'
+	'`' + value.replace(/`/g, '\\`').replace(/\${/g, '$\\{') + '`'
+
+const overrideUnsafeQuoteArrayValue = (value: string) =>
+	value.replace(/`/g, '\\`').replace(/\${/g, '$\\{')
+
 const defaultParsers = [
 	'json',
 	'text',
@@ -599,13 +606,17 @@ export const composeHandler = ({
 			if (cookieMeta.sign === true)
 				_encodeCookie +=
 					'for(const [key, cookie] of Object.entries(_setCookie)){' +
-					`c.set.cookie[key].value=await signCookie(cookie.value,'${secret}')` +
+					`c.set.cookie[key].value=await signCookie(cookie.value,${!secret ? 'undefined' : overrideUnsafeQuote(secret)})` +
 					'}'
-			else
+			else {
+				if (typeof cookieMeta.sign === 'string')
+					cookieMeta.sign = [cookieMeta.sign]
+
 				for (const name of cookieMeta.sign)
 					_encodeCookie +=
-						`if(_setCookie['${name}']?.value)` +
-						`c.set.cookie['${name}'].value=await signCookie(_setCookie['${name}'].value,'${secret}')\n`
+						`if(_setCookie[${overrideUnsafeQuote(name)}]?.value)` +
+						`c.set.cookie[${overrideUnsafeQuote(name)}].value=await signCookie(_setCookie[${overrideUnsafeQuote(name)}].value,${!secret ? 'undefined' : overrideUnsafeQuote(secret)})\n`
+			}
 
 			_encodeCookie += '}\n'
 		}
@@ -643,12 +654,16 @@ export const composeHandler = ({
 		const get = (name: keyof CookieOptions, defaultValue?: unknown) => {
 			// @ts-ignore
 			const value = cookieMeta?.[name] ?? defaultValue
+
+			if (value === undefined) return ''
+
 			if (!value)
 				return typeof defaultValue === 'string'
 					? `${name}:"${defaultValue}",`
 					: `${name}:${defaultValue},`
 
-			if (typeof value === 'string') return `${name}:'${value}',`
+			if (typeof value === 'string')
+				return `${name}:${overrideUnsafeQuote(value)},`
 			if (value instanceof Date)
 				return `${name}: new Date(${value.getTime()}),`
 
@@ -659,25 +674,25 @@ export const composeHandler = ({
 			? `{secrets:${
 					cookieMeta.secrets !== undefined
 						? typeof cookieMeta.secrets === 'string'
-							? `'${cookieMeta.secrets}'`
+							? overrideUnsafeQuote(cookieMeta.secrets)
 							: '[' +
-								cookieMeta.secrets.reduce(
-									(a, b) => a + `'${b}',`,
-									''
-								) +
+								cookieMeta.secrets
+									.map(overrideUnsafeQuoteArrayValue)
+									.reduce((a, b) => a + `'${b}',`, '') +
 								']'
 						: 'undefined'
 				},` +
 				`sign:${
 					cookieMeta.sign === true
 						? true
 						: cookieMeta.sign !== undefined
-							? '[' +
-								cookieMeta.sign.reduce(
-									(a, b) => a + `'${b}',`,
-									''
-								) +
-								']'
+							? typeof cookieMeta.sign === 'string'
+								? overrideUnsafeQuote(cookieMeta.sign)
+								: '[' +
+									cookieMeta.sign
+										.map(overrideUnsafeQuoteArrayValue)
+										.reduce((a, b) => a + `'${b}',`, '') +
+									']'
 							: 'undefined'
 				},` +
 				get('domain') +
@@ -698,8 +713,8 @@ export const composeHandler = ({
 	}
 
 	if (hasQuery) {
-		let arrayProperties: Record<string, 1> = {}
-		let objectProperties: Record<string, 1> = {}
+		let arrayProperties: Record<string, true> = {}
+		let objectProperties: Record<string, true> = {}
 		let hasArrayProperty = false
 		let hasObjectProperty = false
 
@@ -709,12 +724,12 @@ export const composeHandler = ({
 			if (Kind in schema && schema.properties) {
 				for (const [key, value] of Object.entries(schema.properties)) {
 					if (hasElysiaMeta('ArrayQuery', value as TSchema)) {
-						arrayProperties[key] = 1
+						arrayProperties[key] = true
 						hasArrayProperty = true
 					}
 
 					if (hasElysiaMeta('ObjectString', value as TSchema)) {
-						objectProperties[key] = 1
+						objectProperties[key] = true
 						hasObjectProperty = true
 					}
 				}
@@ -725,12 +740,16 @@ export const composeHandler = ({
 			'if(c.qi===-1){' +
 			'c.query=Object.create(null)' +
 			'}else{' +
-			`c.query=parseQueryFromURL(c.url,c.qi+1,${
+			`c.query=parseQueryFromURL(c.url,c.qi+1${
 				//
-				hasArrayProperty ? JSON.stringify(arrayProperties) : undefined
-			},${
+				hasArrayProperty
+					? ',' + JSON.stringify(arrayProperties)
+					: hasObjectProperty
+						? ',undefined'
+						: ''
+			}${
 				//
-				hasObjectProperty ? JSON.stringify(objectProperties) : undefined
+				hasObjectProperty ? ',' + JSON.stringify(objectProperties) : ''
 			})` +
 			'}'
 	}
@@ -837,7 +856,7 @@ export const composeHandler = ({
 	}
 
 	const mapResponseContext =
-		maybeStream || adapter.mapResponseContext
+		maybeStream && adapter.mapResponseContext
 			? `,${adapter.mapResponseContext}`
 			: ''
 
diff --git a/src/parse-query.ts b/src/parse-query.ts
@@ -89,9 +89,9 @@ export function parseQueryFromURL(
 
 		const currentValue = result[finalKey]
 
-		if (array?.[finalKey]) {
+		if (array && array?.[finalKey]) {
 			if (finalValue.charCodeAt(0) === 91) {
-				if (object?.[finalKey])
+				if (object && object?.[finalKey])
 					finalValue = JSON.parse(finalValue) as any
 				else finalValue = finalValue.slice(1, -1).split(',') as any
 
diff --git a/src/types.ts b/src/types.ts
@@ -1395,12 +1395,12 @@ export type BodyHandler<
 	Path extends string | undefined = undefined
 > = (
 	context: Context<
-		Route & {
+		Route,
+		Singleton & {
 			decorator: {
 				contentType: string
 			}
 		},
-		Singleton,
 		Path
 	>,
 	/**
diff --git a/src/utils.ts b/src/utils.ts
@@ -68,7 +68,11 @@ export const mergeDeep = <
 	if (!isObject(target) || !isObject(source)) return target as A & B
 
 	for (const [key, value] of Object.entries(source)) {
-		if (skipKeys?.includes(key)) continue
+		if (
+			skipKeys?.includes(key) ||
+			['__proto__', 'constructor', 'prototype'].includes(key)
+		)
+			continue
 
 		if (mergeArray && Array.isArray(value)) {
 			target[key as keyof typeof target] = Array.isArray(
diff --git a/src/ws/index.ts b/src/ws/index.ts
diff --git a/test/core/elysia.test.ts b/test/core/elysia.test.ts
diff --git a/test/ws/message.test.ts b/test/ws/message.test.ts
