Merge pull request #4 from shgysk8zer0/bug/2

Deprecate `parseMultipartFormData()`

Author: shgysk8zer0

CHANGELOG.md

@@ -6,6 +6,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v1.0.1] - 2023-09-24
+
+### Deprecated
+-  Deprecated `parseMultipartFormData()` due to [ReDoS  issue](https://github.com/shgysk8zer0/node-http/issues/2)
+
+### Fixed
+- Fix `imports` in `package.json` to work with `@shgysk8zer0/http/module` as well as `@shgysk8zer0/http/module.js`
+
 ## [v1.0.0] - 2023-09-22
 
 Initial Release

README.md

@@ -48,7 +48,7 @@ npm i @shgysk8zer0/http
 ### NPM Imports
 ```js
 import { HTTPError } from 'shgysk8zer0/http@shgysk8zer0/http/error.js';
-import { NOT_IMPLEMENTED } from 'shgysk8zer0/http@shgysk8zer0/http/status.js';
+import { NOT_IMPLEMENTED, INTERNAL_SERVER_ERROR } from 'shgysk8zer0/http@shgysk8zer0/http/status.js';
 import { JSON } from 'shgysk8zer0/http@shgysk8zer0/http/types.js';
 import { Cookie } from 'shgysk8zer0/http@shgysk8zer0/http/cookie.js';
 ```
@@ -60,32 +60,46 @@ It is designed to be versatile and is not limited to a specific Node.js environm
 
 ```js
 import { HTTPError } from 'https://unpkg.com/@shgysk8zer0/http/error.js';
-import { NOT_IMPLEMENTED } from 'https://unpkg.com/@shgysk8zer0/http/status.js';
+import { NOT_IMPLEMENTED, INTERNAL_SERVER_ERROR } from 'https://unpkg.com/@shgysk8zer0/http/status.js';
 import { JSON } from 'https://unpkg.com/@shgysk8zer0/http/types.js';
 import { Cookie } from 'https://unpkg.com/@shgysk8zer0/http/cookie.js';
 ```
 
 ### Example Code
 
+```js
 export async function handler() {
-  const error = new HTTPError('Not implemented.', {
-    status: NOT_IMPLEMENTED,
-    cause: new Error('I have not done this yet...'),
-  });
-  
-  return new Response([error], {
-    status: error.status,
-    headers: new Headers({
-      'Content-Type': JSON,
-      'Set-Cookie': new Cookie('uid', crypto.randomUUID(), {
-        domain: 'example.com',
-        path: '/foo',
-        maxAge: 86_400_000,
-        sameSite: 'Strict',
-        httpOnly: true,
-        partitioned: true,
-      }
-    }),
-  });
+  try {
+    const error = new HTTPError('Not implemented.', {
+      status: NOT_IMPLEMENTED,
+      cause: new Error('I have not done this yet...'),
+    });
+    
+    throw err;
+  } catch (err) {
+    if (err instanceof HTTPError) { // Error has an HTTP status & message for use by client
+      return Response.json(error, {
+        status: error.status,
+        headers: new Headers({
+          'Content-Type': JSON,
+          'Set-Cookie': new Cookie('uid', crypto.randomUUID(), {
+            domain: 'example.com',
+            path: '/foo',
+            maxAge: 86_400_000,
+            sameSite: 'Strict',
+            httpOnly: true,
+            partitioned: true,
+          })
+        }),
+      });  
+    } else { // It is not an HTTPError and may contain sensitive into
+      return Response.json({
+        error: {
+          messsage: 'Something broke :(',
+          status: INTERNAL_SERVER_ERROR,
+        }
+      }, { status: INTERNAL_SERVER_ERROR });
+    }
+  }  
 }
 ```

form-data.js

@@ -5,13 +5,17 @@ const PATTERN = /^(\r\n)?(?:Content-Disposition:\s?form-data;\s?name="(?<name>[^
 /**
  * Parse a multipart/form-data body and extract form fields and files.
  *
+ * @deprecated This function is potentially vulnerable to ReDoS attacks and is not necessary in node >= 20
+ * @see https://github.com/shgysk8zer0/node-http/issues/2
  * @param {string} body - The raw string of the multipart/form-data body.
  * @param {string} contentType - The Content-Type header specifying the boundary.
  * @returns {FormData} - A FormData object containing the parsed data.
  * @throws {TypeError} - If the body or contentType is not a string.
  * @throws {Error} - If the contentType is not valid for multipart/form-data.
  */
 export function parseMultipartFormData(body, contentType) {
+	console.warn('parseMultipartFormData() is deprecated and will be removed in version 2.0.0');
+
 	if (typeof body !== 'string') {
 		throw new TypeError('body must be a string.');
 	} else	if (typeof contentType !== 'string') {

package-lock.json

@@ -1,8 +1,14 @@
 {
   "name": "@shgysk8zer0/http",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "A JavaScript library that provides various utilities for working with HTTP",
-  "keywords": ["http", "http-status", "http-error","form-data", "http-cookie", "file-object"],
+  "keywords": [
+    "http",
+    "http-status",
+    "http-error",
+    "http-cookie",
+    "node-http"
+  ],
   "type": "module",
   "main": "http.cjs",
   "module": "http.js",
@@ -12,6 +18,9 @@
       "import": "./http.js",
       "require": "./http.cjs"
     },
+    "./*.js": {
+      "import": "./*"
+    },
     "./*": {
       "import": "./*.js"
     }