fix(op_crates/fetch): correct regexp for fetch header (#8927)

Fix bug in regular expression and make the regular expression more strict. In a string passed to new RegExp(), '[\t\s]' is identical to '[ts]' and not `/[\t\s]/`. For that, the backslash needs to be escaped in the string. Futhermore, `\t` is the tab character and is included in the special regexp value `\s` so is unnecessary. That would reduce the RegExp to new RegExp(`^${value}\\s*;?`) but there's no point in matching 0 or more space characters followed by 0 or one semi-colons as that will match no matter what follows `value`. To make it more strict, require one of space, semicolon, or end-of-string after value.
2025-03-03 09:31:22 -05:00 · 2020-12-30 14:46:08 -08:00 · 2020-12-30 14:46:08 -08:00 · e568ddf996
commit e568ddf996
parent 22e0ee92a6
3 changed files with 41 additions and 1 deletions
--- a/cli/tests/unit/fetch_test.ts
+++ b/cli/tests/unit/fetch_test.ts
@ -249,6 +249,25 @@ unitTest(
  },
 );

+unitTest(
+  { perms: { net: true } },
+  async function fetchMultipartFormBadContentType(): Promise<void> {
+    const response = await fetch(
+      "http://localhost:4545/multipart_form_bad_content_type",
+    );
+    assert(response.body !== null);
+
+    await assertThrowsAsync(
+      async (): Promise<void> => {
+        await response.formData();
+      },
+      TypeError,
+      "Invalid form data",
+    );
+    await response.body.cancel();
+  },
+);
+
 unitTest(
  { perms: { net: true } },
  async function fetchURLEncodedFormDataSuccess(): Promise<void> {
--- a/op_crates/fetch/26_fetch.js
+++ b/op_crates/fetch/26_fetch.js
@ -138,7 +138,7 @@
  }

  function hasHeaderValueOf(s, value) {
-    return new RegExp(`^${value}[\t\s]*;?`).test(s);
+    return new RegExp(`^${value}(?:[\\s;]|$)`).test(s);
  }

  function getHeaderValueParams(value) {
--- a/test_util/src/lib.rs
+++ b/test_util/src/lib.rs
@ -391,6 +391,27 @@ async fn main_server(req: Request<Body>) -> hyper::Result<Response<Body>> {
      );
      Ok(res)
    }
+    (_, "/multipart_form_bad_content_type") => {
+      let b = "Preamble\r\n\
+             --boundary\t \r\n\
+             Content-Disposition: form-data; name=\"field_1\"\r\n\
+             \r\n\
+             value_1 \r\n\
+             \r\n--boundary\r\n\
+             Content-Disposition: form-data; name=\"field_2\";\
+             filename=\"file.js\"\r\n\
+             Content-Type: text/javascript\r\n\
+             \r\n\
+             console.log(\"Hi\")\
+             \r\n--boundary--\r\n\
+             Epilogue";
+      let mut res = Response::new(Body::from(b));
+      res.headers_mut().insert(
+        "content-type",
+        HeaderValue::from_static("multipart/form-datatststs;boundary=boundary"),
+      );
+      Ok(res)
+    }
    (_, "/bad_redirect") => {
      let mut res = Response::new(Body::empty());
      *res.status_mut() = StatusCode::FOUND;