
Add support for completely disabling multipart request handling #66

Open
wants to merge 1 commit into base: develop

Conversation


@ThisIsMissEm ThisIsMissEm commented Jan 23, 2025

As discussed on Discord, by the multipart request handling always being enabled, there can be security implications. This adds a multipart.enabled option, which defaults to true, which allows disabling handling for multipart requests.

If multipart.enabled === false then a multipart request is rejected immediately with an HTTP 514 UNSUPPORTED_MEDIA_TYPE response. As mentioned in that documentation, we could also set the Accept-Post / Accept-Patch header to indicate which content-types are supported by the server; however, this would need something specific in the Exception class from poppins.

🔗 Linked issue

Discussed with @thetutlage on Discord today.

❓ Type of change

  • 🐞 Bug fix (a non-breaking change that fixes an issue)
  • 👌 Enhancement (improving an existing functionality like performance)
  • ✨ New feature (a non-breaking change that adds functionality)
  • ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

This allows people using Adonis Framework to improve the security of their servers by allowing them to completely disable multipart request handling. Previously you needed a custom middleware to handle this.

📝 Checklist

  • I have linked an issue or discussion. — n/a
  • I have updated the documentation accordingly.
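The gate the description above asks for, as an added illustration that is not code from this PR or from the @adonisjs/bodyparser package: a standalone content-type check that rejects multipart requests with 415 before the body is read and advertises the supported types via Accept-Post / Accept-Patch. The names `gateMultipart`, `multipartConfig`, `ACCEPTED_TYPES` and the `{ method, headers }` request shape are assumptions made for this example, and the sample requests are constructed, not captured traffic.

```javascript
// Added example (not the bodyparser package's code): a content-type gate modelled on
// the behaviour the PR description asks for. `multipartConfig`, `gateMultipart`,
// `ACCEPTED_TYPES` and the `{ method, headers }` request shape are assumptions.

// Media types the hypothetical server still accepts once multipart is disabled.
const ACCEPTED_TYPES = ['application/json', 'application/x-www-form-urlencoded'];

// Extract the bare media type from a Content-Type value: drop parameters such as
// `boundary=...` or `charset=...`, trim whitespace and lower-case it, so a client
// cannot slip past the check with `MULTIPART/Form-Data` or stray spaces.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// True for multipart/form-data, multipart/mixed, etc. The test runs on the parsed
// type, not as a substring search over the raw header.
function isMultipart(contentType) {
  return mediaType(contentType).startsWith('multipart/');
}

// Decide whether a request may proceed to body parsing.
// Returns { status, code, headers }: status 200 means "continue"; status 415 means
// "reject before reading the body", with Accept-Post / Accept-Patch populated so
// the client learns which media types the server does support.
function gateMultipart(request, multipartConfig = { enabled: true }) {
  const contentType = request.headers['content-type'];
  if (!isMultipart(contentType) || multipartConfig.enabled) {
    return { status: 200, code: null, headers: {} };
  }
  const headers = {};
  if (request.method === 'POST') headers['Accept-Post'] = ACCEPTED_TYPES.join(', ');
  if (request.method === 'PATCH') headers['Accept-Patch'] = ACCEPTED_TYPES.join(', ');
  return { status: 415, code: 'E_REQUEST_UNSUPPORTED_MEDIA_TYPE', headers };
}

// Constructed sample requests (not real traffic) covering the edge cases:
// a normal upload, an oddly cased header with a boundary, JSON, and no Content-Type.
const SAMPLE_REQUESTS = [
  { method: 'POST', headers: { 'content-type': 'multipart/form-data; boundary=----x' } },
  { method: 'PATCH', headers: { 'content-type': ' MULTIPART/Form-Data ;boundary=y' } },
  { method: 'POST', headers: { 'content-type': 'application/json' } },
  { method: 'POST', headers: {} },
];

// Run every sample through the gate with multipart disabled and return the statuses.
function demo() {
  return SAMPLE_REQUESTS.map((req) => gateMultipart(req, { enabled: false }).status);
}

console.log(demo());
```

The important property is that the decision happens on the parsed media type and before any body bytes are consumed; a middleware that only string-matches the raw header, or that runs after the multipart parser has already started buffering, does not give the protection the option is meant to provide.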

@ThisIsMissEm (Author)

Documentation PR: adonisjs/v6-docs#191

Comment on lines +144 to +147
throw new Exception('request content-type not supported', {
status: 415,
code: 'E_REQUEST_UNSUPPORTED_MEDIA_TYPE',
})
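Review bot: the status here is 415, which is the correct Unsupported Media Type code, but the PR description above says the request is rejected with "HTTP 514"; the description should be corrected to 415 so the docs PR does not pick up the wrong number. The description also mentions sending Accept-Post / Accept-Patch with the rejection; either attach that header when this exception is thrown or note in the docs that it is currently omitted.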

Wouldn't it be better to create a custom exception class for this and expose it via an errors export, like the @adonisjs/auth package?
That way, people can use instanceof errors.... in an error handler.

However, this would require new documentation for the new exception type...

@ThisIsMissEm (Author)


Oh, I see! Thank you for clarifying!
