fix: bump busboy to resolve security issues (#269)

cloudflare · May 25, 2022 · 72f046e · 72f046e
1 parent 60079dd
commit 72f046e
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 52 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/core/package.json b/packages/core/package.json
@@ -41,7 +41,7 @@
     "@iarna/toml": "^2.2.5",
     "@miniflare/shared": "2.4.0",
     "@miniflare/watcher": "2.4.0",
-    "busboy": "^0.3.1",
+    "busboy": "^1.6.0",
     "dotenv": "^10.0.0",
     "kleur": "^4.1.4",
     "set-cookie-parser": "^2.4.8",
@@ -53,7 +53,7 @@
     "@miniflare/shared-test": "2.4.0",
     "@miniflare/watcher": "2.4.0",
     "@miniflare/web-sockets": "2.4.0",
-    "@types/busboy": "^0.3.1",
+    "@types/busboy": "^1.5.0",
     "@types/set-cookie-parser": "^2.4.1",
     "dequal": "^2.0.2"
   }

diff --git a/packages/core/src/standards/http.ts b/packages/core/src/standards/http.ts
@@ -21,7 +21,6 @@ import {
   waitForOpenOutputGate,
 } from "@miniflare/shared";
 import type { WebSocket } from "@miniflare/web-sockets";
-import type { BusboyHeaders } from "busboy";
 import { Colorize, blue, bold, green, grey, red, yellow } from "kleur/colors";
 import { splitCookiesString } from "set-cookie-parser";
 import {
@@ -281,7 +280,7 @@ export class Body<Inner extends BaseRequest | BaseResponse> {
           // we need to tell it that there was 0 bytes delivered so that it unblocks
           // and notices the end of stream.
           controller.byobRequest?.respond(0);
-	       }
+        }
       },
       cancel: (reason) => reader.cancel(reason),
     };
@@ -318,11 +317,12 @@ export class Body<Inner extends BaseRequest | BaseResponse> {
     const formData = new FormData();
     await new Promise<void>(async (resolve) => {
       const Busboy: typeof import("busboy") = require("busboy");
-      const busboy = new Busboy({ headers: headers as BusboyHeaders });
+      const busboy = Busboy({ headers: headers as http.IncomingHttpHeaders });
       busboy.on("field", (name, value) => {
         formData.append(name, value);
       });
-      busboy.on("file", (name, value, filename, encoding, type) => {
+      busboy.on("file", (name, value, info) => {
+        const { filename, encoding, mimeType } = info;
         const base64 = encoding.toLowerCase() === "base64";
         const chunks: Buffer[] = [];
         let totalLength = 0;
@@ -333,7 +333,7 @@ export class Body<Inner extends BaseRequest | BaseResponse> {
         });
         value.on("end", () => {
           if (this[kFormDataFiles]) {
-            const file = new File(chunks, filename, { type });
+            const file = new File(chunks, filename, { type: mimeType });
             formData.append(name, file);
           } else {
             const text = Buffer.concat(chunks, totalLength).toString();