From 81dd350835e14dccca667fc46bc5c35f16f1b5ec Mon Sep 17 00:00:00 2001 From: GrosSacASacs Date: Thu, 19 May 2022 12:13:31 +0200 Subject: [PATCH] fix: Improve keep extension (#857) * tests: add failing test case * docs: add comment * tests: add comment * tests: add a test case that proves that the regex was always bad * fix: replace regex with reliable filtering * feat: stop at first invalid char * feat: allow numbers in file extensions * feat: stop extension from being '.' * refactor: code style * docs: use slugify in the example * chore: prepare release --- examples/with-http.js | 21 +++++++++++---------- package.json | 3 ++- src/Formidable.js | 31 +++++++++++++++++++++++++++---- src/PersistentFile.js | 10 +++++----- test/unit/formidable.test.js | 11 +++++++++++ 5 files changed, 56 insertions(+), 20 deletions(-) diff --git a/examples/with-http.js b/examples/with-http.js index 4d0fe54a..b19b0712 100644 --- a/examples/with-http.js +++ b/examples/with-http.js @@ -1,4 +1,5 @@ import http from 'node:http'; +import slugify from '@sindresorhus/slugify'; import formidable from '../src/index.js'; @@ -14,16 +15,16 @@ const server = http.createServer((req, res) => { const form = formidable({ // uploadDir: `uploads`, keepExtensions: true, - // filename(/*name, ext, part, form*/) { - // /* name basename of the http originalFilename - // ext with the dot ".txt" only if keepExtensions is true - // */ - // // slugify to avoid invalid filenames - // // substr to define a maximum length - // // return `${slugify(name)}.${slugify(ext, {separator: ''})}`.substr(0, 100); - // return 'yo.txt'; // or completly different name - // // return 'z/yo.txt'; // subdirectory - // }, + filename(name, ext, part, form) { + /* name basename of the http originalFilename + ext with the dot ".txt" only if keepExtensions is true + */ + // slugify to avoid invalid filenames + // substr to define a maximum + return `${slugify(name)}.${slugify(ext, {separator: ''})}`.substr(0, 100); + // return 'yo.txt'; // or completly different name + // return 'z/yo.txt'; // subdirectory + }, // filter: function ({name, originalFilename, mimetype}) { // // keep only images // return mimetype && mimetype.includes("image"); diff --git a/package.json b/package.json index da21d4e8..32df036b 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "formidable", - "version": "3.2.3", + "version": "3.2.4", "license": "MIT", "description": "A node.js module for parsing form data, especially file uploads.", "homepage": "https://github.com/node-formidable/formidable", @@ -37,6 +37,7 @@ "devDependencies": { "@commitlint/cli": "8.3.5", "@commitlint/config-conventional": "8.3.4", + "@sindresorhus/slugify": "^2.1.0", "@tunnckocore/prettier-config": "1.3.8", "del-cli": "3.0.0", "eslint": "6.8.0", diff --git a/src/Formidable.js b/src/Formidable.js index b777121a..11aeda3c 100644 --- a/src/Formidable.js +++ b/src/Formidable.js @@ -42,6 +42,16 @@ function hasOwnProp(obj, key) { return Object.prototype.hasOwnProperty.call(obj, key); } +const invalidExtensionChar = (c) => { + const code = c.charCodeAt(0); + return !( + code === 46 || // . + (code >= 48 && code <= 57) || + (code >= 65 && code <= 90) || + (code >= 97 && code <= 122) + ); +}; + class IncomingForm extends EventEmitter { constructor(options = {}) { super(); @@ -497,6 +507,9 @@ class IncomingForm extends EventEmitter { return originalFilename; } + // able to get composed extension with multiple dots + // "a.b.c" -> ".b.c" + // as opposed to path.extname -> ".c" _getExtension(str) { if (!str) { return ''; @@ -505,13 +518,23 @@ class IncomingForm extends EventEmitter { const basename = path.basename(str); const firstDot = basename.indexOf('.'); const lastDot = basename.lastIndexOf('.'); - const extname = path.extname(basename).replace(/(\.[a-z0-9]+).*/i, '$1'); + let rawExtname = path.extname(basename); - if (firstDot === lastDot) { - return extname; + if (firstDot !== lastDot) { + rawExtname = basename.slice(firstDot); } - return basename.slice(firstDot, lastDot) + extname; + let filtered; + const firstInvalidIndex = Array.from(rawExtname).findIndex(invalidExtensionChar); + if (firstInvalidIndex === -1) { + filtered = rawExtname; + } else { + filtered = rawExtname.substring(0, firstInvalidIndex); + } + if (filtered === '.') { + return ''; + } + return filtered; } _joinDirectoryName(name) { diff --git a/src/PersistentFile.js b/src/PersistentFile.js index fec6a4de..af8c7785 100644 --- a/src/PersistentFile.js +++ b/src/PersistentFile.js @@ -1,7 +1,7 @@ /* eslint-disable no-underscore-dangle */ -import { WriteStream, unlink } from 'node:fs'; -import { createHash } from 'node:crypto'; +import fs from 'node:fs'; +import crypto from 'node:crypto'; import { EventEmitter } from 'node:events'; class PersistentFile extends EventEmitter { @@ -15,14 +15,14 @@ class PersistentFile extends EventEmitter { this._writeStream = null; if (typeof this.hashAlgorithm === 'string') { - this.hash = createHash(this.hashAlgorithm); + this.hash = crypto.createHash(this.hashAlgorithm); } else { this.hash = null; } } open() { - this._writeStream = new WriteStream(this.filepath); + this._writeStream = fs.createWriteStream(this.filepath); this._writeStream.on('error', (err) => { this.emit('error', err); }); @@ -80,7 +80,7 @@ class PersistentFile extends EventEmitter { this._writeStream.destroy(); const filepath = this.filepath; setTimeout(function () { - unlink(filepath, () => {}); + fs.unlink(filepath, () => {}); }, 1) } } diff --git a/test/unit/formidable.test.js b/test/unit/formidable.test.js index 4fd4357e..ab6de22a 100644 --- a/test/unit/formidable.test.js +++ b/test/unit/formidable.test.js @@ -65,6 +65,7 @@ function makeHeader(originalFilename) { const getBasename = (part) => path.basename(form._getNewName(part)); + // tests below assume baseline hexoid 25 chars + a few more for the extension let basename = getBasename('fine.jpg?foo=bar'); expect(basename).toHaveLength(29); let ext = path.extname(basename); @@ -94,6 +95,16 @@ function makeHeader(originalFilename) { expect(basename).toHaveLength(30); ext = path.extname(basename); expect(ext).toBe('.QxZs'); + + basename = getBasename('test.pdf.jqlnn.png'); + expect(basename).toHaveLength(35); + ext = path.extname(basename); + expect(ext).toBe('.jqlnn'); + + basename = getBasename('test. {