fix: return status 500 when using validator 'form' #1554
Hi @b-marques Thank you for the PR! I think it is a miniflare problem that the test fails. The following PR does not use Since
I see... For sure, I will wait for #1558 to be merged to proceed with tests on my side.
Hi @b-marques I've merged #1558 into the main. Try it.
When using `validator('form', ...)` hono is returning a 500 status when receiving a POST request with a JSON in request body, instead of a bad request 400. This is happening due to an unhandled error in an underlying library (@miniflare). cloudflare/miniflare#711 The code changes in this PR are responsible to prepare the code to handle possible TypeError that can be thrown in the future, by the lib doing the FormData parsing, as per https://fetch.spec.whatwg.org/#dom-body-formdata. This PR should wait for bugfix on @miniflare.
Hi @yusukebe, it's still relevant. The Node.js native Web APIs can also throw Errors that hono is not handling.
@yusukebe I would also like to mention the possibility of adding a check for the 'application/json' header in the validator, since a forgery attack trying to avoid a preflight request can send a JSON payload with the wrong content-type, and hono will accept and validate it.
The test on my local and CI passed, is there still a problem?
That's right. If this PR is merged, can you create another one?
With the changes in this PR, it's not going to be a problem anymore. But without those changes, we still receive a 500 status, when we should receive a 400 Bad request.
For sure.
…cation Forgery attacks will try to avoid preflight requests when POSTing JSON payloads by manipulating the HTTP header Content-Type. For example, it will send a JSON payload with `Content-Type=text/plain`, but the request still contains a JSON in its body. Those requests must be rejected. Thus, when using the validator with the target set to `json`, we must check the Content-Type header.
@yusukebe done (:
Thanks! I've left one comment.
Change JSON validation to only allow Content-Type header starting with 'application/json'. Change from regexp test to startsWith builtin function, to make code more expressive.
Hi @b-marques! Perfect! I'll merge it now. Thanks for the contribution.
Author should do the following, if applicable:
- yarn test:all
- yarn denoify to generate files for Deno
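The Content-Type gate discussed in this thread, as an added sketch that is not the PR's code or Hono's implementation: `getHeader`, `validateJsonTarget`, the error messages and the sample requests are hypothetical names and constructed data. It rejects a JSON body whose declared type does not start with `application/json` and maps parse failures to 400 rather than letting them surface as 500.

```javascript
// Added example: helper names are hypothetical, not Hono's internals.

// Header names are case-insensitive, so look the value up without assuming casing.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value);
  }
  return undefined;
}

// Gate for a validator whose target is 'json': check the declared type first,
// then parse, and map every failure to 400 instead of an unhandled 500.
function validateJsonTarget(headers, bodyText) {
  const contentType = getHeader(headers, 'Content-Type');
  // Assumption: compare lowercased and trimmed, since media types are case-insensitive.
  if (!contentType || !contentType.trim().toLowerCase().startsWith('application/json')) {
    return { status: 400, message: 'Content-Type must be application/json' };
  }
  try {
    return { status: 200, data: JSON.parse(bodyText) };
  } catch (err) {
    // A malformed body is the client's error, not a server fault.
    return { status: 400, message: 'Malformed JSON in request body' };
  }
}

// Constructed sample requests (not taken from the PR).
const SAMPLES = [
  { name: 'json', headers: { 'Content-Type': 'application/json' }, body: '{"id":1}' },
  { name: 'json with charset', headers: { 'content-type': 'application/json; charset=utf-8' }, body: '{"id":1}' },
  { name: 'text/plain carrying JSON', headers: { 'Content-Type': 'text/plain' }, body: '{"id":1}' },
  { name: 'no header', headers: {}, body: '{"id":1}' },
  { name: 'broken body', headers: { 'Content-Type': 'application/json' }, body: '{"id":' },
];

// Returns the status each sample would receive.
function runSamples() {
  return SAMPLES.map((s) => ({ name: s.name, status: validateJsonTarget(s.headers, s.body).status }));
}

console.log(runSamples());
```
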