'use strict'

// Regression tests for prototype-pollution hardening in the multipart plugin:
// a part whose name is `__proto__` must make `req.file()` reject with
// `PrototypeViolationError` instead of being accepted.

const test = require('tap').test
const FormData = require('form-data')
const Fastify = require('fastify')
const multipart = require('..')
const http = require('http')
const path = require('path')
const fs = require('fs')

const filePath = path.join(__dirname, '../README.md')

/**
 * Boots a Fastify instance with the multipart plugin, POSTs one multipart
 * form to it and asserts that the plugin refuses the part.
 *
 * Four assertions are planned: the request is multipart, `req.file()` throws
 * a `PrototypeViolationError`, the client sees the 500 that the handler sends
 * from its catch branch, and the response stream ends.
 *
 * If the plugin ever accepted the part, the handler would answer 200, the
 * status assertion would fail and the plan count would fall short, so a
 * regression cannot pass silently.
 *
 * NOTE(review): only `req.file()` is exercised here; other ways of consuming
 * the body (for example `req.parts()`) are not covered by these tests.
 *
 * @param {object} t - tap test handle
 * @param {(form: FormData) => void} appendPart - adds the offending part
 */
function expectProtoPartRejected (t, appendPart) {
  t.plan(4)

  const fastify = Fastify()
  t.teardown(fastify.close.bind(fastify))

  fastify.register(multipart)

  fastify.post('/', async function (req, reply) {
    t.ok(req.isMultipart())

    try {
      await req.file()
      // Reaching this line means the part was accepted.
      reply.code(200).send()
    } catch (error) {
      // The rejection has to be the dedicated error type, not an incidental
      // failure somewhere else in the parser.
      t.ok(error instanceof fastify.multipartErrors.PrototypeViolationError)
      reply.code(500).send()
    }
  })

  function onResponse (res) {
    t.equal(res.statusCode, 500)
    // Drain the body so that 'end' fires.
    res.resume()
    res.on('end', () => {
      t.pass('res ended successfully')
    })
  }

  fastify.listen({ port: 0 }, async function () {
    const form = new FormData()
    // Port 0 lets the OS choose a free port; read back the one it assigned.
    const { port } = fastify.server.address()
    const clientReq = http.request({
      protocol: 'http:',
      hostname: 'localhost',
      port,
      path: '/',
      headers: form.getHeaders(),
      method: 'POST'
    }, onResponse)

    appendPart(form)
    form.pipe(clientReq)
  })
}

// File part: `__proto__` is the part (field) name passed to form.append();
// the payload is a stream of README.md.
test('should not allow __proto__ as file name', function (t) {
  expectProtoPartRejected(t, (form) => {
    form.append('__proto__', fs.createReadStream(filePath))
  })
})

// Plain text field carrying the same name.
test('should not allow __proto__ as field name', function (t) {
  expectProtoPartRejected(t, (form) => {
    form.append('__proto__', 'world')
  })
})