diff --git a/package-lock.json b/package-lock.json index 01029f4..d3a05bc 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1339,14 +1339,6 @@ "@types/node": "*" } }, - "node_modules/@types/busboy": { - "version": "1.5.0", - "dev": true, - "license": "MIT", - "dependencies": { - "@types/node": "*" - } - }, "node_modules/@types/clone": { "version": "2.1.4", "resolved": "https://registry.npmjs.org/@types/clone/-/clone-2.1.4.tgz", @@ -1900,15 +1892,6 @@ "license": "MIT", "peer": true }, - "node_modules/busboy": { - "version": "1.6.0", - "dependencies": { - "streamsearch": "^1.1.0" - }, - "engines": { - "node": ">=10.16.0" - } - }, "node_modules/bytes": { "version": "3.1.2", "license": "MIT", @@ -5166,12 +5149,6 @@ "node": ">= 0.8" } }, - "node_modules/streamsearch": { - "version": "1.1.0", - "engines": { - "node": ">=10.0.0" - } - }, "node_modules/string_decoder": { "version": "1.3.0", "license": "MIT", @@ -5951,7 +5928,6 @@ "license": "MIT", "dependencies": { "@brillout/json-serializer": "^0.5.3", - "busboy": "^1.6.0", "clone": "^2.1.2", "engine.io": "^6.5.3", "escape-html": "=1.0.3", @@ -5966,7 +5942,6 @@ "underscore": "^1.13.3" }, "devDependencies": { - "@types/busboy": "^1.5.0", "@types/clone": "^2.1.4", "@types/escape-html": "=1.0.4", "@types/express": "^4.17.13", diff --git a/server/Security concept.md b/server/Security concept.md index cb84c7f..702cb4a 100644 --- a/server/Security concept.md +++ b/server/Security concept.md 
@@ -1,7 +1,7 @@ # Input parsing - Restfuncs has 2 stages: 1. First, the parameters will be collected and auto converted via `collectParamsFromRequest`. This can be very wild. It's only important that this code is side effect free. - The busboy (multipart parsing) parsing will only happen if really needed, so if that method has `readable` or `UploadFile` parameters. Cause the busboy code looks very "leet" and i find it hard to inspect it for side effects. + Multipart parsing is currently not implemented, so restfuncs-server must not ship or load a multipart parser dependency. 2. We assume that stage 1 was evil and any evil parameters can make it to here. So the call-ready parameters will be security-checked again by ServerSession.validateCall() # Validation library diff --git a/server/ServerSession.ts b/server/ServerSession.ts index 92ad563..0dc795b 100644 --- a/server/ServerSession.ts +++ b/server/ServerSession.ts @@ -29,7 +29,6 @@ import {stringify as brilloutJsonStringify} from "@brillout/json-serializer/stri import type {Readable as Readable_fromNodePackage} from "node:stream"; import type {Readable as Readable_fromReadableStreamPackage} from "readable-stream"; import {CommunicationError, isCommunicationError} from "./CommunicationError"; -import busboy from "busboy"; import {AsyncLocalStorage} from 'node:async_hooks' import { CookieSession, CookieSessionState, @@ -1583,7 +1582,6 @@ export class ServerSession implements IServerSession { } else if(contentType == "multipart/form-data") { throw new CommunicationError("multipart/form-data file uploads not yet implemented") - //let bb = busboy({ headers: req.headers }); } else if(contentType == "application/octet-stream") { // Stream ? convertAndAddParams([req.body], null); // Pass it to the Buffer parameter 
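Review bot: In server/ServerSession.ts (hunk at -1583), the `multipart/form-data` branch that throws has no comment tying the rejection to the rule this commit adds to "Security concept.md", and the deleted `//let bb = busboy(...)` line was the only hint at why the branch exists. I would add `// Rejected on purpose: no multipart parser is shipped or loaded (see "Security concept.md", Input parsing)` above the `throw`, so that a later change does not reintroduce a parser here without revisiting the security concept. It is not visible in the hunk whether `contentType` is already reduced to the bare media type. If it can still carry the `; boundary=...` parameter that multipart requests send, the `==` comparison would not match and the request would reach a later branch instead of this rejection, so that is worth confirming or pinning with a test. The enclosing method starts and ends outside the hunk.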
@@ -3074,4 +3072,4 @@ function checkIfSecurityFieldsAreValid(session: SecurityRelevantSessionFields) { export function isClientCallback(fn: UnknownFunction) { return ((fn as ClientCallback).socketConnection !== undefined); -} \ No newline at end of file +} diff --git a/server/package.json b/server/package.json index 794890a..946e2b9 100755 --- a/server/package.json +++ b/server/package.json @@ -45,7 +45,6 @@ "reflect-metadata": "^0.1.13", "@brillout/json-serializer": "^0.5.3", "escape-html": "=1.0.3", - "busboy": "^1.6.0", "engine.io": "^6.5.3", "tweetnacl": "^1.0.3", "tweetnacl-util": "^0.15.1", @@ -57,7 +56,6 @@ "@types/express-session": "^1.17.3", "@types/underscore": "^1.11.4", "@types/escape-html": "=1.0.4", - "@types/busboy": "^1.5.0", "@types/clone": "^2.1.4", "restfuncs-transformer": "^1.1.0", "rimraf": "=5.0.5" diff --git a/tests/clientServer/package-lock.json b/tests/clientServer/package-lock.json index bf57ae0..344b762 100644 --- a/tests/clientServer/package-lock.json +++ b/tests/clientServer/package-lock.json @@ -41,12 +41,10 @@ "license": "MIT", "dependencies": { "@brillout/json-serializer": "^0.5.3", - "@types/busboy": "^1.5.0", "@types/escape-html": "^1.0.4", "@types/express": "^4.17.13", "@types/express-session": "^1.17.3", "@types/underscore": "^1.11.4", - "busboy": "^1.6.0", "engine.io": "^6.5.3", "escape-html": "^1.0.3", "express": "^4.17.13", diff --git a/transformer/dev/transformExample/package-lock.json b/transformer/dev/transformExample/package-lock.json index 64bd6e9..4024768 100644 --- a/transformer/dev/transformExample/package-lock.json +++ b/transformer/dev/transformExample/package-lock.json @@ -41,12 +41,10 @@ "license": "MIT", "dependencies": { "@brillout/json-serializer": "^0.5.3", - "@types/busboy": "^1.5.0", "@types/escape-html": "^1.0.4", "@types/express": "^4.17.13", "@types/express-session": "^1.17.3", "@types/underscore": "^1.11.4", - "busboy": "^1.6.0", "engine.io": "^6.5.3", "escape-html": "^1.0.3", "express": "^4.17.13",