25 changes: 0 additions & 25 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion server/Security concept.md
@@ -1,7 +1,7 @@
# Input parsing
- Restfuncs has 2 stages:
1. First, the parameters will be collected and auto converted via `collectParamsFromRequest`. This can be very wild. It's only important that this code is side effect free.
The busboy (multipart parsing) parsing will only happen if really needed, so if that method has `readable` or `UploadFile` parameters. Cause the busboy code looks very "leet" and i find it hard to inspect it for side effects.
Multipart parsing is currently not implemented, so restfuncs-server must not ship or load a multipart parser dependency.
2. We assume that stage 1 was evil and any evil parameters can make it to here. So the call-ready parameters will be security-checked again by ServerSession.validateCall()

# Validation library
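Review bot: The sentence replaced under stage 1 carried a design constraint, not just a description: multipart parsing was to run only for methods with `readable` or `UploadFile` parameters, because the parser was hard to inspect for side effects. The new sentence records only the current state ("not implemented", "must not ship or load a multipart parser dependency"), so that constraint disappears from the security concept. Suggest keeping it as a condition for any future multipart support, and stating here that `multipart/form-data` requests are rejected, so the document matches the throw in ServerSession.ts.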
4 changes: 1 addition & 3 deletions server/ServerSession.ts
Expand Up @@ -29,7 +29,6 @@ import {stringify as brilloutJsonStringify} from "@brillout/json-serializer/stri
import type {Readable as Readable_fromNodePackage} from "node:stream";
import type {Readable as Readable_fromReadableStreamPackage} from "readable-stream";
import {CommunicationError, isCommunicationError} from "./CommunicationError";
import busboy from "busboy";
import {AsyncLocalStorage} from 'node:async_hooks'
import {
CookieSession, CookieSessionState,
Expand Down Expand Up @@ -1583,7 +1582,6 @@ export class ServerSession implements IServerSession {
}
else if(contentType == "multipart/form-data") {
throw new CommunicationError("multipart/form-data file uploads not yet implemented")
//let bb = busboy({ headers: req.headers });
}
else if(contentType == "application/octet-stream") { // Stream ?
convertAndAddParams([req.body], null); // Pass it to the Buffer parameter
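Review bot: With the commented-out `busboy` call gone, the `multipart/form-data` branch is rejection-only, and that rejection is what the updated security concept now relies on. None of the files listed in this change is a test, so consider adding one that sends a `multipart/form-data` request and asserts the `CommunicationError`. Also worth checking that `contentType` has had its parameters stripped before this `==` comparison: multipart requests carry a `boundary` parameter in the header, and an exact match on the raw value would skip this branch and continue to the branches below.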
Expand Down Expand Up @@ -3074,4 +3072,4 @@ function checkIfSecurityFieldsAreValid(session: SecurityRelevantSessionFields) {

export function isClientCallback(fn: UnknownFunction) {
return ((fn as ClientCallback).socketConnection !== undefined);
}
}
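Review bot: The last line of the file, the closing `}` of `isClientCallback`, is listed as both removed and added with no visible difference, which points to an end-of-file newline change. It is unrelated to the busboy removal; confirm it is intended (ideally it adds the trailing newline rather than dropping it), or leave it out of this change.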
2 changes: 0 additions & 2 deletions server/package.json
Expand Up @@ -45,7 +45,6 @@
"reflect-metadata": "^0.1.13",
"@brillout/json-serializer": "^0.5.3",
"escape-html": "=1.0.3",
"busboy": "^1.6.0",
"engine.io": "^6.5.3",
"tweetnacl": "^1.0.3",
"tweetnacl-util": "^0.15.1",
Expand All @@ -57,7 +56,6 @@
"@types/express-session": "^1.17.3",
"@types/underscore": "^1.11.4",
"@types/escape-html": "=1.0.4",
"@types/busboy": "^1.5.0",
"@types/clone": "^2.1.4",
"restfuncs-transformer": "^1.1.0",
"rimraf": "=5.0.5"
2 changes: 0 additions & 2 deletions tests/clientServer/package-lock.json

2 changes: 0 additions & 2 deletions transformer/dev/transformExample/package-lock.json