[multipart/form-data] Payload is parsed incorrectly #4462

Open
tomdangpropine opened this issue Oct 3, 2023 · 4 comments
Labels
support Questions, discussions, and general support

Comments

@tomdangpropine

Context

  • hapi version: 20.3.0

How can we help?

I'm working with multipart/form-data on hapi (version 20.3.0); the request payload is not parsed correctly for arrays and nested objects.
Here is the request payload that I got:

Screenshot 2023-10-03 at 12 40 27

My route

server.route({
    method: 'POST',
    path: '/onboarding/{draft_id}',
    options: {
      handler: controller.create.bind(controller),
      validate: {
        // payload: createValidator,
        failAction: (_, __, err) => badRequest(err.message),
      },
      payload: {
        allow: 'multipart/form-data',
        maxBytes: 20 * 1000 * 1000, // max payload to be 20MB in size.
        multipart: {
          output: 'data',
        },
        parse: true,
      },
      tags: [
        'create-onboarding',
        'onboarding',
      ],
      description: 'Create Onboarding',
    },
});
@tomdangpropine tomdangpropine added the support Questions, discussions, and general support label Oct 3, 2023
@kanongil
Contributor

kanongil commented Oct 3, 2023

This needs more context to properly diagnose, but it seems like you expect one or more part names to be parsed as a query param field? Hapi does not support this, and you will need to rework your request, or maybe add an onPostAuth hook to transform from this manually.

How did you source this form input?

@tomdangpropine
Author

tomdangpropine commented Oct 3, 2023

@kanongil thanks for your quick response. I sent a form-data request, and I expected to have a nested object and array in request.payload. For example, I send the request below:

Screenshot 2023-10-03 at 14 54 57

I expect the request.payload to look like a nested object:

{
  authorisation_proof: {
    file: ...,
    type: ....
  }
}

But it's not; it's a flat object like this:

{
  "authorisation_proof[file]": ...,
  "authorisation_proof[type]": ...
}

Let me try transforming with the onPostAuth hook, but I think this transformation used to be available in the previous versions.

@kanongil
Contributor

kanongil commented Oct 3, 2023

I'm not aware of any standards that would expect hapi to parse form-data names as query string object keys, as you seem to suggest. I would strongly suggest that you change your approach, if possible, as this kind of parsing is prone to create security issues, as seen in the related qs module.

@devinivy
Member

devinivy commented Oct 3, 2023

hapi used to use the qs module for parsing complex field names like that, but it was discontinued back in v12. I believe the upgrade path in the release notes from back then is still fairly accurate: #2985
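
The manual transformation discussed in this thread, as an added example that is not part of the original issue or of hapi: a helper that rebuilds nested objects from bracketed field names while rejecting reserved keys, limiting depth and refusing colliding names. `nestBracketKeys`, `maxDepth` and the `server.ext` wiring in the trailing comment are assumptions; numeric indices become plain object keys rather than arrays.

```javascript
// Added example: hypothetical helper, not part of hapi or qs.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// "a[b][0]" -> ['a', 'b', '0']; anything else stays a single flat key.
function splitKey(name) {
    const m = /^([^\[\]]+)((?:\[[^\[\]]+\])*)$/.exec(name);
    if (!m) return [name];
    return m[2] ? [m[1], ...m[2].slice(1, -1).split('][')] : [m[1]];
}

// Containers created here have a null prototype, which also lets us tell
// them apart from field values (strings, Buffers) when names collide.
const isContainer = (v) =>
    typeof v === 'object' && v !== null && Object.getPrototypeOf(v) === null;

function nestBracketKeys(flat, { maxDepth = 5 } = {}) {
    const out = Object.create(null);
    for (const [name, value] of Object.entries(flat)) {
        const path = splitKey(name);
        if (path.length > maxDepth) {
            throw new Error(`field "${name}" is nested deeper than ${maxDepth}`);
        }
        if (path.some((seg) => RESERVED.has(seg))) {
            throw new Error(`field "${name}" uses a reserved key`);
        }
        let node = out;
        const leaf = path.pop();
        for (const seg of path) {
            if (node[seg] === undefined) node[seg] = Object.create(null);
            else if (!isContainer(node[seg])) {
                throw new Error(`field "${name}" conflicts with "${seg}"`);
            }
            node = node[seg];
        }
        if (node[leaf] !== undefined) {
            throw new Error(`field "${name}" is defined twice`);
        }
        node[leaf] = value;
    }
    return out;
}

// Assumed wiring, following the onPostAuth suggestion in the thread:
// server.ext('onPostAuth', (request, h) => {
//     request.payload = nestBracketKeys(request.payload);
//     return h.continue;
// });
```

Because the hook runs before payload validation, a schema for the nested shape can still be applied to the result.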
