
Commit 3d17230

benweissmannljharb
authored andcommitted
[Fix] Switch to using crypto random for boundary values
1 parent d8d67dc commit 3d17230


3 files changed

+62
-6
lines changed


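--- a/lib/form_data.js
+++ b/lib/form_data.js
@@ -8,6 +8,7 @@ var https = require('https');
 var parseUrl = require('url').parse;
 var fs = require('fs');
 var Stream = require('stream').Stream;
+var crypto = require('crypto');
 var mime = require('mime-types');
 var asynckit = require('asynckit');
 var setToStringTag = require('es-set-tostringtag');
@@ -345,12 +346,7 @@ FormData.prototype._generateBoundary = function () {
 // This generates a 50 character boundary similar to those used by Firefox.
 
 // They are optimized for boyer-moore parsing.
-var boundary = '--------------------------';
-for (var i = 0; i < 24; i++) {
-boundary += Math.floor(Math.random() * 10).toString(16);
-}
-
-this._boundary = boundary;
+this._boundary = '--------------------------' + crypto.randomBytes(12).toString('hex');
 };
 
 // Note: getLengthSync DOESN'T calculate streams length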
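Review bot: The two comment lines kept above the new assignment describe only the boundary's shape ("50 character", "boyer-moore") and say nothing about the property this commit restores, so a later cleanup could swap `crypto.randomBytes` back for `Math.random()` with nothing in the file warning against it; I would add, after the "boyer-moore" line, `// The boundary must be unpredictable: a field value built around a guessable boundary would be parsed as additional parts.` `crypto.randomBytes(12).toString('hex')` yields 24 characters, so the 26-dash prefix plus the suffix still totals the 50 characters the comment promises. The suffix alphabet widens from the decimal digits the old loop produced to lower-case hexadecimal, which is still within the boundary characters RFC 2046 permits, so receivers are unaffected. `_generateBoundary` starts above this hunk.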

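--- a/package.json
+++ b/package.json
@@ -58,6 +58,9 @@
 "istanbul": "^0.4.5",
 "obake": "^0.1.2",
 "pkgfiles": "^2.3.2",
+"pre-commit": "^1.2.2",
+"predict-v8-randomness": "^1.0.35",
+"puppeteer": "^1.20.0",
 "request": "~2.87.0",
 "rimraf": "^2.7.1",
 "tape": "^5.9.0"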
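--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,57 @@
+var common = require('../common');
+var assert = common.assert;
+var FormData = require(common.dir.lib + '/form_data');
+var predictV8Randomness = require('predict-v8-randomness');
+
+var initialSequence = [
+Math.random(),
+Math.random(),
+Math.random(),
+Math.random(),
+];
+var predictor = new predictV8Randomness.Predictor(initialSequence);
+
+predictor.predictNext(24).then(function (next24RandomOutputs) {
+var predictedBoundary = next24RandomOutputs
+.map(function (v) {
+return Math.floor(v * 10).toString(16);
+})
+.join('');
+
+var boundaryIntro = '----------------------------';
+
+var payload =
+'zzz\r\n' +
+boundaryIntro +
+predictedBoundary +
+'\r\nContent-Disposition: form-data; name="is_admin"\r\n\r\ntrue\r\n' +
+boundaryIntro +
+predictedBoundary +
+'--\r\n';
+
+var FIELDS = {
+my_field: {
+value: payload,
+},
+};
+
+// count total
+var fieldsPassed = Object.keys(FIELDS).length;
+
+// prepare form-receiving http server
+var server = common.testFields(FIELDS, function (fields) {
+fieldsPassed = fields;
+});
+
+server.listen(common.port, function () {
+var form = new FormData();
+
+common.actions.populateFields(form, FIELDS);
+
+common.actions.submit(form, server);
+});
+
+process.on('exit', function () {
+assert.strictEqual(fieldsPassed, 0);
+});
+});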
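Review bot: `predictor.predictNext(24).then(...)` at line 14 has no rejection handler, so if the predictor fails (it is a new dev dependency, and the package.json hunk adds puppeteer alongside it, presumably as its runtime) the only symptom is the exit-time `assert.strictEqual(fieldsPassed, 0)` failing with `1 !== 0`, which points at the boundary logic rather than the tooling; I would end the chain with `.catch(function (err) { console.error(err); process.exit(1); });`. A short header comment stating what the assertion means would also help a future reader: presumably `common.testFields` hands the callback the number of expected fields still unmatched, so 0 means `my_field` arrived with its full value and the embedded `is_admin` part was not split out as a separate field. That comment should also record that the prediction only holds if no other `Math.random()` call happens between the four samples at lines 7-10 and the boundary generation; any such call in the library or in `common` would desynchronise the predictor and let the test pass vacuously even with the old `Math.random()` code.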
