expressjs · ctcpip · May 14, 2024 · Nov 21, 2017 · Nov 21, 2017 · Nov 21, 2017
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,11 +10,6 @@ jobs:
     strategy:
       matrix:
         name:
-        - Node.js 0.10
-        - Node.js 0.12
-        - io.js 1.x
-        - io.js 2.x
-        - io.js 3.x
         - Node.js 4.x
         - Node.js 5.x
         - Node.js 6.x
@@ -33,26 +28,6 @@ jobs:
         - Node.js 19.x
 
         include:
-        - name: Node.js 0.10
-          node-version: "0.10"
-          npm-i: [email protected] [email protected] [email protected]
-
-        - name: Node.js 0.12
-          node-version: "0.12"
-          npm-i: [email protected] [email protected] [email protected]
-
-        - name: io.js 1.x
-          node-version: "1.8"
-          npm-i: [email protected] [email protected] [email protected]
-
-        - name: io.js 2.x
-          node-version: "2.5"
-          npm-i: [email protected] [email protected] [email protected]
-
-        - name: io.js 3.x
-          node-version: "3.3"
-          npm-i: [email protected] [email protected] [email protected]
-
         - name: Node.js 4.x
           node-version: "4.9"
           npm-i: [email protected] [email protected] [email protected]
@@ -71,11 +46,11 @@ jobs:
 
         - name: Node.js 8.x
           node-version: "8.17"
-          npm-i: mocha@7.2.0
+          npm-i: mocha@6.2.2 [email protected] [email protected]
 
         - name: Node.js 9.x
           node-version: "9.11"
-          npm-i: mocha@7.2.0
+          npm-i: mocha@6.2.2 [email protected] [email protected]
 
         - name: Node.js 10.x
           node-version: "10.24"

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,69 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '16 21 * * 1'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2
+        with:
+          sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -87,16 +87,27 @@ specifies the number of bytes; if it is a string, the value is passed to the
 [bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults
 to `'100kb'`.
 
+##### parser
+
+The `parser` option is the function called against the request body to convert
+it to a Javascript object. If a `reviver` is supplied, it is supplied as the
+second argument to this function.
+
+```
+parser(body, reviver) -> req.body
+```
+
+Defaults to `JSON.parse`.
+
 ##### reviver
 
-The `reviver` option is passed directly to `JSON.parse` as the second
-argument. You can find more information on this argument
+You can find more information on this argument
 [in the MDN documentation about JSON.parse](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse#Example.3A_Using_the_reviver_parameter).
 
 ##### strict
 
 When set to `true`, will only accept arrays and objects; when `false` will
-accept anything `JSON.parse` accepts. Defaults to `true`.
+accept anything the `parser` accepts. Defaults to `true`.
 
 ##### type
 
@@ -273,6 +284,16 @@ The `verify` option, if supplied, is called as `verify(req, res, buf, encoding)`
 where `buf` is a `Buffer` of the raw request body and `encoding` is the
 encoding of the request. The parsing can be aborted by throwing an error.
 
+##### parser
+
+The `parser` option, if supplied, is used to in place of the default parser to
+convert the request body into a Javascript object. If this option is supplied,
+both the `extended` and `parameterLimit` options are ignored.
+
+```
+parser(body) -> req.body
+```
+
 ## Errors
 
 The middlewares provided by this module create errors using the

diff --git a/index.js b/index.js
@@ -73,6 +73,17 @@ Object.defineProperty(exports, 'urlencoded', {
   get: createParserGetter('urlencoded')
 })
 
+/**
+ * Generic parser used to build parsers.
+ * @public
+ */
+
+Object.defineProperty(exports, 'generic', {
+  configurable: true,
+  enumerable: true,
+  get: createParserGetter('generic')
+})
+
 /**
  * Create a middleware to parse json and urlencoded bodies.
  *
@@ -123,6 +134,9 @@ function loadParser (parserName) {
     case 'urlencoded':
       parser = require('./lib/types/urlencoded')
       break
+    case 'generic':
+      parser = require('./lib/generic-parser')
+      break
   }
 
   // store to prevent invoking require()

diff --git a/lib/generic-parser.js b/lib/generic-parser.js
@@ -0,0 +1,160 @@
+/*!
+ * body-parser
+ * Copyright(c) 2014 Jonathan Ong
+ * Copyright(c) 2014-2015 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+'use strict'
+
+/**
+ * Module dependencies.
+ * @private
+ */
+
+var bytes = require('bytes')
+var contentType = require('content-type')
+var createError = require('http-errors')
+var debug = require('debug')('body-parser:generic')
+var isFinished = require('on-finished').isFinished
+var read = require('./read')
+var typeis = require('type-is')
+
+/**
+ * Module exports.
+ */
+
+module.exports = generic
+
+/**
+ * Use this to create a middleware that parses request bodies
+ *
+ * @param {object} [options]
+ * @return {function}
+ * @public
+ */
+
+function generic (parserOptions, parserOverrides) {
+  // Squash the options and the overrides down into one object
+  var opts = Object.create(parserOptions)
+  Object.assign(opts, parserOverrides)
+
+  var limit = typeof opts.limit !== 'number'
+    ? bytes.parse(opts.limit || '100kb')
+    : opts.limit
+  var charset = opts.charset
+  var inflate = opts.inflate !== false
+  var verify = opts.verify || false
+  var parse = opts.parse || defaultParse
+  var defaultReqCharset = opts.defaultCharset || 'utf-8'
+  var type = opts.type
+
+  if (verify !== false && typeof verify !== 'function') {
+    throw new TypeError('option verify must be function')
+  }
+
+  // create the appropriate type checking function
+  var shouldParse = typeof type !== 'function'
+    ? typeChecker(type)
+    : type
+
+  // create the appropriate charset validating function
+  var validCharset = typeof charset !== 'function'
+    ? charsetValidator(charset)
+    : charset
+
+  return function genericParser (req, res, next) {
+    if (isFinished(req)) {
+      debug('body already parsed')
+      next()
+      return
+    }
+
+    if (!('body' in req)) {
+      req.body = undefined
+    }
+
+    // skip requests without bodies
+    if (!typeis.hasBody(req)) {
+      debug('skip empty body')
+      next()
+      return
+    }
+
+    debug('content-type %j', req.headers['content-type'])
+
+    // determine if request should be parsed
+    if (!shouldParse(req)) {
+      debug('skip parsing')
+      next()
+      return
+    }
+
+    // assert charset per RFC 7159 sec 8.1
+    var reqCharset = null
+    if (charset !== undefined) {
+      reqCharset = getCharset(req) || defaultReqCharset
+      if (!validCharset(reqCharset)) {
+        debug('invalid charset')
+        next(createError(415, 'unsupported charset "' + reqCharset.toUpperCase() + '"', {
+          charset: reqCharset,
+          type: 'charset.unsupported'
+        }))
+        return
+      }
+    }
+
+    // read
+    read(req, res, next, parse, debug, {
+      encoding: reqCharset,
+      inflate: inflate,
+      limit: limit,
+      verify: verify
+    })
+  }
+}
+
+function defaultParse (buf) {
+  return buf
+}
+
+/**
+ * Get the charset of a request.
+ *
+ * @param {object} req
+ * @api private
+ */
+
+function getCharset (req) {
+  try {
+    return (contentType.parse(req).parameters.charset || '').toLowerCase()
+  } catch (e) {
+    return undefined
+  }
+}
+
+/**
+ * Get the simple type checker.
+ *
+ * @param {string} type
+ * @return {function}
+ */
+
+function typeChecker (type) {
+  return function checkType (req) {
+    return Boolean(typeis(req, type))
+  }
+}
+
+/**
+ * Get the simple charset validator.
+ *
+ * @param {string} type
+ * @return {function}
+ */
+
+function charsetValidator (charset) {
+  return function validateCharset (reqCharset) {
+    return charset === reqCharset
+  }
+}