Commit 3d17230

benweissmannljharb
authored andcommitted
[Fix] Switch to using crypto random for boundary values
1 parent d8d67dc commit 3d17230

3 files changed

+62
-6
lines changed


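--- a/lib/form_data.js
+++ b/lib/form_data.js
@@ -8,6 +8,7 @@ var https = require('https');
 var parseUrl = require('url').parse;
 var fs = require('fs');
 var Stream = require('stream').Stream;
+var crypto = require('crypto');
 var mime = require('mime-types');
 var asynckit = require('asynckit');
 var setToStringTag = require('es-set-tostringtag');
@@ -345,12 +346,7 @@ FormData.prototype._generateBoundary = function () {
 // This generates a 50 character boundary similar to those used by Firefox.
 
 // They are optimized for boyer-moore parsing.
-var boundary = '--------------------------';
-for (var i = 0; i < 24; i++) {
-boundary += Math.floor(Math.random() * 10).toString(16);
-}
-
-this._boundary = boundary;
+this._boundary = '--------------------------' + crypto.randomBytes(12).toString('hex');
 };
 
 // Note: getLengthSync DOESN'T calculate streams length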
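Review bot: The new `_generateBoundary` body says nothing about why `crypto.randomBytes` replaced `Math.random()`, and the surviving comment still only talks about Firefox and Boyer-Moore, so a later "simplification" could quietly reintroduce the predictable generator. Proposed comment directly above the assignment: `// Must come from a CSPRNG: V8's Math.random() output is predictable, so an attacker who controls a field value could reproduce the boundary and inject extra parts into the body.` `randomBytes(12).toString('hex')` still yields 24 characters, so the 50-character length the comment describes is preserved (now with hex rather than decimal digits). The synchronous `randomBytes` form can throw only when the entropy source is unavailable, which is acceptable for a one-off boundary.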

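--- a/package.json
+++ b/package.json
@@ -58,6 +58,9 @@
 "istanbul": "^0.4.5",
 "obake": "^0.1.2",
 "pkgfiles": "^2.3.2",
+"pre-commit": "^1.2.2",
+"predict-v8-randomness": "^1.0.35",
+"puppeteer": "^1.20.0",
 "request": "~2.87.0",
 "rimraf": "^2.7.1",
 "tape": "^5.9.0"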
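Review bot: `pre-commit` and `puppeteer` are added next to `predict-v8-randomness` with nothing in this commit explaining them; `pre-commit` is not referenced by the other hunks, and `puppeteer` ^1.20.0 pins a 2019-era release that by default downloads a Chromium build at install time, which widens the supply-chain surface for every contributor and CI run of what is otherwise a minimal security fix. If `predict-v8-randomness` requires `puppeteer` at that version, say so in the commit message or in a comment in the new test; if `pre-commit` is unrelated, it belongs in a separate commit.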
Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
var common = require('../common');
2+
var assert = common.assert;
3+
var FormData = require(common.dir.lib + '/form_data');
4+
var predictV8Randomness = require('predict-v8-randomness');
5+
6+
var initialSequence = [
7+
Math.random(),
8+
Math.random(),
9+
Math.random(),
10+
Math.random(),
11+
];
12+
var predictor = new predictV8Randomness.Predictor(initialSequence);
13+
14+
predictor.predictNext(24).then(function (next24RandomOutputs) {
15+
var predictedBoundary = next24RandomOutputs
16+
.map(function (v) {
17+
return Math.floor(v * 10).toString(16);
18+
})
19+
.join('');
20+
21+
var boundaryIntro = '----------------------------';
22+
23+
var payload =
24+
'zzz\r\n' +
25+
boundaryIntro +
26+
predictedBoundary +
27+
'\r\nContent-Disposition: form-data; name="is_admin"\r\n\r\ntrue\r\n' +
28+
boundaryIntro +
29+
predictedBoundary +
30+
'--\r\n';
31+
32+
var FIELDS = {
33+
my_field: {
34+
value: payload,
35+
},
36+
};
37+
38+
// count total
39+
var fieldsPassed = Object.keys(FIELDS).length;
40+
41+
// prepare form-receiving http server
42+
var server = common.testFields(FIELDS, function (fields) {
43+
fieldsPassed = fields;
44+
});
45+
46+
server.listen(common.port, function () {
47+
var form = new FormData();
48+
49+
common.actions.populateFields(form, FIELDS);
50+
51+
common.actions.submit(form, server);
52+
});
53+
54+
process.on('exit', function () {
55+
assert.strictEqual(fieldsPassed, 0);
56+
});
57+
});
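Review bot: The `predictor.predictNext(24).then(...)` chain has no rejection handler, so if the predictor fails (a devDependency that does not install or launch, for instance) the callback never runs, no server is started, the `process.on('exit')` assertion is never registered, and on Node versions where unhandled rejections only warn the test exits 0 having checked nothing. Append `.catch(function (err) { console.error(err); process.exit(1); });` after the final `})` so a predictor failure is a test failure rather than a vacuous pass. The regression value of this test also depends on nothing else in the process calling `Math.random()` between the four samples taken into `initialSequence` and the form's boundary generation; a comment such as `// Any intervening Math.random() call desynchronises the predictor and makes this test pass vacuously.` above `initialSequence` would warn whoever next touches the test harness.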
