fix: check the content-type of invalid formData (nodejs#2541)

Author: tsctx

lib/fetch/body.js

@@ -14,7 +14,7 @@ const { FormData } = require('./formdata')
 const { kState } = require('./symbols')
 const { webidl } = require('./webidl')
 const { Blob, File: NativeFile } = require('buffer')
-const { kBodyUsed } = require('../core/symbols')
+const { kBodyUsed, kHeadersList } = require('../core/symbols')
 const assert = require('assert')
 const { isErrored } = require('../core/util')
 const { isUint8Array, isArrayBuffer } = require('util/types')
@@ -369,10 +369,12 @@ function bodyMixinMethods (instance) {
 
       throwIfAborted(this[kState])
 
-      const contentType = this.headers.get('Content-Type')
+      const contentType = this.headers[kHeadersList].get('content-type', true)
+
+      const mimeType = contentType !== null ? parseMIMEType(contentType) : 'failure'
 
       // If mimeType’s essence is "multipart/form-data", then:
-      if (/multipart\/form-data/.test(contentType)) {
+      if (mimeType !== 'failure' && mimeType.essence === 'multipart/form-data') {
         const headers = {}
         for (const [key, value] of this.headers) headers[key] = value
 
@@ -430,7 +432,7 @@ function bodyMixinMethods (instance) {
         await busboyResolve
 
         return responseFormData
-      } else if (/application\/x-www-form-urlencoded/.test(contentType)) {
+      } else if (mimeType !== 'failure' && mimeType.essence === 'application/x-www-form-urlencoded') {
         // Otherwise, if mimeType’s essence is "application/x-www-form-urlencoded", then:
 
         // 1. Let entries be the result of parsing bytes.

test/fetch/response.js

@@ -2,7 +2,8 @@
 
 const { test } = require('tap')
 const {
-  Response
+  Response,
+  FormData
 } = require('../../')
 const {
   Blob: ThirdPartyBlob,
@@ -254,3 +255,35 @@ test('Issue#2465', async (t) => {
   const response = new Response(new SharedArrayBuffer(0))
   t.equal(await response.text(), '[object SharedArrayBuffer]')
 })
+
+test('Check the Content-Type of invalid formData', (t) => {
+  t.plan(4)
+
+  t.test('_application/x-www-form-urlencoded', async (t) => {
+    t.plan(1)
+    const response = new Response('x=y', { headers: { 'content-type': '_application/x-www-form-urlencoded' } })
+    await t.rejects(response.formData(), TypeError)
+  })
+
+  t.test('_multipart/form-data', async (t) => {
+    t.plan(1)
+    const formData = new FormData()
+    formData.append('x', 'y')
+    const response = new Response(formData, { headers: { 'content-type': '_multipart/form-data' } })
+    await t.rejects(response.formData(), TypeError)
+  })
+
+  t.test('application/x-www-form-urlencoded_', async (t) => {
+    t.plan(1)
+    const response = new Response('x=y', { headers: { 'content-type': 'application/x-www-form-urlencoded_' } })
+    await t.rejects(response.formData(), TypeError)
+  })
+
+  t.test('multipart/form-data_', async (t) => {
+    t.plan(1)
+    const formData = new FormData()
+    formData.append('x', 'y')
+    const response = new Response(formData, { headers: { 'content-type': 'multipart/form-data_' } })
+    await t.rejects(response.formData(), TypeError)
+  })
+})