expressjs · Feb 21, 2022 · Feb 25, 2022 · Feb 25, 2022 · Mar 14, 2022 · Mar 14, 2022
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -105,7 +105,7 @@ jobs:
           node-version: "16.14"
 
         - name: Node.js 17.x
-          node-version: "17.5"
+          node-version: "17.8"
 
     steps:
     - uses: actions/checkout@v2
@@ -119,6 +119,8 @@ jobs:
           nvm use ${{ matrix.node-version }}
           sed -i '1s;^.*$;'"$(printf '#!%q' "$(nvm which npm)")"';' "$(readlink -f "$(which npm)")"
           npm config set strict-ssl false
+          npm install -g --prefix "$(which node)/../.." npm@1.2.8000
+          sed -i '1s;^.*$;'"$(printf '#!%q' "$(nvm which npm)")"';' "$(readlink -f "$(which npm)")"
         fi
         dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH"
 

diff --git a/HISTORY.md b/HISTORY.md
@@ -1,3 +1,21 @@
+1.20.0 / 2022-04-02
+===================
+
+  * Fix error message for json parse whitespace in `strict`
+  * Fix internal error when inflated body exceeds limit
+  * Prevent loss of async hooks context
+  * Prevent hanging when request already read
+  * deps: depd@2.0.0
+    - Replace internal `eval` usage with `Function` constructor
+    - Use instance methods on `process` to check for listeners
+  * deps: http-errors@2.0.0
+    - deps: depd@2.0.0
+    - deps: statuses@2.0.1
+  * deps: on-finished@2.4.1
+  * deps: qs@6.10.3
+  * deps: raw-body@2.5.1
+    - deps: http-errors@2.0.0
+
 1.19.2 / 2022-02-15
 ===================
 

diff --git a/README.md b/README.md
@@ -342,6 +342,14 @@ to this middleware. This module operates directly on bytes only and you cannot
 call `req.setEncoding` when using this module. The `status` property is set to
 `500` and the `type` property is set to `'stream.encoding.set'`.
 
+### stream is not readable
+
+This error will occur when the request is no longer readable when this middleware
+attempts to read it. This typically means something other than a middleware from
+this module read the reqest body already and the middleware was also configured to
+read the same request. The `status` property is set to `500` and the `type`
+property is set to `'stream.not.readable'`.
+
 ### too many parameters
 
 This error will occur when the content of the request exceeds the configured
@@ -453,4 +461,4 @@ app.use(bodyParser.text({ type: 'text/html' }))
 [downloads-image]: https://img.shields.io/npm/dm/body-parser.svg
 [downloads-url]: https://npmjs.org/package/body-parser
 [github-actions-ci-image]: https://img.shields.io/github/workflow/status/expressjs/body-parser/ci/master?label=ci
-[github-actions-ci-url]: https://github.com/expressjs/body-parser?query=workflow%3Aci
+[github-actions-ci-url]: https://github.com/expressjs/body-parser/actions/workflows/ci.yml
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,25 @@
+# Security Policies and Procedures
+
+## Reporting a Bug
+
+The Express team and community take all security bugs seriously. Thank you
+for improving the security of Express. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the current owner(s) of `body-parser`. This
+information can be found in the npm registry using the command
+`npm owner ls body-parser`.
+If unsure or unable to get the information from the above, open an issue
+in the [project issue tracker](https://github.com/expressjs/body-parser/issues)
+asking for the current contact information.
+
+To ensure the timely response to your report, please ensure that the entirety
+of the report is contained within the email body and not solely behind a web
+link or an attachment.
+
+At least one owner will acknowledge your email within 48 hours, and will send a
+more detailed response within 48 hours indicating the next steps in handling
+your report. After the initial reply to your report, the owners will
+endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
diff --git a/lib/read.js b/lib/read.js
@@ -12,9 +12,11 @@
  */
 
 var createError = require('http-errors')
+var destroy = require('destroy')
 var getBody = require('raw-body')
 var iconv = require('iconv-lite')
 var onFinished = require('on-finished')
+var unpipe = require('unpipe')
 var zlib = require('zlib')
 
 /**
@@ -89,9 +91,14 @@ function read (req, res, next, parse, debug, options) {
         _error = createError(400, error)
       }
 
+      // unpipe from stream and destroy
+      if (stream !== req) {
+        unpipe(req)
+        destroy(stream, true)
+      }
+
       // read off entire request
-      stream.resume()
-      onFinished(req, function onfinished () {
+      dump(req, function onfinished () {
         next(createError(400, _error))
       })
       return
@@ -179,3 +186,20 @@ function contentstream (req, debug, inflate) {
 
   return stream
 }
+
+/**
+ * Dump the contents of a request.
+ *
+ * @param {object} req
+ * @param {function} callback
+ * @api private
+ */
+
+function dump (req, callback) {
+  if (onFinished.isFinished(req)) {
+    callback(null)
+  } else {
+    onFinished(req, callback)
+    req.resume()
+  }
+}
diff --git a/lib/types/json.js b/lib/types/json.js
@@ -37,7 +37,7 @@ module.exports = json
  *            %x0D )              ; Carriage return
  */
 
-var FIRST_CHAR_REGEXP = /^[\x20\x09\x0a\x0d]*(.)/ // eslint-disable-line no-control-regex
+var FIRST_CHAR_REGEXP = /^[\x20\x09\x0a\x0d]*([^\x20\x09\x0a\x0d])/ // eslint-disable-line no-control-regex
 
 /**
  * Create a middleware to parse JSON bodies.
@@ -122,7 +122,7 @@ function json (options) {
 
     // assert charset per RFC 7159 sec 8.1
     var charset = getCharset(req) || 'utf-8'
-    if (charset.substr(0, 4) !== 'utf-') {
+    if (charset.slice(0, 4) !== 'utf-') {
       debug('invalid charset')
       next(createError(415, 'unsupported charset "' + charset.toUpperCase() + '"', {
         charset: charset,
@@ -152,7 +152,9 @@ function json (options) {
 
 function createStrictSyntaxError (str, char) {
   var index = str.indexOf(char)
-  var partial = str.substring(0, index) + '#'
+  var partial = index !== -1
+    ? str.substring(0, index) + '#'
+    : ''
 
   try {
     JSON.parse(partial); /* istanbul ignore next */ throw new SyntaxError('strict violation')
@@ -173,7 +175,11 @@ function createStrictSyntaxError (str, char) {
  */
 
 function firstchar (str) {
-  return FIRST_CHAR_REGEXP.exec(str)[1]
+  var match = FIRST_CHAR_REGEXP.exec(str)
+
+  return match
+    ? match[1]
+    : undefined
 }
 
 /**

diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "body-parser",
   "description": "Node.js body parsing middleware",
-  "version": "1.19.2",
+  "version": "1.20.0",
   "contributors": [
     "Douglas Christopher Wilson <doug@somethingdoug.com>",
     "Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)"
@@ -12,13 +12,15 @@
     "bytes": "3.1.2",
     "content-type": "~1.0.4",
     "debug": "2.6.9",
-    "depd": "~1.1.2",
-    "http-errors": "1.8.1",
+    "depd": "2.0.0",
+    "destroy": "1.2.0",
+    "http-errors": "2.0.0",
     "iconv-lite": "0.4.24",
-    "on-finished": "~2.3.0",
-    "qs": "6.9.7",
-    "raw-body": "2.4.3",
-    "type-is": "~1.6.18"
+    "on-finished": "2.4.1",
+    "qs": "6.10.3",
+    "raw-body": "2.5.1",
+    "type-is": "~1.6.18",
+    "unpipe": "1.0.0"
   },
   "devDependencies": {
     "eslint": "7.32.0",
@@ -29,7 +31,7 @@
     "eslint-plugin-promise": "5.2.0",
     "eslint-plugin-standard": "4.1.0",
     "methods": "1.1.2",
-    "mocha": "9.2.0",
+    "mocha": "9.2.2",
     "nyc": "15.1.0",
     "safe-buffer": "5.2.1",
     "supertest": "6.2.2"
@@ -38,10 +40,12 @@
     "lib/",
     "LICENSE",
     "HISTORY.md",
+    "SECURITY.md",
     "index.js"
   ],
   "engines": {
-    "node": ">= 0.8"
+    "node": ">= 0.8",
+    "npm": "1.2.8000 || >= 1.4.16"
   },
   "scripts": {
     "lint": "eslint .",

diff --git a/test/body-parser.js b/test/body-parser.js
@@ -124,7 +124,7 @@ describe('bodyParser()', function () {
         .post('/')
         .set('Content-Type', 'application/json')
         .send(' {"user":"tobi"}')
-        .expect(403, 'no leading space', done)
+        .expect(403, '[entity.verify.failed] no leading space', done)
     })
 
     it('should apply to urlencoded', function (done) {
@@ -138,7 +138,7 @@ describe('bodyParser()', function () {
         .post('/')
         .set('Content-Type', 'application/x-www-form-urlencoded')
         .send(' user=tobi')
-        .expect(403, 'no leading space', done)
+        .expect(403, '[entity.verify.failed] no leading space', done)
     })
   })
 })
@@ -149,7 +149,7 @@ function createServer (opts) {
   return http.createServer(function (req, res) {
     _bodyParser(req, res, function (err) {
       res.statusCode = err ? (err.status || 500) : 200
-      res.end(err ? err.message : JSON.stringify(req.body))
+      res.end(err ? ('[' + err.type + '] ' + err.message) : JSON.stringify(req.body))
     })
   })
 }