-
-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update the busboy
dependency to v1
#311
Comments
@jaydenseric I am very interested in what you plan to do - and the "off by one" error is not nearly as troubling to me, as the Security Flaw... but that's just one vote... I know I may not be typical. I would be very interested in whatever steps you take to remediate this issue - as I need to include this in my work as well. Thanks. |
I'm hoping for an overnight response to mscdex/busboy#297 (comment) , either a fix or a timeline for a fix otherwise I will probably just update to |
@jaydenseric Have you made any decision regarding this? The Security Flaw is blocking our work as well, and I also think the "off by one" error is definitely something that we can tolerate... while waiting for |
Yes, I'm about to start work on it now. |
@jaydenseric we have the same issue and it blocks our releases. Is there any estimated time for the fix? sorry for the disturbance |
ETA within the hour. I'm about to push a commit up. |
I was curious to see how /[redacted]/apollo-upload-examples/api/node_modules/dicer/lib/HeaderParser.js:85
this.header[h][this.header[h].length - 1] += lines[i];
^
TypeError: Cannot read properties of undefined (reading 'length')
at HeaderParser._parseHeader (/[redacted]/apollo-upload-examples/api/node_modules/dicer/lib/HeaderParser.js:85:37)
at HeaderParser._finish (/[redacted]/apollo-upload-examples/api/node_modules/dicer/lib/HeaderParser.js:60:10)
at SBMH.<anonymous> (/[redacted]/apollo-upload-examples/api/node_modules/dicer/lib/HeaderParser.js:40:12)
at SBMH.emit (node:events:527:28)
at SBMH._sbmh_feed (/[redacted]/apollo-upload-examples/api/node_modules/streamsearch/lib/sbmh.js:159:14)
at SBMH.push (/[redacted]/apollo-upload-examples/api/node_modules/streamsearch/lib/sbmh.js:56:14)
at HeaderParser.push (/[redacted]/apollo-upload-examples/api/node_modules/dicer/lib/HeaderParser.js:46:19)
at Dicer._oninfo (/[redacted]/apollo-upload-examples/api/node_modules/dicer/lib/Dicer.js:196:25)
at SBMH.<anonymous> (/[redacted]/apollo-upload-examples/api/node_modules/dicer/lib/Dicer.js:126:10)
at SBMH.emit (node:events:527:28) |
So, there might need to be more work to do. Because even with |
This seems to be a problem: graphql-upload/processRequest.js Line 91 in 5d4c758
If you change it to I mean, what is this for? graphql-upload/processRequest.js Lines 106 to 112 in 5d4c758
I vaguely remember it took us ages to figure out it was really important. Is it still important? IDK. |
@jaydenseric probably the issue should be reopened because as you've already mentioned the issue is still actual and there wasn't any release |
I pushed up a failing test for the function |
I've figured a lot of it out, putting polish on it. I'm going as fast as I can but not sure I'm going to be able to publish a new |
I've pushed up a few commits that get all the tests passing across all our supported Node.js versions. I'm a little scared to rush this out without adequate testing or review because it changes the way errors a handled in the function Something that I noticed testing this out, is that when there are certain kinds of graphql-upload/processRequest.test.mjs Lines 1531 to 1534 in ef566f3
The result of a multipart request that is so malformed that the error comes from the Improving that can happen in future work and doesn't need to block this release. |
This work has been published in v15.0.0! Please test this update in your projects and hopefully we didn't introduce any new bugs in the rush 🙏 |
The
busboy
v1 update has a lot of great improvements, and importantly fixes this security flaw:GHSA-wm7h-9275-46v2
Unfortunately, it also introduces a bug where the file size limit is 1 byte off:
mscdex/busboy#297
If we were to update the
graphql-upload
dependencybusboy
to v1 with that bug, imagine how many apps have public facing labels on file upload inputs saying things like "max 4 MB file size" and users would try to upload an exactly 4 MB file and it would be erroring. To avoid having to update our front ends to say "max 3.999999 MB" we would have to change ourgraphql-upload
maxFileSize
config in GraphQL APIs to be the real limit we want + 1. But then, if thisbusboy
bug is fixed in a patch release, suddenly files 1 byte too big will start being accepted which could have who knows what problems further down the line in our systems depending how the files are used.We might be forced to publish a major release of
graphql-upload
that only bumpsbusboy
to v1, but with a big warning in the changelog entry that explains this outstandingbusboy
bug and that people should be aware of the dilemma and deal with it as best as they can.The text was updated successfully, but these errors were encountered: