fix(fixRequestBody): harden form-data stringification

Author: chimurai

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## [Unreleased](https://github.com/chimurai/http-proxy-middleware/compare/v4.1.0...master)
+
+- fix(fixRequestBody): harden form-data stringification
+
 ## [v4.1.0](https://github.com/chimurai/http-proxy-middleware/releases/tag/v4.1.0)
 
 - feat(definePlugin): helper function to create plugins

src/handlers/fix-request-body-utils/stringify-form-data.ts

@@ -0,0 +1,59 @@
+const CR_OR_LF = /[\r\n]/;
+
+/**
+ * stringify FormData data
+ * @param contentType
+ * @param data
+ * @returns
+ */
+export function stringifyFormData(contentType: string, data: object): string {
+  const boundary = getMultipartBoundary(contentType);
+  let str = '';
+
+  for (const [key, value] of Object.entries(data)) {
+    const normalizedKey = String(key);
+    const normalizedValue = String(value);
+
+    // Reject potentially dangerous sequences to prevent multipart header/body injection.
+    validateMultipartField(normalizedKey, normalizedValue, boundary);
+
+    str += `--${boundary}\r\nContent-Disposition: form-data; name="${escapeMultipartFieldName(normalizedKey)}"\r\n\r\n${normalizedValue}\r\n`;
+  }
+
+  return str;
+}
+
+function getMultipartBoundary(contentType: string): string {
+  const boundaryMatch = /(?:^|;)\s*boundary=(?:"([^"]+)"|([^;]+))/i.exec(contentType);
+
+  // Keep backward-compatible behavior when boundary is omitted: fall back to legacy extraction.
+  const boundary = (boundaryMatch?.[1] ?? boundaryMatch?.[2] ?? contentType).trim();
+
+  if (!boundary || CR_OR_LF.test(boundary)) {
+    throw new Error(
+      '[HPM] unsafe multipart boundary detected. Request rejected per RFC 9112 obsolete line folding guidance.',
+    );
+  }
+
+  return boundary;
+}
+
+function validateMultipartField(fieldName: string, fieldValue: string, boundary: string): void {
+  const boundaryDelimiter = `--${boundary}`;
+
+  if (CR_OR_LF.test(fieldName)) {
+    throw new Error(
+      `[HPM] unsafe multipart field name "${fieldName}" detected. Request rejected per RFC 9112 obsolete line folding guidance.`,
+    );
+  }
+
+  if (CR_OR_LF.test(fieldValue) || fieldValue.includes(boundaryDelimiter)) {
+    throw new Error(
+      `[HPM] unsafe multipart field value for "${fieldName}" detected. Request rejected per RFC 9112 obsolete line folding guidance.`,
+    );
+  }
+}
+
+function escapeMultipartFieldName(fieldName: string): string {
+  return fieldName.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+}

src/handlers/fix-request-body.ts

@@ -2,6 +2,8 @@ import type * as http from 'node:http';
 import * as querystring from 'node:querystring';
 import * as zlib from 'node:zlib';
 
+import { stringifyFormData } from './fix-request-body-utils/stringify-form-data.js';
+
 export type BodyParserLikeRequest = http.IncomingMessage & { body?: any };
 
 /**
@@ -65,30 +67,25 @@ export function fixRequestBody<TReq extends BodyParserLikeRequest = BodyParserLi
     proxyReq.write(proxyData);
   };
 
-  // Use if-elseif to prevent multiple writeBody/setHeader calls:
-  // Error: "Cannot set headers after they are sent to the client"
-  if (contentType.includes('application/json') || contentType.includes('+json')) {
-    writeBody(JSON.stringify(requestBody));
-  } else if (contentType.includes('application/x-www-form-urlencoded')) {
-    writeBody(querystring.stringify(requestBody));
-  } else if (contentType.includes('multipart/form-data')) {
-    writeBody(handlerFormDataBodyData(contentType, requestBody));
-  } else if (contentType.includes('text/plain')) {
-    writeBody(requestBody);
+  try {
+    // Use if-elseif to prevent multiple writeBody/setHeader calls:
+    // Error: "Cannot set headers after they are sent to the client"
+    if (contentType.includes('application/json') || contentType.includes('+json')) {
+      writeBody(JSON.stringify(requestBody));
+    } else if (contentType.includes('application/x-www-form-urlencoded')) {
+      writeBody(querystring.stringify(requestBody));
+    } else if (contentType.includes('multipart/form-data')) {
+      writeBody(stringifyFormData(contentType, requestBody));
+    } else if (contentType.includes('text/plain')) {
+      writeBody(requestBody);
+    }
+  } catch (error) {
+    // proxyReq listeners run outside the middleware try/catch path; re-throwing here can bubble as
+    // an unhandled exception in consumers, so destroy() is used to fail closed through proxy error handling.
+    proxyReq.destroy(toError(error));
   }
 }
 
-/**
- * format FormData data
- * @param contentType
- * @param data
- * @returns
- */
-function handlerFormDataBodyData(contentType: string, data: any) {
-  const boundary = contentType.replace(/^.*boundary=(.*)$/, '$1');
-  let str = '';
-  for (const [key, value] of Object.entries(data)) {
-    str += `--${boundary}\r\nContent-Disposition: form-data; name="${key}"\r\n\r\n${value}\r\n`;
-  }
-  return str;
+function toError(error: unknown): Error {
+  return error instanceof Error ? error : new Error(String(error));
 }

test/e2e/http-proxy-middleware.spec.ts

@@ -128,6 +128,50 @@ describe('E2E http-proxy-middleware', () => {
         });
         await agent.post('/api').send({ foo: 'bar', bar: 'baz', doubleByte: '文' }).expect(200);
       });
+
+      it('should reject CRLF multipart injection when fixRequestBody serializes multipart', async () => {
+        const targetSpy = vi.fn();
+
+        agent = request(
+          createApp(
+            bodyParser.urlencoded({ extended: false }),
+            (req, res, next) => {
+              if (req.body?.role === 'admin') {
+                res.status(403).send('gateway: role=admin forbidden');
+                return;
+              }
+              next();
+            },
+            createProxyMiddleware({
+              target: mockTargetServer.url,
+              pathFilter: '/api',
+              on: {
+                proxyReq: (proxyReq, req) => {
+                  proxyReq.setHeader('Content-Type', 'multipart/form-data; boundary=BB');
+                  fixRequestBody(proxyReq, req);
+                },
+              },
+            }),
+          ),
+        );
+
+        await mockTargetServer.forPost('/api').thenCallback(async () => {
+          targetSpy();
+          return { statusCode: 200 };
+        });
+
+        const injectedValue =
+          'alice\r\n--BB\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin\r\n--BB--';
+
+        const response = await agent
+          .post('/api')
+          .set('Content-Type', 'application/x-www-form-urlencoded')
+          .send(`user=${encodeURIComponent(injectedValue)}`)
+          .expect(500);
+
+        expect(response.text).toContain('Error occurred while trying to proxy');
+        expect(targetSpy).toHaveBeenCalledTimes(0);
+      });
     });
 
     describe('custom pathFilter matcher/filter', () => {

test/unit/fix-request-body.spec.ts

@@ -113,6 +113,92 @@ describe('fixRequestBody', () => {
     expect(proxyRequest.write).toHaveBeenCalledWith(expectedBody);
   });
 
+  it('should reject multipart field values containing CRLF', () => {
+    const proxyRequest = fakeProxyRequest();
+    proxyRequest.setHeader('content-type', 'multipart/form-data; boundary=BB');
+
+    fixRequestBody(
+      proxyRequest,
+      createRequestWithBody({
+        user: 'alice\r\n--BB\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin',
+      }),
+    );
+
+    expect(proxyRequest.write).toHaveBeenCalledTimes(0);
+    expect(proxyRequest.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  it('should reject multipart field values containing LF only', () => {
+    const proxyRequest = fakeProxyRequest();
+    proxyRequest.setHeader('content-type', 'multipart/form-data; boundary=BB');
+
+    fixRequestBody(
+      proxyRequest,
+      createRequestWithBody({
+        user: 'alice\nadmin',
+      }),
+    );
+
+    expect(proxyRequest.write).toHaveBeenCalledTimes(0);
+    expect(proxyRequest.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  it('should reject multipart field values containing CR only', () => {
+    const proxyRequest = fakeProxyRequest();
+    proxyRequest.setHeader('content-type', 'multipart/form-data; boundary=BB');
+
+    fixRequestBody(
+      proxyRequest,
+      createRequestWithBody({
+        user: 'alice\radmin',
+      }),
+    );
+
+    expect(proxyRequest.write).toHaveBeenCalledTimes(0);
+    expect(proxyRequest.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  it('should reject multipart field names containing LF', () => {
+    const proxyRequest = fakeProxyRequest();
+    proxyRequest.setHeader('content-type', 'multipart/form-data; boundary=BB');
+
+    fixRequestBody(
+      proxyRequest,
+      createRequestWithBody({
+        'bad\nname': 'alice',
+      }),
+    );
+
+    expect(proxyRequest.write).toHaveBeenCalledTimes(0);
+    expect(proxyRequest.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  it('should reject multipart field values containing the active boundary delimiter', () => {
+    const proxyRequest = fakeProxyRequest();
+    proxyRequest.setHeader('content-type', 'multipart/form-data; boundary=BB');
+
+    fixRequestBody(
+      proxyRequest,
+      createRequestWithBody({
+        user: '--BB',
+      }),
+    );
+
+    expect(proxyRequest.write).toHaveBeenCalledTimes(0);
+    expect(proxyRequest.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  it('should escape quotes in multipart field names', () => {
+    const proxyRequest = fakeProxyRequest();
+    proxyRequest.setHeader('content-type', 'multipart/form-data; boundary=BB');
+
+    fixRequestBody(proxyRequest, createRequestWithBody({ 'field"name': 'value' }));
+
+    expect(proxyRequest.write).toHaveBeenCalledWith(
+      '--BB\r\nContent-Disposition: form-data; name="field\\"name"\r\n\r\nvalue\r\n',
+    );
+  });
+
   it('should write when body is not empty and Content-Type ends with +json', () => {
     const proxyRequest = fakeProxyRequest();
     proxyRequest.setHeader('content-type', 'application/merge-patch+json; charset=utf-8');