Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Ignore everything after closing boundary when parsing multi form data #2862

Merged
merged 17 commits into from
Jun 12, 2024
Merged

fix: Ignore everything after closing boundary when parsing multi form data #2862

merged 17 commits into from
Jun 12, 2024

Conversation

seakayone
Copy link
Contributor

@seakayone seakayone commented May 23, 2024
edited
Loading

Resolves: #2411

Enables: softwaremill/tapir#3690

Based on an idea by @fliiiix. Co-authored with @fliiiix and @grigala during a Hackergarten session.

/claim #2411
/split @fliiiix
/split @grigala

@seakayone seakayone changed the title fix/ignore clrf after last multipart boundary fix: Ignore everything after closing boundary when parsing multi form data May 23, 2024
@seakayone seakayone mentioned this pull request May 23, 2024
Merged
@ipetkovic
Copy link

thx @seakayone for pushing this one.
I was just about to make PR myself and then saw yours.

@seakayone
Copy link
Contributor Author

thx @seakayone for pushing this one. I was just about to make PR myself and then saw yours.

This fix is not yet complete and more of a rough first shot. It currently has a couple of "problems":

  • For one we had to replace the ChunkBuilder with a Chunk. I plan to revert that change. Even though zio's ChunkBuilder now has a knownSize method it would not work on 2.12.
  • Although the actual issue is fixed other tests are broken.

I will not be able to do much the next couple of days and will progress on this in June hopefully.

@ipetkovic
Copy link

thx @seakayone for pushing this one. I was just about to make PR myself and then saw yours.

This fix is not yet complete and more of a rough first shot. It currently has a couple of "problems":

  • For one we had to replace the ChunkBuilder with a Chunk. I plan to revert that change. Even though zio's ChunkBuilder now has a knownSize method it would not work on 2.12.
  • Although the actual issue is fixed other tests are broken.

I will not be able to do much the next couple of days and will progress on this in June hopefully.

can we overcome first issue by having size counter in FormStateBuffer instead?

@seakayone seakayone mentioned this pull request Jun 10, 2024
Closed
@987Nabil
Copy link
Contributor

@seakayone if you want to have the bounty, you have to add /claim with the issue number to the PR description. You can also use /split if you want to split with the co-authors.

@seakayone seakayone marked this pull request as ready for review June 10, 2024 14:30
@algora-pbc Algora PBC
Copy link

algora-pbc bot commented Jun 10, 2024

💵 To receive payouts, sign up on Algora, link your Github account and connect with Stripe/Alipay.

kyri-petrou
kyri-petrou reviewed Jun 12, 2024
View reviewed changes
Copy link
Collaborator

@kyri-petrou kyri-petrou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some minor comments from my side, otherwise looks good to me :)

zio-http/shared/src/main/scala/zio/http/internal/FormState.scala Outdated Show resolved Hide resolved
zio-http/shared/src/main/scala/zio/http/internal/FormState.scala Outdated Show resolved Hide resolved
zio-http/shared/src/main/scala/zio/http/internal/FormState.scala Outdated Show resolved Hide resolved
zio-http/shared/src/main/scala/zio/http/internal/FormState.scala Outdated Show resolved Hide resolved
zio-http/shared/src/main/scala/zio/http/internal/FormState.scala Outdated Show resolved Hide resolved
zio-http/shared/src/main/scala/zio/http/internal/FormState.scala Outdated Show resolved Hide resolved
seakayone and others added 4 commits June 12, 2024 06:51
@seakayone @kyri-petrou
Update zio-http/shared/src/main/scala/zio/http/internal/FormState.scala
106ba2a 
Co-authored-by: kyri-petrou <67301607+kyri-petrou@users.noreply.github.com>
@seakayone
Extract closingBoundaryBytesSize and reset boundaryMatches with a new…
b338c6e 
… Array[Boolean](closingBoundaryBytesSize)
@seakayone
Merge branch 'main' into fix/ignore-clrf-after-last-multipart-boundary
669f718
@seakayone @kyri-petrou
Update zio-http/shared/src/main/scala/zio/http/internal/FormState.scala
736b504 
Co-authored-by: kyri-petrou <67301607+kyri-petrou@users.noreply.github.com>
@seakayone
Copy link
Contributor Author

Thank you @kyri-petrou I have addressed all you remarks, tests are passing. Please have another look.

kyri-petrou
kyri-petrou reviewed Jun 12, 2024
View reviewed changes
Copy link
Collaborator

@kyri-petrou kyri-petrou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I didn't pick this up in the last review round. I might be missing something but I think we can simplify the logic massively

zio-http/shared/src/main/scala/zio/http/internal/FormState.scala Outdated
private val buffer: ChunkBuilder[Byte] = new ChunkBuilder.Byte
private var bufferSize: Int = 0
private val closingBoundaryBytesSize = boundary.closingBoundaryBytes.size
private var boundaryMatches: Array[Boolean] = new Array[Boolean](closingBoundaryBytesSize)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is something here that I don't understand / failing to see. What is the reason for using an array? Can't this be just a boolean and then L62-68 become this?

boundaryMatches &&= posInLine < closingBoundaryBytesSize && boundary.closingBoundaryBytes(posInLine) == byte

val boundaryDetected = boundaryMatches && posInLine == closingBoundaryBytesSize - 1

Copy link
Contributor Author

@seakayone seakayone Jun 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wonderful, you are right we do not need to remember all checked bytes this way.

That works => f1f33ba

Thanks.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tbh no idea why i thought we need an array 🙈 so much better without - nice find @kyri-petrou 🎉

kyri-petrou
kyri-petrou approved these changes Jun 12, 2024
View reviewed changes
Copy link
Collaborator

@kyri-petrou kyri-petrou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Happy to approve this PR! However, I think you still need an approval from a code owner to get it merged

@jdegoes jdegoes merged commit 68a7abe into zio:main Jun 12, 2024
33 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fliiiix fliiiix fliiiix left review comments

@kyri-petrou kyri-petrou kyri-petrou approved these changes

@jdegoes jdegoes jdegoes approved these changes

@vigoo vigoo Awaiting requested review from vigoo vigoo is a code owner

@987Nabil 987Nabil Awaiting requested review from 987Nabil 987Nabil is a code owner

Assignees
No one assigned
Labels
🙋 Bounty claim
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Parsing multi form data requires CRLF termination
6 participants
@seakayone @ipetkovic @987Nabil @jdegoes @fliiiix @kyri-petrou