Formdata ignore epilogue preamble (#4672)

KhafraDev · web-flow · commit fdafc2af7a75 · 2025-11-17T11:36:18.000-05:00
diff --git a/lib/web/fetch/formdata-parser.js b/lib/web/fetch/formdata-parser.js
@@ -9,8 +9,6 @@ const { isomorphicDecode } = require('../infra')
 const { utf8DecodeBytes } = require('../../encoding')
 
 const dd = Buffer.from('--')
-const ddcrlf = Buffer.from('--\r\n')
-
 const decoder = new TextDecoder()
 
 /**
@@ -85,20 +83,16 @@ function multipartFormDataParser (input, mimeType) {
   //    the first byte.
   const position = { position: 0 }
 
-  // Note: undici addition, allows leading and trailing CRLFs.
-  while (input[position.position] === 0x0d && input[position.position + 1] === 0x0a) {
-    position.position += 2
-  }
-
-  let trailing = input.length
+  // Note: Per RFC 2046 Section 5.1.1, we must ignore anything before the
+  // first boundary delimiter line (preamble). Search for the first boundary.
+  const firstBoundaryIndex = input.indexOf(boundary)
 
-  while (input[trailing - 1] === 0x0a && input[trailing - 2] === 0x0d) {
-    trailing -= 2
+  if (firstBoundaryIndex === -1) {
+    throw parsingError('no boundary found in multipart body')
   }
 
-  if (trailing !== input.length) {
-    input = input.subarray(0, trailing)
-  }
+  // Start parsing from the first boundary, ignoring any preamble
+  position.position = firstBoundaryIndex
 
   // 5. While true:
   while (true) {
@@ -114,11 +108,11 @@ function multipartFormDataParser (input, mimeType) {
 
     // 5.2. If position points to the sequence of bytes 0x2D 0x2D 0x0D 0x0A
     //      (`--` followed by CR LF) followed by the end of input, return entry list.
-    // Note: a body does NOT need to end with CRLF. It can end with --.
-    if (
-      (position.position === input.length - 2 && bufferStartsWith(input, dd, position)) ||
-      (position.position === input.length - 4 && bufferStartsWith(input, ddcrlf, position))
-    ) {
+    // Note: Per RFC 2046 Section 5.1.1, we must ignore anything after the
+    // final boundary delimiter (epilogue). Check for -- or --CRLF and return
+    // regardless of what follows.
+    if (bufferStartsWith(input, dd, position)) {
+      // Found closing boundary delimiter (--), ignore any epilogue
       return entryList
     }
 
diff --git a/test/busboy/issue-4671.js b/test/busboy/issue-4671.js
@@ -0,0 +1,42 @@
+'use strict'
+
+const { test } = require('node:test')
+const { Request, Response, FormData } = require('../..')
+
+// https://github.com/nodejs/undici/issues/4671
+test('preamble and epilogue is ignored', async (t) => {
+  const request = new Request('https://example.com', {
+    method: 'POST',
+    body: (function () {
+      const formData = new FormData()
+      formData.append('a', 'b')
+      return formData
+    })()
+  })
+
+  const contentType = request.headers.get('Content-Type')
+  let bytes = await request.bytes()
+  bytes = new Uint8Array([...bytes, ...Array(10).fill(0)])
+
+  await t.test('epilogue', async () => {
+    await new Response(bytes, {
+      headers: {
+        'Content-Type': contentType
+      }
+    }).formData()
+  })
+
+  await t.test('preamble', async () => {
+    // preamble
+    bytes.set(bytes.subarray(0, -10), 10)
+    bytes.fill(0, 0, 8)
+    bytes[8] = 13
+    bytes[9] = 10
+
+    await new Response(bytes, {
+      headers: {
+        'Content-Type': contentType
+      }
+    }).formData()
+  })
+})
