Disallow non multipart/form-data request payloads

ruiquelhas · Dec 24, 2015 · fe6ee5c · fe6ee5c
1 parent bfb8fcf
commit fe6ee5c
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -10,14 +10,20 @@ internals.onPostAuth = function (options) {
 
     return function (request, reply) {
 
-        if (!(request.payload instanceof Buffer)) {
+        if (!Buffer.isBuffer(request.payload)) {
             return reply.continue();
         }
 
         const readable = Wreck.toReadableStream(request.payload);
         readable.headers = request.headers;
 
-        Subtext.parse(readable, null, { output: 'data', parse: true }, (err, parsed) => {
+        const config = {
+            allow: 'multipart/form-data',
+            output: 'data',
+            parse: true
+        };
+
+        Subtext.parse(readable, null, config, (err, parsed) => {
 
             if (err) {
                 return reply(err);

diff --git a/test/index.js b/test/index.js
@@ -81,7 +81,7 @@ lab.experiment('blaine', () => {
 
         streamToPromise(form).then((payload) => {
 
-            server.inject({ method: 'POST', payload: payload, url: '/main' }, (response) => {
+            server.inject({ headers: form.getHeaders(), method: 'POST', payload: payload, url: '/main' }, (response) => {
 
                 Code.expect(response.statusCode).to.equal(200);
                 Code.expect(response.headers['content-validation']).to.not.exist();
@@ -102,7 +102,7 @@ lab.experiment('blaine', () => {
 
             server.inject({ headers: { 'Content-Type': 'application/json' }, method: 'POST', payload: payload, url: '/main' }, (response) => {
 
-                Code.expect(response.statusCode).to.equal(400);
+                Code.expect(response.statusCode).to.equal(415);
                 Code.expect(response.headers['content-validation']).to.not.exist();
                 done();
             });