reject content-type headers that have multiple or duplicate types

thehabes · thehabes · commit 2b7ea90813d4 · 2026-03-24T11:06:18.000-05:00
diff --git a/rest.js b/rest.js
@@ -55,6 +55,12 @@ const validateContentType = function (req, res, next) {
             statusMessage: `Missing or empty Content-Type header.`
         }))
     }
+    if (contentType.includes(",")) {
+        return next(createExpressError({
+            statusCode: 415,
+            statusMessage: `Multiple Content-Type values are not allowed. Provide exactly one Content-Type header.`
+        }))
+    }
     if (mimeType === "application/json" || mimeType === "application/ld+json") return next()
     const isSearchEndpoint = req.path === "/search" || req.path.startsWith("/search/")
     if (mimeType === "text/plain" && isSearchEndpoint) return next()
diff --git a/routes/__tests__/contentType.test.js b/routes/__tests__/contentType.test.js
@@ -173,4 +173,22 @@ describe("Content-Type validation middleware", () => {
         expect(response.text).toContain("Unsupported Content-Type")
     })
 
+    it("returns 415 for comma-separated multiple Content-Type values", async () => {
+        const response = await request(routeTester)
+            .post("/api/create")
+            .set("Content-Type", "application/json, text/plain")
+            .send('{"test":"data"}')
+        expect(response.statusCode).toBe(415)
+        expect(response.text).toContain("Multiple Content-Type values are not allowed")
+    })
+
+    it("returns 415 for valid type smuggled via comma after charset", async () => {
+        const response = await request(routeTester)
+            .post("/api/create")
+            .set("Content-Type", "application/json; charset=utf-8, text/plain")
+            .send('{"test":"data"}')
+        expect(response.statusCode).toBe(415)
+        expect(response.text).toContain("Multiple Content-Type values are not allowed")
+    })
+
 })
