catch comma and semicolon smugglers

thehabes · thehabes · commit f3cb69feb2ac · 2026-03-24T16:11:08.000-05:00
diff --git a/rest.js b/rest.js
@@ -26,6 +26,22 @@ const checkPatchOverrideSupport = function (req, res) {
     return undefined !== override && override === "PATCH"
 }
 
+/**
+ * Detects multiple MIME types smuggled into a single Content-Type header.
+ * Catches both comma-separated types (e.g., "application/json, text/plain")
+ * and semicolon-smuggled types (e.g., "application/json; text/plain").
+ * Per RFC 7231/2045, semicolons delimit parameters which must be key=value pairs.
+ * A segment without '=' after a semicolon is a bare token, not a valid parameter.
+ *
+ * @param {string} contentType - Lowercased Content-Type header value
+ * @returns {boolean} True if multiple MIME types are detected
+ */
+const hasMultipleContentTypes = (contentType) => {
+    if (contentType.includes(",")) return true
+    const segments = contentType.split(";")
+    return segments.slice(1).some(segment => !segment.trim().includes("="))
+}
+
 /**
  * Middleware to verify Content-Type headers for endpoints receiving JSON bodies.
  * Responds with a 415 Invalid Media Type for Content-Type headers that are not for JSON bodies.
@@ -43,7 +59,7 @@ const verifyJsonContentType = function (req, res, next) {
             statusMessage: `Missing or empty Content-Type header.`
         }))
     }
-    if (contentType.includes(",")) {
+    if (hasMultipleContentTypes(contentType)) {
         return next(utils.createExpressError({
             statusCode: 415,
             statusMessage: `Multiple Content-Type values are not allowed. Provide exactly one Content-Type header.`
@@ -73,7 +89,7 @@ const verifyTextContentType = function (req, res, next) {
             statusMessage: `Missing or empty Content-Type header.`
         }))
     }
-    if (contentType.includes(",")) {
+    if (hasMultipleContentTypes(contentType)) {
         return next(utils.createExpressError({
             statusCode: 415,
             statusMessage: `Multiple Content-Type values are not allowed. Provide exactly one Content-Type header.`
@@ -103,7 +119,7 @@ const verifyEitherContentType = function (req, res, next) {
             statusMessage: `Missing or empty Content-Type header.`
         }))
     }
-    if (contentType.includes(",")) {
+    if (hasMultipleContentTypes(contentType)) {
         return next(utils.createExpressError({
             statusCode: 415,
             statusMessage: `Multiple Content-Type values are not allowed. Provide exactly one Content-Type header.`
diff --git a/routes/__tests__/contentType.test.js b/routes/__tests__/contentType.test.js
@@ -156,6 +156,24 @@ describe("verifyJsonContentType middleware", () => {
         expect(response.statusCode).toBe(415)
         expect(response.text).toContain("Multiple Content-Type values are not allowed")
     })
+
+    it("returns 415 for semicolon-smuggled MIME type", async () => {
+        const response = await request(routeTester)
+            .post("/json-endpoint")
+            .set("Content-Type", "application/json; text/plain")
+            .send('{"test":"data"}')
+        expect(response.statusCode).toBe(415)
+        expect(response.text).toContain("Multiple Content-Type values are not allowed")
+    })
+
+    it("returns 415 for semicolon-smuggled MIME type with valid parameter", async () => {
+        const response = await request(routeTester)
+            .post("/json-endpoint")
+            .set("Content-Type", "application/json; charset=utf-8; text/plain")
+            .send('{"test":"data"}')
+        expect(response.statusCode).toBe(415)
+        expect(response.text).toContain("Multiple Content-Type values are not allowed")
+    })
 })
 
 describe("verifyTextContentType middleware", () => {
@@ -204,6 +222,15 @@ describe("verifyTextContentType middleware", () => {
         expect(response.statusCode).toBe(415)
         expect(response.text).toContain("Multiple Content-Type values are not allowed")
     })
+
+    it("returns 415 for semicolon-smuggled MIME type", async () => {
+        const response = await request(routeTester)
+            .post("/text-endpoint")
+            .set("Content-Type", "text/plain; application/json")
+            .send("hello")
+        expect(response.statusCode).toBe(415)
+        expect(response.text).toContain("Multiple Content-Type values are not allowed")
+    })
 })
 
 describe("verifyEitherContentType middleware", () => {
@@ -262,4 +289,13 @@ describe("verifyEitherContentType middleware", () => {
         expect(response.statusCode).toBe(415)
         expect(response.text).toContain("Multiple Content-Type values are not allowed")
     })
+
+    it("returns 415 for semicolon-smuggled MIME type", async () => {
+        const response = await request(routeTester)
+            .post("/either-endpoint")
+            .set("Content-Type", "application/json; text/plain")
+            .send('{"test":"data"}')
+        expect(response.statusCode).toBe(415)
+        expect(response.text).toContain("Multiple Content-Type values are not allowed")
+    })
 })
