mscdex / busboy

A streaming parser for HTML form data for node.js
MIT License

Document the `error` event #286

Closed cristi8 closed 2 years ago

cristi8 commented 2 years ago

If busboy is used as currently documented, sending a malformed multipart header will crash the server.

One has to use `.on('error', ...)` to handle errors and avoid crashes.

I think the documentation should mention this, as without this, servers are vulnerable to Denial of Service.

mscdex commented 2 years ago

The object that the exported function returns is documented as being a standard Writable stream, which is a node.js core object type that is fully documented on the node.js API website.

cristi8 commented 2 years ago

Oh! So it's considered ok to have sample code on the main page that has a security vulnerability? (DOS)

You know a lot of people will copy-paste and edit when starting with busboy.

Ok then