Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add implementation of MultipartFormData streaming encoder #200

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Add implementation of MultipartFormData streaming encoder #200

wants to merge 4 commits into from

Conversation

andreiltd
Copy link
Contributor

@andreiltd andreiltd commented Jan 21, 2025
edited
Loading

I did a quick comparison of encoded FormData between SM and Chrome using following JS code:

Simple FormData 
async function readStream(stream) {
 const reader = stream.getReader();
 const chunks = [];

 while (true) {
   const { done, value } = await reader.read();
   if (done) {
     break;
   }
   chunks.push(value);
 }

 let totalLen = 0;
 for (const chunk of chunks) {
   totalLen += chunk.length;
 }

 const result = new Uint8Array(totalLen);

 let offset = 0;
 for (const chunk of chunks) {
   result.set(chunk, offset);
   offset += chunk.length;
 }

 return result;
}

async function main() {
 const form = new FormData();
 form.append('field1', 'value1');
 form.append('field2', 'value2');

 const file = new File(['Hello World!'], 'dummy.txt', { type: 'foo' });
 form.append('file1', file);

 const req = new Request('https:example.com', {
   method: 'POST',
   body: form,
 });

 const type = req.headers.get('Content-Type');
 const boundary = type.split('boundary=')[1];

 // assert(type.startsWith('multipart/form-data; boundary='), "Content-Type is multipart/form-data");
 const data = await readStream(req.body);
 const dec = new TextDecoder();
 const bodyStr = dec.decode(data);

 console.log(bodyStr);
}

main();

The results are:

  • Chrome:
------WebKitFormBoundaryhpShnP1JqrBTVTnC
Content-Disposition: form-data; name="field1"

value1
------WebKitFormBoundaryhpShnP1JqrBTVTnC
Content-Disposition: form-data; name="field2"

value2
------WebKitFormBoundaryhpShnP1JqrBTVTnC
Content-Disposition: form-data; name="file1"; filename="dummy.txt"
Content-Type: foo

Hello World!
------WebKitFormBoundaryhpShnP1JqrBTVTnC--
  • SM:
----BoundaryjXo5N4HEAXWcKrw7
Content-Disposition: form-data; name="field1"

value1
----BoundaryjXo5N4HEAXWcKrw7
Content-Disposition: form-data; name="field2"

value2
----BoundaryjXo5N4HEAXWcKrw7
Content-Disposition: form-data; name="file1"; filename="dummy.txt"
Content-Type: foo

Hello World!
----BoundaryjXo5N4HEAXWcKrw7--

I also did some manual fuzzing to test the streaming logic by varying the buffer sizes the encoder writes into. Specifically, I tested these buffer sizes in bytes: 1, 2, 4, 8, 32, 1024, and 8192 by changing the size in the implementation. Though, having some unit test framework would be nice.

Relevant RFC: https://www.rfc-editor.org/rfc/rfc2046#section-5.1.1

@andreiltd andreiltd marked this pull request as draft January 21, 2025 14:21
@andreiltd andreiltd marked this pull request as ready for review January 22, 2025 14:02
@andreiltd
Copy link
Contributor Author

andreiltd commented Jan 22, 2025
edited
Loading

It looks like the CI failure is unrelated to this PR (I've observed the same failure on main branch). This is a problematic test:

    const response = await fetch("https://http-me.glitch.me/meow?header=cat:é");
    strictEqual(response.headers.get('cat'), "é");

@andreiltd andreiltd mentioned this pull request Jan 22, 2025
Merged
@tschneidereit
Copy link
Member

@andreiltd, is this ready to review, or are you still expecting to make changes to it?

@andreiltd
Copy link
Contributor Author

Yes, this is ready to review :)

tschneidereit
tschneidereit requested changes Jan 25, 2025
View reviewed changes
Copy link
Member

@tschneidereit tschneidereit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Either I'm missing something in looking at the diff, or there is some code missing—see the inline comment on form-data-encoder.h.

One thing that I can't fully evaluate, because it'll presumably be part of the implementation of encode_stream: IIUC, field names, will always be first have their newlines normalized to CRLF, and then have those escaped. It'd be good to fold those into one operation, if possible.

Otherwise, I left a few comments and suggestions. I'm a bit concerned about allocation and general failure handling, so it'd be good to go over those aspects in some detail.

builtins/web/form-data/form-data-encoder.cpp
Comment on lines +29 to +34
if (i + 1 < src.size() && src[i + 1] == LF) {
len += newline_len;
i++;
} else {
len += newline_len;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (i + 1 < src.size() && src[i + 1] == LF) {
len += newline_len;
i++;
} else {
len += newline_len;
}
len += newline_len;
if (i + 1 < src.size() && src[i + 1] == LF) {
i++;
}

builtins/web/form-data/form-data-encoder.cpp
const char CR = '\r';
const char *CRLF = "\r\n";

size_t compute_normalized_len(std::string_view src, const char *newline) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it seems like this is only ever called with CRLF as the input for newline. Given that, does it make sense to remove the newline parameter and hardcode use of CRLF instead? Chances are LLVM emits the same code anyway, but it'd be better not to have to rely on that.

builtins/web/form-data/form-data-encoder.cpp
// `%0A`, 0x0D (CR) with `%0D` and 0x22 (") with `%22`.
//
// https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data
std::optional<std::string> escape_newlines(std::string_view str) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this isn't just for newlines, it'd be good to give it a different name. Perhaps escape_name, given that this applies escaping of a set of characters in names?

builtins/web/form-data/form-data-encoder.h
Comment on lines +32 to +34
static size_t query_length(JSContext *cx, HandleObject self);
static JSObject *encode_stream(JSContext *cx, HandleObject self);
static JSObject *create(JSContext *cx, HandleObject form_data);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The implementation of these seems to be missing? (And in the case of query_length I also can't find any uses.)

builtins/web/form-data/form-data-encoder.cpp
bool MultipartFormDataImpl::handle_entry_header(JSContext *cx, StreamContext &stream) {
auto entry = stream.entries->begin()[chunk_idx_];
auto header = fmt::memory_buffer();
auto name = escape_newlines(entry.name).value();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this needs a null check?

builtins/web/form-data/form-data-encoder.cpp
RootedString type_str(cx, Blob::type(obj));
auto type = core::encode(cx, type_str);

if (!filename || !type) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The filename check needs to happen right after the call to escape_newlines: if that operation errors, we don't want to run any more fallible code.

builtins/web/form-data/form-data-encoder.cpp
// Hex encode bytes to string
auto bytes = std::move(res.unwrap());
auto bytes_str = std::string_view((char *)(bytes.ptr.get()), bytes.size());
auto base64_str = base64::forgivingBase64Encode(bytes_str, base64::base64EncodeTable);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need a null check?

builtins/web/form-data/form-data-encoder.cpp
return outbuf.size() - read;
}

template <typename I> size_t write(I first, I last) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC, this method is deliberately infallible? If so, could you document that fact?

builtins/web/form-data/form-data-encoder.cpp

bool is_draining() { return (file_leftovers_ || remainder_.size()); };

template <typename I> size_t write_and_cache_remainder(StreamContext &stream, I first, I last);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The return value isn't ever used, it seems. Maybe remove it?

builtins/web/form-data/form-data-encoder.cpp
auto leftover = datasz - written;
if (leftover > 0) {
MOZ_ASSERT(remainder_.empty());
remainder_.assign(first + written, last);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this an infallible operation? It seems like it should need to allocate memory, so I'm not sure I understand how that works. And ideally, if it does allocate, we should make that fallible—or at least assert that it didn't fail and abort execution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tschneidereit tschneidereit tschneidereit requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@andreiltd @tschneidereit