Support for multipart/form-data in the request body

[ilanashapiro]

Addresses #2008

Summary

Currently, validation always fails whenever a multipart/form-data content type is used in the request body. This prevents the normal usage of prism without any other proxy server (like nginx) on which such requests can be filtered out. Now, users can successfully use multipart/form-data content type in the request body.

Checklist

• The basics
  • I tested these changes manually in my local or dev environment
• Tests
  • Added or updated
  • N/A
• Event Tracking
  • I added event tracking and followed the event tracking guidelines
  • N/A
• Error Reporting
  • I reported errors and followed the error reporting guidelines
  • N/A

Screenshots

Given the following file called examples/testapi.yaml:

openapi: '3.1.0'
paths:
  /path:
    post:
      responses:
        200:
          content:
            text/plain:
              example: ok
      requestBody:
        content:
          multipart/form-data:
            schema:
              type: object
              properties:
                testData:
                  type: string
              required:
                - "testData"

Writing a non-empty post request to http://127.0.0.1/path with included form-data in the request body now produces the following, successfully returning the response defined in the example:

In contrast, running this same command on the old version of Prism gives a 422 error:

[ilanashapiro]

@rattrayalex @RobertCraigie

[chohmann]

Thank you for submitting this PR!

The main issue we see with this PR is the test harness tests don't actually send multipart form data as expected.

Each of those tests needs to use the -F flag instead of --data in the curl command.

[chohmann]

Suggested change

	If I have an operation with a parameter with the allowEmptyValue set to false to false
	If I have an operation with a parameter with the allowEmptyValue set to false

[chohmann]

Suggested change

	and I send a request with a correcly encoded parameter but with an empty key
	and I send a request with a correctly encoded parameter but with an empty key

[chohmann]

Suggested change

	If I have an operation with a parameter with the allowEmptyValue set to false to false
	If I have an operation with a parameter with the allowEmptyValue set to true

[chohmann]

Suggested change

	and I send a request with a correcly encoded parameter and with the parameter empty
	and I send a request with a correctly encoded parameter and with the parameter empty

[chohmann]

For all of these curl requests you need to use -F instead of --data as that will actually pass form data as multipart.

[ilanashapiro]

@chohmann All requested changes are now implemented. Thank you for pointing out that I needed to pass data with the -F flag rather than the --data flag! I initially misunderstood that setting "Content-type: multipart/form-data" was not sufficient. And apologies about the typos in tests I added to the test harness -- I copied these tests from existing files in the application/x-www-form-urlencoded test suite and didn't proofread the original files. I have now fixed all the typos in these as well as in the original files. I also added some regex parsing logic for multipart form data to handle additional cases. Please let me know if you'd like any further changes! Thanks!

[EdVinyard]

We really appreciate your update, but I think there are some cases the parseMultipartFormDataParams() function doesn't yet handle regarding the boundary between multipart entities.

[EdVinyard]

I think this code assumes that the boundary between multipart entities is -- followed by any string. However, the boundary between multipart entities is defined, in each individual request, by the request's Content-Type header's Boundary parameter. This is because the client must choose a value that doesn't occur within any multipart entity that it will transmit. For example, consider the effect of the following example on your implementation.

curl -v -F a=b -F c='--="' <hostname>

Also consider any form value that includes \r\n\r\n.

RFC 2046 § 5.1.1 describes the boundary as...

a line consisting entirely of two hyphen characters ("-", decimal value 45) followed by the boundary parameter value from the Content-Type header field, optional linear whitespace, and a terminating CRLF.

I think you'll need to either:

1. implement this as the standard describes, with unit tests (not test-harness integration tests) to validate that it works with a variety of input, OR
2. rely on a library which parses multipart data according to the standard.

[ilanashapiro]

Hi Ed, thank you so much for your feedback. I discovered a library called parse-multiform-data which I'm installing as an npm package that seemed to be the most reliable method. I made changes according to this, such as parsing the boundary parameter from the Content-Type header field in order to pass it to the library for parsing the body. I left some comments on the recent changes that hopefully help clarify some of the decisions I made when implementing this. Thanks again and please let me know if you'd like any other changes!

[ilanashapiro]

Here, we parse the boundary parameter value from the Content-Type header field as specified by https://datatracker.ietf.org/doc/html/rfc2046#section-5.1.1. We do so using the parse-multipart-data library to ensure it's parsed correctly according to the standard. The boundary string is later passed into the parse-multipart-data library to correctly parse the body in the function parseMultipartFormDataParams.

[ilanashapiro]

See comment in packages/http/src/validator/index.ts

[ilanashapiro]

After end-end and unit testing, the content-type header appeared in both formats: "multipart/form-data;boundary=--...." and "multipart/form-data; boundary=--...." (with the space after the semicolon). Thus, I'm handling possible whitespace between the media type and the boundary string.

[EdVinyard]

1. I'm concerned about your use of a regular expression here. Notice that the boundary may contain any 7-bit ASCII character, which I think includes many characters with special meanings inside a regular expression (e.g., ., *, (). Consider using a library to parse the Content-Type header in its entirety. Here's a very simple example using whatwg-mimetype:

   import MIMEType from 'whatwg-mimetype';
   
   const t = new MIMEType('multipart/form-data; boundary=.*.?.+zzz');
   console.log(t?.essence);
   console.log(t.parameters.get('boundary'));

2. It looks like this block of code is a duplicate of what you added in mocker/index.ts. Could it be factored out?

[ilanashapiro]

See comment in packages/http/src/validator/index.ts

[ilanashapiro]

See: hovissimo's comment on nachomazzara/parse-multipart-data#14 (I was getting the same error as him)

And also the source code: https://github.com/nachomazzara/parse-multipart-data/blob/master/src/multipart.ts#L34C80-L34C80

[ilanashapiro]

then convert back from Buffer to String for further processing by Prism

[ilanashapiro]

The boundary string MUST be non-empty if this is multipart/form-data (which it is if we're in this function). Thus, we return with error. According to https://bobbyhadz.com/blog/error-multipart-boundary-not-found-in-express-js, postmanlabs/postman-app-support#191, https://stackoverflow.com/questions/40351429/formdata-how-to-get-or-set-boundary-in-multipart-form-data-angular, this can occur when the user is manually setting the content-type, which means the server is not generating it (and the boundary string). Thus, the possible fix is suggested in the error message.

[ilanashapiro]

(Returning an error seemed to me a better solution than just returning an empty dictionary as it keeps the user more informed. Thus, the return type is Either).

[EdVinyard]

We'd prefer to use import statements rather than dynamic require whenever possible.

[EdVinyard]

1. I'm concerned about your use of a regular expression here. Notice that the boundary may contain any 7-bit ASCII character, which I think includes many characters with special meanings inside a regular expression (e.g., ., *, (). Consider using a library to parse the Content-Type header in its entirety. Here's a very simple example using whatwg-mimetype:

   import MIMEType from 'whatwg-mimetype';
   
   const t = new MIMEType('multipart/form-data; boundary=.*.?.+zzz');
   console.log(t?.essence);
   console.log(t.parameters.get('boundary'));

2. It looks like this block of code is a duplicate of what you added in mocker/index.ts. Could it be factored out?

[ilanashapiro]

Wrapping in Either monad in order to match the return type of parseMultipartFormDataParams, which is of type Either as it may return an error.

[ilanashapiro]

Since parseMultipartFormDataParams returns an error wrapped in E.left if the boundary string is empty, the return type is Either, and I wrapped the result of splitUriParams in E.Right to match the return type (Either) of parseMultipartFormDataParams. Thus, we move this statement into the expression pipeline.

[ilanashapiro]

parseMultipartFormDataParams returns an error wrapped in E.Left if the boundary sting is empty. Here I convert that to a default value (i.e. empty dictionary) if that occurs. I'm not sure if I'm supposed to be doing anything else here -- this same behavior (unwrapping the monad using defaults) is implemented for findContentByMediaTypeOrFirst just below on line 169, so I attempted to emulate that.

[ilanashapiro]

Hi Ed, thanks for your feedback, I am now doing all Content-Type header parsing using the whatwg-mimetype library you recommended, and the dynamic require statements were changed to imports. As for the duplicate code block, I moved it to a small utility function called parseMIMEHeader I created in validators/headers.ts. Finally, I also attempted to improve the error reporting for empty multipart boundary strings by wrapping parseMultipartFormDataParams in the Either monad and returning a descriptive error (which meant I also needed to wrap splitUriParams in the Either monad to maintain equivalent types).

[chohmann]

Thank you for your contribution and for working through our reviews with us!

Review is stale

[chohmann]

This is included in version 5.2.0 of Prism.

[rattrayalex]

Hooray, thanks Ilana, Ed, and Chelsea!