careful not to interpret Buffer as json-parsed keyed object

leebyron · leebyron · commit b8737ade6d97 · 2015-09-29T15:49:48.000-07:00
diff --git a/src/__tests__/http-test.js b/src/__tests__/http-test.js
@@ -522,6 +522,23 @@ describe('test harness', () => {
         });
       });
 
+      it('does not accept unknown pre-parsed POST raw Buffer', async () => {
+        var app = express();
+        app.use(bodyParser.raw({ type: '*/*' }));
+
+        app.use(urlString(), graphqlHTTP({ schema: TestSchema }));
+
+        var req = request(app)
+          .post(urlString())
+          .set('Content-Type', 'application/graphql');
+        req.write(new Buffer('{ test(who: "World") }'));
+        var error = await catchError(req);
+
+        expect(error.response.status).to.equal(400);
+        expect(JSON.parse(error.response.text)).to.deep.equal({
+          errors: [ { message: 'Must provide query string.' } ]
+        });
+      });
     });
 
     describe('Pretty printing', () => {
diff --git a/src/parseBody.js b/src/parseBody.js
@@ -18,8 +18,8 @@ import type { Request } from 'express';
 
 export function parseBody(req: Request, next: NodeCallback): void {
   try {
-    // If express has already parsed a body as an object, use it.
-    if (typeof req.body === 'object') {
+    // If express has already parsed a body as a keyed object, use it.
+    if (typeof req.body === 'object' && !(req.body instanceof Buffer)) {
       return next(null, req.body);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,8 @@ import type { Request } from 'express';`
`18`	`18`
`19`	`19`	`export function parseBody(req: Request, next: NodeCallback): void {`
`20`	`20`	`try {`
`21`		`- // If express has already parsed a body as an object, use it.`
`22`		`- if (typeof req.body === 'object') {`
	`21`	`+ // If express has already parsed a body as a keyed object, use it.`
	`22`	`+ if (typeof req.body === 'object' && !(req.body instanceof Buffer)) {`
`23`	`23`	`return next(null, req.body);`
`24`	`24`	`}`
`25`	`25`