Set form options for form-based request types (#50016)

captainsafia · web-flow · commit fbe90bbd91ca · 2023-08-14T11:04:53.000-07:00
* Set form options for form-based request types

* Remove MediaTypeHeaderValue

* Tweak
diff --git a/src/Antiforgery/src/AntiforgeryMiddleware.cs b/src/Antiforgery/src/AntiforgeryMiddleware.cs
@@ -23,7 +23,7 @@ public Task Invoke(HttpContext context)
         }
 
         var method = context.Request.Method;
-        if (!HttpMethodExtensions.IsValidHttpMethodForForm(method))
+        if (!HttpExtensions.IsValidHttpMethodForForm(method))
         {
             return _next(context);
         }
diff --git a/src/Antiforgery/src/Microsoft.AspNetCore.Antiforgery.csproj b/src/Antiforgery/src/Microsoft.AspNetCore.Antiforgery.csproj
@@ -25,7 +25,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <Compile Include="$(SharedSourceRoot)HttpMethodExtensions.cs" LinkBase="Shared"/>
+    <Compile Include="$(SharedSourceRoot)HttpExtensions.cs" LinkBase="Shared"/>
     <Compile Include="$(SharedSourceRoot)Reroute.cs" LinkBase="Shared"/>
   </ItemGroup>
 </Project>
diff --git a/src/Http/Routing/src/EndpointRoutingMiddleware.cs b/src/Http/Routing/src/EndpointRoutingMiddleware.cs
@@ -139,8 +139,14 @@ private Task SetRoutingAndContinue(HttpContext httpContext)
             // We do this during endpoint routing to ensure that successive middlewares in the pipeline
             // can access the feature with the correct value.
             SetMaxRequestBodySize(httpContext);
-            // Map IFormOptionsMetadata to IFormFeature if present on the endpoint.
-            SetFormOptions(httpContext, endpoint);
+            // Map IFormOptionsMetadata to IFormFeature if present on the endpoint if the
+            // request being processed is a form request. Note: we do a manual check for the
+            // form content-types here to avoid prematurely accessing the form feature.
+            if (HttpExtensions.IsValidHttpMethodForForm(httpContext.Request.Method) &&
+                HttpExtensions.IsValidContentTypeForForm(httpContext.Request.ContentType))
+            {
+                SetFormOptions(httpContext, endpoint);
+            }
 
             var shortCircuitMetadata = endpoint.Metadata.GetMetadata<ShortCircuitMetadata>();
             if (shortCircuitMetadata is not null)
@@ -177,7 +183,7 @@ private Task ExecuteShortCircuit(ShortCircuitMetadata shortCircuitMetadata, Endp
 
             if (endpoint.Metadata.GetMetadata<IAntiforgeryMetadata>() is { RequiresValidation: true } &&
                 httpContext.Request.Method is {} method &&
-                HttpMethodExtensions.IsValidHttpMethodForForm(method))
+                HttpExtensions.IsValidHttpMethodForForm(method))
             {
                 ThrowCannotShortCircuitAnAntiforgeryRouteException(endpoint);
             }
diff --git a/src/Http/Routing/src/Microsoft.AspNetCore.Routing.csproj b/src/Http/Routing/src/Microsoft.AspNetCore.Routing.csproj
@@ -36,7 +36,7 @@
     <Compile Include="$(SharedSourceRoot)HttpParseResult.cs" LinkBase="Shared" />
     <Compile Include="$(SharedSourceRoot)Debugger\DebuggerHelpers.cs" LinkBase="Shared" />
     <Compile Include="$(SharedSourceRoot)AntiforgeryMetadata.cs" LinkBase="Shared" />
-    <Compile Include="$(SharedSourceRoot)HttpMethodExtensions.cs" LinkBase="Shared" />
+    <Compile Include="$(SharedSourceRoot)HttpExtensions.cs" LinkBase="Shared" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Http/Routing/test/UnitTests/EndpointRoutingMiddlewareFormOptionsTest.cs b/src/Http/Routing/test/UnitTests/EndpointRoutingMiddlewareFormOptionsTest.cs
@@ -186,11 +186,42 @@ public async Task SettingEndpointManuallyDoesNotOverwriteOptions()
         Assert.Equal(FormOptions.DefaultMemoryBufferThreshold, formOptions.MemoryBufferThreshold);
     }
 
+    [Fact]
+    public async Task OptionsNotSetForNonFormRequests()
+    {
+        var sink = new TestSink(TestSink.EnableWithTypeName<EndpointRoutingMiddleware>);
+        var loggerFactory = new TestLoggerFactory(sink, enabled: true);
+        var logger = new Logger<EndpointRoutingMiddleware>(loggerFactory);
+        var httpContext = new DefaultHttpContext();
+        var endpointMetadata = new FormOptionsMetadata(bufferBody: true, valueCountLimit: 70);
+        var endpoint = new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(endpointMetadata), "myapp");
+
+        var formOptionsMetadata = new FormOptionsMetadata(bufferBody: false, valueCountLimit: 54);
+        var middleware = CreateMiddleware(
+            logger: logger,
+            matcherFactory: new TestMatcherFactory(isHandled: true, setEndpointCallback: c =>
+            {
+                c.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(formOptionsMetadata), "myapp"));
+            }));
+
+        // Act
+        await middleware.Invoke(httpContext);
+        httpContext.SetEndpoint(endpoint);
+
+        var formFeature = httpContext.Features.Get<IFormFeature>();
+        Assert.Null(formFeature);
+    }
+
     private HttpContext CreateHttpContext()
     {
         var httpContext = new DefaultHttpContext
         {
-            RequestServices = new TestServiceProvider()
+            RequestServices = new TestServiceProvider(),
+            Request =
+            {
+                ContentType = "multipart/form-data; boundary=----WebKitFormBoundarymx2fSWqWSd0OxQqq",
+                Method = "POST",
+            }
         };
 
         return httpContext;
diff --git a/src/Shared/HttpExtensions.cs b/src/Shared/HttpExtensions.cs
@@ -0,0 +1,30 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+using Microsoft.AspNetCore.Http;
+
+internal static class HttpExtensions
+{
+    internal const string UrlEncodedFormContentType = "application/x-www-form-urlencoded";
+    internal const string MultipartFormContentType = "multipart/form-data";
+
+    internal static bool IsValidHttpMethodForForm(string method) =>
+        HttpMethods.IsPost(method) || HttpMethods.IsPut(method) || HttpMethods.IsPatch(method);
+
+    internal static bool IsValidContentTypeForForm(string? contentType)
+    {
+        if (contentType == null)
+        {
+            return false;
+        }
+
+        // Abort early if this doesn't look like it could be a form-related content-type
+
+        if (contentType.Length < MultipartFormContentType.Length)
+        {
+            return false;
+        }
+
+        return contentType.Equals(UrlEncodedFormContentType, StringComparison.OrdinalIgnoreCase) ||
+            contentType.StartsWith(MultipartFormContentType, StringComparison.OrdinalIgnoreCase);
+    }
+}
diff --git a/src/Shared/HttpMethodExtensions.cs b/src/Shared/HttpMethodExtensions.cs

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ public Task Invoke(HttpContext context)`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`var method = context.Request.Method;`
`26`		`- if (!HttpMethodExtensions.IsValidHttpMethodForForm(method))`
	`26`	`+ if (!HttpExtensions.IsValidHttpMethodForForm(method))`
`27`	`27`	`{`
`28`	`28`	`return _next(context);`
`29`	`29`	`}`