fix: switch to using crypto random for boundary values (#28)

form-data/form-data@3d17230

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated continuous integration workflow to include additional Node.js
version and new event triggers.
* Removed contributor management scripts and dependencies from project
configuration.
* **Documentation**
* Simplified the contributors section in the documentation with a
dynamic badge and removed the static contributors table.
* **Refactor**
* Improved multipart form boundary generation for enhanced security and
simplicity.
* **Tests**
* Updated test assertions to support a broader range of boundary formats
in multipart form-data headers.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: fengmk2

.github/workflows/ci.yml

@@ -5,13 +5,14 @@ on:
     branches: [ master ]
   pull_request:
     branches: [ master ]
+  merge_group:
 
 jobs:
   Job:
     name: Node.js
     uses: node-modules/github-actions/.github/workflows/node-test.yml@master
     with:
       os: 'ubuntu-latest, macos-latest'
-      version: '14, 16, 18, 20, 22'
+      version: '14, 16, 18, 20, 22, 24'
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

README.md

@@ -204,14 +204,8 @@ See [Node.js Documentation](http://nodejs.org/api/stream.html#stream_event_end)
 
 [MIT](LICENSE)
 
-<!-- GITCONTRIBUTOR_START -->
-
 ## Contributors
 
-|[<img src="https://avatars.githubusercontent.com/u/156269?v=4" width="100px;"/><br/><sub><b>fengmk2</b></sub>](https://github.com/fengmk2)<br/>|[<img src="https://avatars.githubusercontent.com/u/288288?v=4" width="100px;"/><br/><sub><b>xingrz</b></sub>](https://github.com/xingrz)<br/>|[<img src="https://avatars.githubusercontent.com/u/32174276?v=4" width="100px;"/><br/><sub><b>semantic-release-bot</b></sub>](https://github.com/semantic-release-bot)<br/>|[<img src="https://avatars.githubusercontent.com/u/13151189?v=4" width="100px;"/><br/><sub><b>fjc0k</b></sub>](https://github.com/fjc0k)<br/>|[<img src="https://avatars.githubusercontent.com/u/18096247?v=4" width="100px;"/><br/><sub><b>mrspeiser</b></sub>](https://github.com/mrspeiser)<br/>|[<img src="https://avatars.githubusercontent.com/u/985607?v=4" width="100px;"/><br/><sub><b>dead-horse</b></sub>](https://github.com/dead-horse)<br/>|
-| :---: | :---: | :---: | :---: | :---: | :---: |
-[<img src="https://avatars.githubusercontent.com/u/7326406?v=4" width="100px;"/><br/><sub><b>shaozj</b></sub>](https://github.com/shaozj)<br/>
-
-This project follows the git-contributor [spec](https://github.com/xudafeng/git-contributor), auto updated at `Wed May 15 2024 00:34:12 GMT+0800`.
+[![Contributors](https://contrib.rocks/image?repo=node-modules/formstream)](https://github.com/node-modules/formstream/graphs/contributors)
 
-<!-- GITCONTRIBUTOR_END -->
+Made with [contributors-img](https://contrib.rocks).

lib/formstream.js

@@ -35,6 +35,7 @@ Content-Type: image/png\r\n
 
 var debug = require('util').debuglog('formstream');
 var Stream = require('stream');
+var crypto = require('crypto');
 var parseStream = require('pause-stream');
 var util = require('util');
 var mime = require('mime');
@@ -71,15 +72,8 @@ util.inherits(FormStream, Stream);
 module.exports = FormStream;
 
 FormStream.prototype._generateBoundary = function() {
-  // https://github.com/felixge/node-form-data/blob/master/lib/form_data.js#L162
-  // This generates a 50 character boundary similar to those used by Firefox.
-  // They are optimized for boyer-moore parsing.
-  var boundary = '--------------------------';
-  for (var i = 0; i < 24; i++) {
-    boundary += Math.floor(Math.random() * 10).toString(16);
-  }
-
-  return boundary;
+  // https://github.com/form-data/form-data/blob/16e00765342106876f98a1c9703314006c9e937a/lib/form_data.js#L345
+  return '--------------------------' + crypto.randomBytes(12).toString('hex');
 };
 
 FormStream.prototype.setTotalStreamSize = function (size) {

package.json

@@ -13,8 +13,7 @@
     "cov": "egg-bin cov",
     "ci": "npm run lint && npm run tsd && npm run cov && NODE_DEBUG=formstream npm run cov",
     "lint": "jshint .",
-    "tsd": "tsd",
-    "contributor": "git-contributor"
+    "tsd": "tsd"
   },
   "repository": {
     "type": "git",
@@ -40,7 +39,6 @@
     "connect-multiparty": "1",
     "egg-bin": "^5.6.1",
     "express": "^4.16.4",
-    "git-contributor": "^2.1.5",
     "jshint": "^2.13.6",
     "pedding": "1",
     "should": "4",

test/formstream.test.js

@@ -246,7 +246,7 @@ describe('formstream.test.js', function () {
         pwd: '哈哈pwd'
       });
       data.headers.should.have.property('content-type')
-        .with.match(/multipart\/form-data; boundary=--------------------------\d{24}/);
+        .with.match(/multipart\/form-data; boundary=--------------------------\w{24}/);
       var files = data.files;
       files.should.have.keys('stream1', 'stream2', 'file');
       var stream1 = files.stream1;
@@ -288,7 +288,7 @@ describe('formstream.test.js', function () {
         pwd: '哈哈pwd'
       });
       data.headers.should.have.property('content-type')
-        .with.match(/multipart\/form-data; boundary=--------------------------\d{24}/);
+        .with.match(/multipart\/form-data; boundary=--------------------------\w{24}/);
       var files = data.files;
       files.should.have.keys('stream1', 'stream2', 'file');
       var stream1 = files.stream1;
@@ -323,7 +323,7 @@ describe('formstream.test.js', function () {
         pwd: '哈哈pwd'
       });
       data.headers.should.have.property('content-type')
-        .with.match(/^multipart\/form-data; boundary=--------------------------\d{24}$/);
+        .with.match(/^multipart\/form-data; boundary=--------------------------\w{24}$/);
       var files = data.files;
       files.should.have.keys('file', 'logo');
       files.file.filename.should.equal('formstream.test.js');
@@ -351,7 +351,7 @@ describe('formstream.test.js', function () {
         });
         data.headers.should.have.property('content-length').with.equal(form._contentLength + '');
         data.headers.should.have.property('content-type')
-          .with.match(/^multipart\/form-data; boundary=--------------------------\d{24}$/);
+          .with.match(/^multipart\/form-data; boundary=--------------------------\w{24}$/);
         var files = data.files;
         files.should.have.keys('file', 'logo');
         files.file.filename.should.equal('formstream.test.js');
@@ -448,7 +448,7 @@ describe('formstream.test.js', function () {
       form.field('foo', 'bar');
       var headers = form.headers({ 'X-Test': 'hello' });
       headers.should.have.keys('Content-Type', 'Content-Length', 'X-Test');
-      headers['Content-Type'].should.match(/^multipart\/form-data; boundary=--------------------------\d{24}$/);
+      headers['Content-Type'].should.match(/^multipart\/form-data; boundary=--------------------------\w{24}$/);
       headers['X-Test'].should.equal('hello');
       headers['Content-Length'].should.equal('161');
     });