Merge commit from fork

Eomm · UlisesGascon · web-flow · commit 23800fc8ad68 · 2026-05-04T07:27:56.000-07:00
* fix: limit the cache size

* types: add cacheSize and mark default as optional

---------

Co-authored-by: Ulises Gascon &lt;ulisesgascongonzalez@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -51,7 +51,8 @@ fastify.register(require('@fastify/accepts-serializer'), {
       serializer: body => msgpack.encode(body)
     }
   ],
-  default: 'application/yaml' // MIME type used if Accept header does not match anything
+  default: 'application/yaml', // MIME type used if Accept header does not match anything
+  cacheSize: 100               // max number of Accept header combinations to cache (default: 100)
 })
 
 // Per-router serializers
@@ -69,6 +70,14 @@ fastify.get('/request', { config }, function (req, reply) {
 })
 ```
 
+## Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `serializers` | `Array` | `[]` | List of serializer definitions, each with a `regex` and a `serializer` function |
+| `default` | `string` | — | MIME type to use when no serializer matches the `Accept` header. If omitted, unmatched requests receive a `406` response |
+| `cacheSize` | `number` | `100` | Maximum number of distinct `Accept` header combinations to cache. Entries are evicted in LRU order once the limit is reached |
+
 ## Behavior
 
 For each route, a SerializerManager is defined, which has both per-route and global serializer definitions.
@@ -77,6 +86,8 @@ The MIME type `application/json` is always handled by `fastify` if no serializer
 
 If no `default` key is specified in configuration, all requests with an unknown `Accept` header will be replied to with a 406 response (a boom error is used).
 
+Serializer selection results are cached by `Accept` header value using an LRU cache bounded by `cacheSize`. This prevents unbounded memory growth from attacker-controlled `Accept` header variants.
+
 ## License
 
 Licensed under [MIT](./LICENSE).
diff --git a/SerializerManager.js b/SerializerManager.js
@@ -18,7 +18,7 @@ class SerializerManager {
   }
 
   findSerializer (types) {
-    const cacheValue = this.cache[types]
+    const cacheValue = this.cache.get(types)
 
     if (cacheValue) return cacheValue
 
@@ -28,7 +28,7 @@ class SerializerManager {
       for (let j = 0; j < this.serializers.length; j++) {
         const serializer = this.serializers[j]
         if (serializer.isAble(type)) {
-          this.cache[types] = { serializer, type }
+          this.cache.set(types, { serializer, type })
           return { serializer, type }
         }
       }
diff --git a/index.js b/index.js
@@ -1,12 +1,14 @@
 'use strict'
 
 const fp = require('fastify-plugin')
+const { LruObject } = require('toad-cache')
 const SerializerManager = require('./SerializerManager')
 
 const FASTIFY_DEFAULT_SERIALIZE_MIME_TYPE = 'application/json'
 
 function fastifyAcceptsSerializer (fastify, options, next) {
-  const serializerCache = {}
+  const cacheSize = options.cacheSize ?? 100
+  const serializerCache = new LruObject(cacheSize)
   options.cache = serializerCache
 
   const globalSerializerManager = SerializerManager.build(options)
@@ -22,7 +24,9 @@ function fastifyAcceptsSerializer (fastify, options, next) {
 
     if (request.routeOptions.config.serializers) {
       // keep route level cache in config to prevent messing with global cache
-      request.routeOptions.config.serializers.cache = Object.assign({}, request.routeOptions.config.serializers.cache)
+      if (!request.routeOptions.config.serializers.cache) {
+        request.routeOptions.config.serializers.cache = new LruObject(cacheSize)
+      }
       reply.serializer.serializerManager = SerializerManager.expand({
         serializers: request.routeOptions.config.serializers,
         cache: request.routeOptions.config.serializers.cache
diff --git a/package.json b/package.json
@@ -63,7 +63,8 @@
   },
   "dependencies": {
     "@fastify/accepts": "^5.0.0",
-    "fastify-plugin": "^5.0.0"
+    "fastify-plugin": "^5.0.0",
+    "toad-cache": "^3.7.0"
   },
   "publishConfig": {
     "access": "public"
diff --git a/test/test.js b/test/test.js
@@ -458,7 +458,7 @@ test('serializer cache', async t => {
     t.plan(6)
 
     fastify.get('/request', function (_req, reply) {
-      t.assert.deepStrictEqual(Object.keys(reply.serializer.cache), ['application/cache'])
+      t.assert.deepStrictEqual(reply.serializer.cache.keys(), ['application/cache'])
 
       reply.send('cache')
     })
@@ -488,3 +488,60 @@ test('serializer cache', async t => {
     t.assert.deepStrictEqual(response2.payload, 'cache')
   })
 })
+
+test('serializer cache is bounded (GHSA-qxhc-wx3p-2wmg)', async t => {
+  t.plan(2)
+
+  const MAX_CACHE = 5
+  const fastify = Fastify()
+
+  fastify.register(plugin, {
+    cacheSize: MAX_CACHE,
+    serializers: [
+      {
+        regex: /^application\/poc$/,
+        serializer: body => JSON.stringify(body)
+      }
+    ]
+  })
+
+  fastify.get('/', async function (_request, reply) {
+    return reply.code(204).send()
+  })
+
+  // Registered before any inject so the server is not yet started
+  let cacheSize = 0
+  let cacheMax = 0
+  fastify.get('/cache-size', function (_req, reply) {
+    cacheSize = reply.serializer.cache.size
+    cacheMax = reply.serializer.cache.max
+    reply.send({ size: cacheSize })
+  })
+
+  // Send more distinct Accept header variants than the cache max.
+  // An attacker can craft headers like "application/vnd.dummy-0001, application/poc" to create
+  // a separate cache entry per request while still matching the configured serializer.
+  const attackVariants = Array.from(
+    { length: MAX_CACHE + 10 },
+    (_, i) => `application/vnd.dummy-${String(i).padStart(4, '0')}, application/poc`
+  )
+
+  for (const accept of attackVariants) {
+    await fastify.inject({ method: 'GET', url: '/', headers: { accept } })
+  }
+
+  await fastify.inject({ method: 'GET', url: '/cache-size', headers: { accept: 'application/json' } })
+
+  await t.test('cache max is set to the configured cacheSize option', t => {
+    t.plan(1)
+    t.assert.strictEqual(cacheMax, MAX_CACHE)
+  })
+
+  await t.test('cache size does not exceed cacheSize even under attacker-controlled Accept variants', t => {
+    t.plan(1)
+    t.assert.ok(
+      cacheSize <= MAX_CACHE,
+      `Cache grew to ${cacheSize} entries after ${attackVariants.length} distinct Accept variants — unbounded growth confirmed`
+    )
+  })
+})
diff --git a/types/index.d.ts b/types/index.d.ts
@@ -16,7 +16,8 @@ declare namespace fastifyAcceptsSerializer {
 
   export interface FastifyAcceptsSerializerPluginOptions {
     serializers: SerializerConfig[];
-    default: string;
+    default?: string;
+    cacheSize?: number;
   }
 
   export const fastifyAcceptsSerializer: FastifyAcceptsSerializer

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ class SerializerManager {`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`findSerializer (types) {`
`21`		`- const cacheValue = this.cache[types]`
	`21`	`+ const cacheValue = this.cache.get(types)`
`22`	`22`
`23`	`23`	`if (cacheValue) return cacheValue`
`24`	`24`
`@@ -28,7 +28,7 @@ class SerializerManager {`
`28`	`28`	`for (let j = 0; j < this.serializers.length; j++) {`
`29`	`29`	`const serializer = this.serializers[j]`
`30`	`30`	`if (serializer.isAble(type)) {`
`31`		`- this.cache[types] = { serializer, type }`
	`31`	`+ this.cache.set(types, { serializer, type })`
`32`	`32`	`return { serializer, type }`
`33`	`33`	`}`
`34`	`34`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,8 @@ declare namespace fastifyAcceptsSerializer {`
`16`	`16`
`17`	`17`	`export interface FastifyAcceptsSerializerPluginOptions {`
`18`	`18`	`serializers: SerializerConfig[];`
`19`		`- default: string;`
	`19`	`+ default?: string;`
	`20`	`+ cacheSize?: number;`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`export const fastifyAcceptsSerializer: FastifyAcceptsSerializer`