perf: bypass method validation (nodejs#2583)

crysmags · Feb 27, 2024 · 26135ef · 26135ef
1 parent 76bf39f
commit 26135ef
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 14 deletions.
diff --git a/lib/fetch/request.js b/lib/fetch/request.js
@@ -313,21 +313,28 @@ class Request {
       // 1. Let method be init["method"].
       let method = init.method
 
-      // 2. If method is not a method or method is a forbidden method, then
-      // throw a TypeError.
-      if (!isValidHTTPToken(method)) {
-        throw new TypeError(`'${method}' is not a valid HTTP method.`)
-      }
+      const mayBeNormalized = normalizeMethodRecord[method]
 
-      if (forbiddenMethodsSet.has(method.toUpperCase())) {
-        throw new TypeError(`'${method}' HTTP method is unsupported.`)
-      }
+      if (mayBeNormalized !== undefined) {
+        // Note: Bypass validation DELETE, GET, HEAD, OPTIONS, POST, PUT, PATCH and these lowercase ones
+        request.method = mayBeNormalized
+      } else {
+        // 2. If method is not a method or method is a forbidden method, then
+        // throw a TypeError.
+        if (!isValidHTTPToken(method)) {
+          throw new TypeError(`'${method}' is not a valid HTTP method.`)
+        }
 
-      // 3. Normalize method.
-      method = normalizeMethodRecord[method] ?? normalizeMethod(method)
+        if (forbiddenMethodsSet.has(method.toUpperCase())) {
+          throw new TypeError(`'${method}' HTTP method is unsupported.`)
+        }
+
+        // 3. Normalize method.
+        method = normalizeMethod(method)
 
-      // 4. Set request’s method to method.
-      request.method = method
+        // 4. Set request’s method to method.
+        request.method = method
+      }
     }
 
     // 26. If init["signal"] exists, then set signal to it.

diff --git a/lib/fetch/util.js b/lib/fetch/util.js
@@ -681,7 +681,7 @@ function isCancelled (fetchParams) {
     fetchParams.controller.state === 'terminated'
 }
 
-const normalizeMethodRecord = {
+const normalizeMethodRecordBase = {
   delete: 'DELETE',
   DELETE: 'DELETE',
   get: 'GET',
@@ -696,15 +696,22 @@ const normalizeMethodRecord = {
   PUT: 'PUT'
 }
 
+const normalizeMethodRecord = {
+  ...normalizeMethodRecordBase,
+  patch: 'patch',
+  PATCH: 'PATCH'
+}
+
 // Note: object prototypes should not be able to be referenced. e.g. `Object#hasOwnProperty`.
+Object.setPrototypeOf(normalizeMethodRecordBase, null)
 Object.setPrototypeOf(normalizeMethodRecord, null)
 
 /**
  * @see https://fetch.spec.whatwg.org/#concept-method-normalize
  * @param {string} method
  */
 function normalizeMethod (method) {
-  return normalizeMethodRecord[method.toLowerCase()] ?? method
+  return normalizeMethodRecordBase[method.toLowerCase()] ?? method
 }
 
 // https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-a-json-string