fix: set maxFiles default to 1000 to match maxFields (#1065)

maxFiles defaulted to Infinity, making _setUpMaxFiles() a no-op.
An attacker could send thousands of tiny files in a single multipart
request, each creating a temp file via fs.createWriteStream(), crashing
the process with EMFILE on default ulimit -n (1024).

Closes #1064

Author: vnykmshr

src/Formidable.js

@@ -22,7 +22,7 @@ const createId = cuid2init({ length: 25, fingerprint: CUID2_FINGERPRINT.toLowerC
 const DEFAULT_OPTIONS = {
   maxFields: 1000,
   maxFieldsSize: 20 * 1024 * 1024,
-  maxFiles: Infinity,
+  maxFiles: 1000,
   maxFileSize: 200 * 1024 * 1024,
   maxTotalFileSize: undefined,
   minFileSize: 1,

test/unit/formidable.test.js

@@ -302,6 +302,32 @@ function makeHeader(originalFilename) {
     });
   });
 
+  test(`${name}: maxFiles exceeded emits error`, (done) => {
+    const form = getForm(name, { maxFiles: 1 });
+    form.req = requestStub();
+
+    form.on('error', (error) => {
+      expect(error.message.includes('maxFiles')).toBe(true);
+      done();
+    });
+
+    const part1 = new Stream();
+    part1.mimetype = 'text/plain';
+    const part2 = new Stream();
+    part2.mimetype = 'text/plain';
+
+    form.onPart(part1).then(() => {
+      part1.emit('data', Buffer.alloc(1));
+      part1.emit('end');
+      form.onPart(part2);
+    });
+  });
+
+  test(`${name}: maxFiles defaults to 1000`, () => {
+    const form = getForm(name);
+    expect(form.options.maxFiles).toBe(1000);
+  });
+
   // test(`${name}: use custom options.originalFilename instead of form._uploadPath`, () => {
   //   const form = getForm(name, {
   //     originalFilename: (_) => path.join(__dirname, 'sasa'),