fix: refactor body-parser extended option semantics and harden prototype pollution protection

- Consolidate prototype pollution blocklist into a shared Set constant (PROTOTYPE_POLLUTION_KEYS) for DRY and O(1) lookups
- Use Object.create(null) for URL-encoded body to prevent prototype chain access
- Implement 3 distinct URL-encoded parsing modes: simple (extended=false), extended flat, and extended+nested
- Forward top-level 'extended' option to urlencoded parser for backward compatibility
- Add 8 new tests covering all extended/parseNestedObjects combinations and prototype pollution guards
- Add TypeScript types and async/await to benchmark suite
- Bump devDependencies to latest versions

Author: jkyberneees

bench.ts

@@ -1,50 +1,55 @@
 import {run, bench, group} from 'mitata'
-import httpNext from './index'
+import httpNext, {IRouter} from './index'
 import httpPrevious from '0http-bun'
 
-function setupRouter(router) {
-  router.use((req, next) => {
+const silentErrorHandler = () =>
+  new Response('Internal Server Error', {status: 500})
+
+function setupRouter(router: IRouter) {
+  router.use((req: any, next: () => any) => {
     return next()
   })
 
   router.get('/', () => {
     return new Response()
   })
-  router.get('/:id', async (req) => {
+  router.get('/:id', async (req: {params: Record<string, string>}) => {
     return new Response(req.params.id)
   })
   router.get('/:id/error', () => {
     throw new Error('Error')
   })
 }
 
-const {router} = httpNext()
+const {router} = httpNext({errorHandler: silentErrorHandler})
 setupRouter(router)
 
-const {router: routerPrevious} = httpPrevious()
+const {router: routerPrevious} = httpPrevious({
+  errorHandler: silentErrorHandler,
+})
 setupRouter(routerPrevious)
 
 group('Next Router', () => {
-  bench('Parameter URL', () => {
-    router.fetch(new Request(new URL('http://localhost/0')))
+  bench('Parameter URL', async () => {
+    await router.fetch(new Request(new URL('http://localhost/0')))
   }).gc('inner')
-  bench('Not Found URL', () => {
-    router.fetch(new Request(new URL('http://localhost/0/404')))
+  bench('Not Found URL', async () => {
+    await router.fetch(new Request(new URL('http://localhost/0/404')))
   }).gc('inner')
-  bench('Error URL', () => {
-    router.fetch(new Request(new URL('http://localhost/0/error')))
+  bench('Error URL', async () => {
+    await router.fetch(new Request(new URL('http://localhost/0/error')))
   }).gc('inner')
 })
 
 group('Previous Router', () => {
-  bench('Parameter URL', () => {
-    routerPrevious.fetch(new Request(new URL('http://localhost/0')))
+  bench('Parameter URL', async () => {
+    await routerPrevious.fetch(new Request(new URL('http://localhost/0')))
   }).gc('inner')
-  bench('Not Found URL', () => {
-    routerPrevious.fetch(new Request(new URL('http://localhost/0/404')))
+  bench('Not Found URL', async () => {
+    await routerPrevious.fetch(new Request(new URL('http://localhost/0/404')))
   }).gc('inner')
-  bench('Error URL', () => {
-    routerPrevious.fetch(new Request(new URL('http://localhost/0/error')))
+  bench('Error URL', async () => {
+    await routerPrevious.fetch(new Request(new URL('http://localhost/0/error')))
   }).gc('inner')
 })
 

lib/middleware/body-parser.js

@@ -17,6 +17,21 @@
  */
 const RAW_BODY_SYMBOL = Symbol.for('0http.rawBody')
 
+/**
+ * Keys that must be blocked to prevent prototype pollution attacks.
+ * Shared across all parsers (URL-encoded, multipart, nested key parsing).
+ */
+const PROTOTYPE_POLLUTION_KEYS = new Set([
+  '__proto__',
+  'constructor',
+  'prototype',
+  'hasOwnProperty',
+  'isPrototypeOf',
+  'propertyIsEnumerable',
+  'valueOf',
+  'toString',
+])
+
 /**
  * Reads request body as text with inline size enforcement.
  * Streams the body and aborts if the accumulated size exceeds the limit,
@@ -181,19 +196,7 @@ function parseNestedKey(obj, key, value, depth = 0) {
     throw new Error('Maximum nesting depth exceeded')
   }
 
-  // Protect against prototype pollution
-  const prototypePollutionKeys = [
-    '__proto__',
-    'constructor',
-    'prototype',
-    'hasOwnProperty',
-    'isPrototypeOf',
-    'propertyIsEnumerable',
-    'valueOf',
-    'toString',
-  ]
-
-  if (prototypePollutionKeys.includes(key)) {
+  if (PROTOTYPE_POLLUTION_KEYS.has(key)) {
     return // Silently ignore dangerous keys
   }
 
@@ -206,7 +209,7 @@ function parseNestedKey(obj, key, value, depth = 0) {
   const [, baseKey, indexKey, remaining] = match
 
   // Protect against prototype pollution on base key
-  if (prototypePollutionKeys.includes(baseKey)) {
+  if (PROTOTYPE_POLLUTION_KEYS.has(baseKey)) {
     return
   }
 
@@ -229,7 +232,7 @@ function parseNestedKey(obj, key, value, depth = 0) {
       }
     } else {
       // Protect against prototype pollution on index key
-      if (!prototypePollutionKeys.includes(indexKey)) {
+      if (!PROTOTYPE_POLLUTION_KEYS.has(indexKey)) {
         obj[baseKey][indexKey] = value
       }
     }
@@ -419,8 +422,8 @@ function createTextParser(options = {}) {
  * Creates a URL-encoded form parser middleware
  * @param {Object} options - Body parser configuration
  * @param {number|string} options.limit - Maximum body size in bytes
- * @param {boolean} options.extended - Use extended query string parsing
- * @param {boolean} options.parseNestedObjects - Parse nested object notation
+ * @param {boolean} options.extended - Enable rich parsing: nested objects, arrays, and duplicate key merging (default: true). When false, only flat key-value pairs are returned.
+ * @param {boolean} options.parseNestedObjects - Parse bracket notation (e.g. a[b]=1) into nested objects. Only applies when extended=true (default: true)
  * @param {boolean} options.deferNext - If true, don't call next() and let caller handle it
  * @returns {Function} Middleware function
  */
@@ -465,7 +468,7 @@ function createURLEncodedParser(options = {}) {
     // Store raw body text for verification (L-3: use Symbol to prevent accidental serialization)
     req[RAW_BODY_SYMBOL] = text
 
-    const body = {}
+    const body = Object.create(null)
     const params = new URLSearchParams(text)
 
     // Prevent DoS through excessive parameters
@@ -483,7 +486,9 @@ function createURLEncodedParser(options = {}) {
         return new Response('Parameter too long', {status: 400})
       }
 
-      if (parseNestedObjects) {
+      if (extended && parseNestedObjects) {
+        // Extended + nested: parse bracket notation into nested objects/arrays
+        // (parseNestedKey has its own prototype pollution guards via PROTOTYPE_POLLUTION_KEYS)
         try {
           parseNestedKey(body, key, value)
         } catch (parseError) {
@@ -492,20 +497,9 @@ function createURLEncodedParser(options = {}) {
             {status: 400},
           )
         }
-      } else {
-        // Protect against prototype pollution even when parseNestedObjects is false
-        const prototypePollutionKeys = [
-          '__proto__',
-          'constructor',
-          'prototype',
-          'hasOwnProperty',
-          'isPrototypeOf',
-          'propertyIsEnumerable',
-          'valueOf',
-          'toString',
-        ]
-
-        if (!prototypePollutionKeys.includes(key)) {
+      } else if (extended) {
+        // Extended but no nested parsing: flat keys with duplicate key merging into arrays
+        if (!PROTOTYPE_POLLUTION_KEYS.has(key)) {
           if (body[key] !== undefined) {
             if (Array.isArray(body[key])) {
               body[key].push(value)
@@ -516,6 +510,11 @@ function createURLEncodedParser(options = {}) {
             body[key] = value
           }
         }
+      } else {
+        // Simple mode: flat key-value pairs, last value wins
+        if (!PROTOTYPE_POLLUTION_KEYS.has(key)) {
+          body[key] = value
+        }
       }
     }
 
@@ -570,18 +569,6 @@ function createMultipartParser(options = {}) {
     const body = Object.create(null)
     const files = Object.create(null)
 
-    // Prototype pollution blocklist for field names
-    const prototypePollutionKeys = [
-      '__proto__',
-      'constructor',
-      'prototype',
-      'hasOwnProperty',
-      'isPrototypeOf',
-      'propertyIsEnumerable',
-      'valueOf',
-      'toString',
-    ]
-
     for (const [key, value] of formData.entries()) {
       fieldCount++
       if (fieldCount > maxFields) {
@@ -594,7 +581,7 @@ function createMultipartParser(options = {}) {
       }
 
       // Skip prototype pollution keys
-      if (prototypePollutionKeys.includes(key)) {
+      if (PROTOTYPE_POLLUTION_KEYS.has(key)) {
         continue
       }
 
@@ -710,6 +697,7 @@ function createMultipartParser(options = {}) {
  * @param {Function} options.onError - Custom error handler
  * @param {Function} options.verify - Body verification function
  * @param {boolean} options.parseNestedObjects - Parse nested object notation (for compatibility)
+ * @param {boolean} options.extended - Enable rich URL-encoded parsing (for compatibility, forwarded to urlencoded.extended)
  * @param {string|number} options.jsonLimit - JSON size limit (backward compatibility)
  * @param {string|number} options.textLimit - Text size limit (backward compatibility)
  * @param {string|number} options.urlencodedLimit - URL-encoded size limit (backward compatibility)
@@ -727,6 +715,7 @@ function createBodyParser(options = {}) {
     onError,
     verify,
     parseNestedObjects = true,
+    extended,
     // Backward compatibility for direct limit options
     jsonLimit,
     textLimit,
@@ -750,6 +739,12 @@ function createBodyParser(options = {}) {
       urlencoded.urlencodedLimit ||
       urlencoded.limit ||
       '1mb',
+    extended:
+      urlencoded.extended !== undefined
+        ? urlencoded.extended
+        : extended !== undefined
+          ? extended
+          : true,
     parseNestedObjects:
       urlencoded.parseNestedObjects !== undefined
         ? urlencoded.parseNestedObjects

package.json

@@ -26,13 +26,13 @@
     "lib/"
   ],
   "devDependencies": {
-    "0http-bun": "^1.2.1",
-    "bun-types": "^1.2.16",
+    "0http-bun": "^1.2.2",
+    "bun-types": "^1.3.8",
     "mitata": "^1.0.34",
-    "prettier": "^3.5.3",
-    "typescript": "^5.8.3",
-    "jose": "^6.0.11",
-    "pino": "^9.7.0",
+    "prettier": "^3.8.1",
+    "typescript": "^5.9.3",
+    "jose": "^6.1.3",
+    "pino": "^9.14.0",
     "prom-client": "^15.1.3"
   },
   "keywords": [