fix: prevent prototype pollution via __proto__ in FormData field names

`parseFormData` walked bracket and dot-notation field names into nested
objects without filtering reserved property keys. A single field whose
name began with `__proto__` (or contained `.__proto__.` mid-path) caused
the parser to traverse and assign onto `Object.prototype`, polluting the
prototype chain of every plain object in the running process.

`handlePathPart` now throws a new `ForbiddenKeyError` (also exported)
when an object-type path segment is `__proto__`, `constructor`, or
`prototype`. The array branch is unaffected today - the regex restricts
array-index segments to digits only - and three new tests pin that
invariant so a future regex change would surface the gap.

Reported responsibly by Mohamed Bassia (https://github.com/0xBassia).

Author: Christian Schurr

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+  "js/ts.tsdk.path": "node_modules/typescript/lib"
+}

src/__tests__/index.ts

@@ -1,6 +1,11 @@
 import {FormData} from '@remix-run/web-form-data'
 import {File} from '@remix-run/web-file'
-import {DuplicateKeyError, MixedArrayError, parseFormData} from '../'
+import {
+  DuplicateKeyError,
+  ForbiddenKeyError,
+  MixedArrayError,
+  parseFormData,
+} from '../'
 
 describe('basic functionality', () => {
   describe('transform value', () => {
@@ -409,3 +414,80 @@ describe('complex examples', () => {
     })
   })
 })
+
+describe('prototype pollution protection', () => {
+  const proto = Object.prototype as unknown as {[key: string]: unknown}
+  afterEach(() => {
+    // Defensive: clean any test-leaked properties off Object.prototype so a
+    // failure can't silently affect later tests.
+    delete proto.polluted
+  })
+
+  it('rejects `__proto__` as a top-level key', () => {
+    const formData = new FormData()
+    formData.append('__proto__.polluted', 'yes')
+    expect(() => parseFormData(formData)).toThrowError(
+      new ForbiddenKeyError('__proto__'),
+    )
+    expect(proto.polluted).toBeUndefined()
+  })
+
+  it('rejects `__proto__` as a nested key', () => {
+    const formData = new FormData()
+    formData.append('a.__proto__.polluted', 'yes')
+    expect(() => parseFormData(formData)).toThrowError(
+      new ForbiddenKeyError('a.__proto__'),
+    )
+    expect(proto.polluted).toBeUndefined()
+  })
+
+  it('rejects `__proto__` reached through an array element', () => {
+    const formData = new FormData()
+    formData.append('a[0].__proto__.polluted', 'yes')
+    expect(() => parseFormData(formData)).toThrowError(
+      new ForbiddenKeyError('a[0].__proto__'),
+    )
+    expect(proto.polluted).toBeUndefined()
+  })
+
+  it('rejects `constructor` as a key', () => {
+    const formData = new FormData()
+    formData.append('constructor.prototype.polluted', 'yes')
+    expect(() => parseFormData(formData)).toThrowError(
+      new ForbiddenKeyError('constructor'),
+    )
+  })
+
+  it('rejects `prototype` as a key', () => {
+    const formData = new FormData()
+    formData.append('prototype.polluted', 'yes')
+    expect(() => parseFormData(formData)).toThrowError(
+      new ForbiddenKeyError('prototype'),
+    )
+  })
+
+  it('rejects `__proto__` as a leaf assignment', () => {
+    const formData = new FormData()
+    formData.append('a.__proto__', 'yes')
+    expect(() => parseFormData(formData)).toThrowError(
+      new ForbiddenKeyError('a.__proto__'),
+    )
+  })
+
+  // The cases below pin the invariant for the array branch. Today the regex
+  // restricts array-index segments to digit characters, so a forbidden key
+  // can't reach the array branch (the cases parse as an object pathPart with
+  // a trailing `]` and trip the array/object duplicate-key guard). If the
+  // regex is ever loosened to accept arbitrary content inside `[...]`, these
+  // tests will start failing and the array branch will need its own
+  // forbidden-key check.
+  it.each(['__proto__', 'constructor', 'prototype'])(
+    'does not pollute via `a[%s]`',
+    key => {
+      const formData = new FormData()
+      formData.append(`a[${key}]`, 'yes')
+      expect(() => parseFormData(formData)).toThrow()
+      expect(proto.polluted).toBeUndefined()
+    },
+  )
+})

src/index.ts

@@ -73,6 +73,29 @@ export class MixedArrayError extends Error {
     this.key = key
   }
 }
+/**
+ * Thrown when a path part would access or assign a property on
+ * `Object.prototype` (`__proto__`, `constructor`, `prototype`). Rejected
+ * regardless of whether pollution would actually occur, to keep input
+ * unambiguous.
+ *
+ * @example
+ * ```ts
+ * const formData = new FormData()
+ * formData.append('__proto__.polluted', 'yes')
+ * parseFormData(formData)
+ * // throws ForbiddenKeyError('__proto__')
+ * ```
+ */
+export class ForbiddenKeyError extends Error {
+  key: string
+  constructor(key: string) {
+    super(`Forbidden key at path part ${key}`)
+    this.key = key
+  }
+}
+
+const FORBIDDEN_OBJECT_KEYS = new Set(['__proto__', 'constructor', 'prototype'])
 
 type JsonObject = {[Key in string]?: JsonValue}
 type JsonArray = Array<JsonValue>
@@ -333,6 +356,9 @@ function handlePathPart(
   nextPathValue: JsonValue | undefined,
   setNextPathValue: (value: JsonValue) => void,
 ] {
+  if (FORBIDDEN_OBJECT_KEYS.has(pathPart.path)) {
+    throw new ForbiddenKeyError(pathPart.pathToPart)
+  }
   if (pathPart.type === 'object') {
     if (Array.isArray(currentPathObject)) {
       throw new DuplicateKeyError(pathPart.pathToPart)