Security Review 07/02/2026 #13
- Critical (6): LRU cache eviction, JSON nesting depth limit, rate limit IP spoofing prevention, timing-safe API key comparison, JWT algorithm confusion prevention, streaming body reader with size limits.
- High (13): Single-pass multipart parser, prototype pollution protection, JWT path exclusion boundary checking, query token deprecation warning, CORS null origin rejection, sliding window memory bounds, TOCTOU race fix, async error forwarding, query prototype pollution filtering, empty JSON body handling, raw body via Symbol, JWT token type validation, rate limit standard headers minimal mode.
- Medium (13): Store injection removal, option merging hardening, validator arity detection, rate limit synchronous increment, unique unknown keys, single allowedHeaders resolution, error logging in catch blocks, URL normalization, frozen params, content-type matching, filename sanitization, parseLimit validation, conditional CORS headers.
- Low (7) + Info (4): API key masking, reduced JWT exports, Vary header, rate limit path exclusion, body parser deferNext, and more.

Bumps version to 1.3.0 for breaking changes.

- Body parser: RAW_BODY_SYMBOL, empty body, nesting depth, streaming limits
- JWT auth: token type validation, algorithm confusion, timing-safe comparison
- Rate limit: minimal headers, unique unknown keys, IP spoofing prevention
- CORS: allowedHeaders caching, null origin rejection
- Router: prototype pollution, LRU cache, frozen params
- Security: dedicated prototype pollution test suite
- Integration & regression: updated for new security behaviors

483 tests passing, 1906 expect() calls.

…ty release
- README: changelog with all 43 fixes, breaking changes table, migration guide
- Middleware README: requiredTokenType, API_KEY_SYMBOL, standardHeaders modes, RAW_BODY_SYMBOL, empty body handling documentation
- Type declarations: fix limit as number|string, add deferNext, parseNestedObjects, allowedHeaders function variant, RateLimitOptions.message, BodyParserOptions extended fields, parseLimit export, extractTokenFromHeader/maskApiKey alignment
- Exports: re-export extractTokenFromHeader, maskApiKey, parseLimit from index.js
- Add SECURITY_REVIEWS.md tracking all 43 resolved vulnerabilities
Pull request overview
Security-hardening release for 0http-bun v1.3.0, updating core router + middleware to reduce information leakage, tighten default security posture, and add regression tests/docs for the security review items.
Changes:
- Hardened router/middleware error handling (generic 500s, async error catching) and added bounded route caching + path normalization.
- Strengthened auth/rate-limit/body parsing security (timing-safe API key comparisons, prototype pollution defenses, streaming body limit enforcement, symbol-based raw secret storage).
- Updated tests and documentation to reflect new security behavior and breaking changes; bumped version to 1.3.0.
Reviewed changes
Copilot reviewed 22 out of 23 changed files in this pull request and generated 16 comments.
| File | Description |
|---|---|
| test/unit/router.test.js | Updates router error-handling expectations and suppresses error logging in tests. |
| test/unit/rate-limit.test.js | Adjusts tests for new IP key behavior and removal of request-level store injection; adds header-mode tests. |
| test/unit/middleware.test.js | Updates expectations for async middleware errors now being caught. |
| test/unit/jwt-auth.test.js | Updates tests for masked API keys, validator signature changes, unified JWT error messages, and typ validation. |
| test/unit/edge-cases.test.js | Suppresses console errors for invalid middleware edge case. |
| test/unit/cors.test.js | Updates expectations for allowedHeaders string handling and adds caching tests. |
| test/unit/config.test.js | Suppresses console errors while testing default error handler behavior. |
| test/unit/body-parser.test.js | Updates tests for parseLimit throwing on invalid types, new error responses, and RAW_BODY_SYMBOL behavior. |
| test/security/prototype-pollution.test.js | Adds query-string prototype-pollution regression coverage. |
| test/performance/regression.test.js | Suppresses console errors in perf test for default error handler. |
| test/integration/router.test.js | Updates integration expectations for generic 500 body and decoded route params; suppresses console errors in error tests. |
| package.json | Bumps package version to 1.3.0. |
| lib/router/sequential.js | Adds cache size limit + eviction, safer default error handler, frozen empty params, path normalization, query key filtering, and fixes router.use() chaining. |
| lib/next.js | Catches rejected promises from async middleware and forwards to error handler. |
| lib/middleware/rate-limit.js | Removes request-level store injection, adds minimal standard headers mode, tightens excludePaths matching, adds sliding-window bounds/cleanup, changes key generator behavior. |
| lib/middleware/jwt-auth.js | Adds timing-safe API key comparisons, masks API keys on request, reduces token exposure, enforces algorithm constraints, optional-mode visibility, typ validation, and safer error messages/logging. |
| lib/middleware/index.js | Re-exports new symbols/helpers (API_KEY_SYMBOL, maskApiKey, parseLimit, RAW_BODY_SYMBOL). |
| lib/middleware/index.d.ts | Updates typings for new options/exports (but still needs a store typing adjustment). |
| lib/middleware/cors.js | Adjusts Vary header behavior, allowedHeaders resolution/caching, and origin validation rules. |
| lib/middleware/body-parser.js | Adds streaming body read with limit, symbol-based raw body storage, stricter JSON content-type matching, improved nesting scan, multipart hardening, and custom jsonParser size enforcement. |
| lib/middleware/README.md | Documents security features and new raw-body / API key symbol access patterns. |
| SECURITY_REVIEWS.md | Adds detailed security remediation tracking and breaking-change summary. |
| README.md | Adds v1.3.0 security release notes, migration guide, and updated security documentation. |
…ype pollution protection
- Consolidate prototype pollution blocklist into a shared Set constant (PROTOTYPE_POLLUTION_KEYS) for DRY and O(1) lookups
- Use Object.create(null) for URL-encoded body to prevent prototype chain access
- Implement 3 distinct URL-encoded parsing modes: simple (extended=false), extended flat, and extended+nested
- Forward top-level 'extended' option to urlencoded parser for backward compatibility
- Add 8 new tests covering all extended/parseNestedObjects combinations and prototype pollution guards
- Add TypeScript types and async/await to benchmark suite
- Bump devDependencies to latest versions
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
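The two defenses named in the commit above (a shared blocklist Set and an Object.create(null) result object), shown in a minimal extended+nested URL-encoded parser. This is an added example, not 0http-bun's own parser; the function names and the sample body are constructed for illustration, and array syntax (`a[]=1`) is deliberately not handled.

```javascript
// Hypothetical names; the real middleware's internals may differ.
const PROTOTYPE_POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ['a', 'b', 'c']; a key without brackets becomes [key].
function splitKeyPath(key) {
  const m = /^([^[\]]+)((?:\[[^[\]]+\])*)$/.exec(key);
  if (!m) return [key];
  const parts = [m[1]];
  for (const seg of m[2].matchAll(/\[([^[\]]+)\]/g)) parts.push(seg[1]);
  return parts;
}

// Percent-decoding happens before the bracket split, so an encoded
// "%5F%5Fproto%5F%5F" is seen by the blocklist as "__proto__".
const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));

function parseNestedUrlencoded(body) {
  // No prototype chain at all: even a stray "__proto__" assignment cannot
  // reach Object.prototype through this object.
  const out = Object.create(null);
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : decode(pair.slice(eq + 1));
    const path = splitKeyPath(decode(rawKey));
    // Defense in depth: the parsed body is often merged into ordinary objects
    // later, so drop any pair whose path contains a polluting segment.
    if (path.some((seg) => PROTOTYPE_POLLUTION_KEYS.has(seg))) continue;
    let node = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = Object.create(null); // nested objects are prototype-free too
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}
```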
…back and type declarations
- Add req.socket?.remoteAddress as third fallback in defaultKeyGenerator (after req.ip and req.remoteAddress) to bridge the gap between test patterns and the actual default implementation
- Add ip?, remoteAddress?, socket?, and rateLimit? to ZeroRequest type in common.d.ts so TypeScript users can work with connection-level properties without type errors
- Add missing current/reset properties to ctx.rateLimit type to match the runtime shape set by the rate-limit middleware
- Add concrete Bun.serve example in README showing how to populate req.ip via server.requestIP() before rate limiting
- Add 3 new unit tests validating the socket.remoteAddress fallback and priority ordering in defaultKeyGenerator
- Update all documentation references to reflect the expanded fallback chain: req.ip || req.remoteAddress || req.socket?.remoteAddress

- Add LRU refresh logic in sequential router to move accessed cache entries to the end, ensuring proper least-recently-used eviction
- Extract duplicated benchmark code into reusable benchRouter function
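A bounded route cache with the refresh-on-access behaviour the commit above describes, as an added example (not the sequential router's own code). The class name, the bound of 3 and the route keys are constructed for illustration; a Map's insertion order is what makes its first key the least recently used.

```javascript
// Hypothetical bounded LRU cache; a real router would use a much larger bound.
class RouteCache {
  constructor(maxEntries = 3) {
    this.maxEntries = maxEntries;
    this.map = new Map(); // iteration order == insertion order, oldest first
  }

  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    // Refresh: delete and re-insert so the entry moves to the end (most recent).
    // Without this step a hot route would be evicted as soon as enough
    // cold, never-seen-again paths were requested after it.
    this.map.delete(key);
    this.map.set(key, value);
    return value;
  }

  set(key, value) {
    if (this.map.has(key)) this.map.delete(key); // re-set also counts as a touch
    this.map.set(key, value);
    // The bound is what keeps many distinct request paths from growing
    // memory without limit; evict from the front (least recently used).
    while (this.map.size > this.maxEntries) {
      this.map.delete(this.map.keys().next().value);
    }
  }

  keys() {
    return [...this.map.keys()];
  }
}

// Walk-through: /a is touched after /b and /c were cached, so inserting /d
// evicts /b rather than /a.
function demoEvictionOrder() {
  const cache = new RouteCache(3);
  cache.set('GET /a', { handler: 'a' });
  cache.set('GET /b', { handler: 'b' });
  cache.set('GET /c', { handler: 'c' });
  cache.get('GET /a');                   // /a becomes most recently used
  cache.set('GET /d', { handler: 'd' }); // over capacity: /b is evicted
  return cache.keys();                   // ['GET /c', 'GET /a', 'GET /d']
}
```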
Move CORS policy headers (Allow-Methods, Allow-Headers, Max-Age, Allow-Credentials) inside the origin-allowed check so they are not sent to disallowed origins during preflight responses.
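The preflight change above shown side by side, as an added example rather than the middleware's own code: before the fix, Allow-Methods, Allow-Headers, Max-Age and Allow-Credentials were emitted for any origin, so a disallowed origin still learned the policy; after it, only Vary is returned unless the origin is allowed. The allowlist, policy values and function names are constructed, and the literal "null" origin is treated as disallowed as the page's "CORS null origin rejection" item describes.

```javascript
// Constructed allowlist and policy; hypothetical function names.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const POLICY = {
  methods: 'GET,POST,PUT',
  allowedHeaders: 'Content-Type,Authorization',
  maxAge: 600,
  credentials: true,
};

function originAllowed(origin) {
  // A missing Origin and the literal "null" origin (sandboxed iframes,
  // file:// pages) are never allowed; otherwise require an exact match.
  if (!origin || origin === 'null') return false;
  return ALLOWED_ORIGINS.has(origin);
}

// Before: only Allow-Origin is conditional; the rest of the policy leaks to
// every origin that sends a preflight.
function preflightHeadersBefore(origin) {
  const h = { Vary: 'Origin' };
  if (originAllowed(origin)) h['Access-Control-Allow-Origin'] = origin;
  h['Access-Control-Allow-Methods'] = POLICY.methods;
  h['Access-Control-Allow-Headers'] = POLICY.allowedHeaders;
  h['Access-Control-Max-Age'] = String(POLICY.maxAge);
  if (POLICY.credentials) h['Access-Control-Allow-Credentials'] = 'true';
  return h;
}

// After: the whole policy block sits inside the origin-allowed check, so a
// disallowed origin receives Vary and nothing else.
function preflightHeadersAfter(origin) {
  const h = { Vary: 'Origin' };
  if (!originAllowed(origin)) return h;
  h['Access-Control-Allow-Origin'] = origin;
  h['Access-Control-Allow-Methods'] = POLICY.methods;
  h['Access-Control-Allow-Headers'] = POLICY.allowedHeaders;
  h['Access-Control-Max-Age'] = String(POLICY.maxAge);
  if (POLICY.credentials) h['Access-Control-Allow-Credentials'] = 'true';
  return h;
}
```

Vary: Origin stays on every response so a shared cache never serves one origin's preflight answer to another.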