
Improve nested formdata reliability#6

Merged
Teyik0 merged 7 commits into main from improve-nested-formdata-reliability
Jan 25, 2026

Conversation

Teyik0 (Owner) commented Jan 25, 2026


Summary by cubic

Improves nested multipart FormData parsing to reliably build objects/arrays from dot and bracket notation and to support mixed JSON + File payloads. Also blocks prototype pollution in nested keys.

  • New Features

    • Parse keys like user.profile.bio and items[0].img into nested objects/arrays with Files and Files arrays.
    • Merge JSON strings with accompanying File(s) on the same field, auto-adding file/files.
    • Initialize containers safely, convert stringified objects mid-path, and avoid clobbering existing File values.
    • Works with TypeBox and Zod; supports async decode and unwraps Zod { value }.
  • Security

    • Block dangerous keys (__proto__, constructor, prototype) in dot/bracket paths to prevent prototype pollution.
    • Added tests to confirm Object.prototype is not polluted.

Written for commit dafb59a.

Summary by CodeRabbit

  • Security Improvements

    • Strengthened defenses against prototype-pollution keys in form submission processing.
  • Bug Fixes

    • More reliable handling of nested objects, arrays, and indexed keys from form/query data.
    • Improved parsing of JSON-like strings in form values and safer file(s) merging for multipart uploads.
    • Prevents unsafe key paths from altering processing.
  • Tests

    • Expanded and re-enabled extensive tests covering nested form-data, files, coercion, and prototype-pollution scenarios.


Block dangerous keys (__proto__, constructor, prototype) to prevent
prototype pollution attacks in nested file upload feature.

Changes:
- Add validation in setNestedValue() to block dangerous keys
- Add protection in generated multipart parser code
- Add security tests for prototype pollution scenarios

Security Impact:
- Prevents attackers from injecting properties into Object.prototype
- Blocks pollution via dot notation (e.g., user.__proto__.isAdmin)
- Blocks pollution via array notation (e.g., items[__proto__])

Tests:
- 53 existing tests pass
- 3 new security tests added
- Zero performance impact

Fixes security issues identified by cubic-dev-ai bot in PR #4
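The description above names the technique (walk dot/bracket key paths, refuse `__proto__`/`constructor`/`prototype` segments, create arrays for numeric indices, JSON-parse stringified objects) but the PR's own code is not on this page. The TypeScript below is an added, self-contained example of that technique written for this page; it is not the project's implementation or API. Function names reuse the identifiers mentioned in the summaries (`isDangerousKey`, `setNestedValue`, `normalizeFormValue`, `ARRAY_INDEX_REGEX`, `DANGEROUS_KEYS`) only for readability, their bodies are assumptions; `parseKeyPath`, `assembleBody`, the `MAX_ARRAY_INDEX` cap and the JSON reviver are additions not described in the PR.

```typescript
// Added example, not code from the PR or the project. Demonstrates a nested
// form-field setter that blocks prototype pollution through dot and bracket
// paths, builds arrays for numeric segments, and JSON-parses stringified
// objects without letting them carry a "__proto__" member. All names and
// the index cap are hypothetical choices made for this example.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const ARRAY_INDEX_REGEX = /^\d+$/;
// Cap chosen for this example (assumption): "items[4294967294]" would otherwise
// create a sparse array whose length makes every later iteration hostile.
const MAX_ARRAY_INDEX = 10000;

function isDangerousKey(key: string): boolean {
  return DANGEROUS_KEYS.has(key);
}

// "items[0].img" -> ["items", "0", "img"]; "a.b[c][d]" -> ["a", "b", "c", "d"]
function parseKeyPath(key: string): string[] {
  const segments: string[] = [];
  for (const part of key.split('.')) {
    const open = part.indexOf('[');
    if (open === -1) {
      segments.push(part);
      continue;
    }
    segments.push(part.slice(0, open));
    const bracket = /\[([^\]]*)\]/g;
    let m: RegExpExecArray | null;
    while ((m = bracket.exec(part.slice(open))) !== null) segments.push(m[1]);
  }
  return segments.filter((s) => s.length > 0);
}

// Parse a value that looks like a JSON object/array; anything else stays a
// string. The reviver drops dangerous member names so the parsed object never
// carries an own "__proto__" that a later naive key-by-key merge would assign.
function normalizeFormValue(raw: string): unknown {
  const t = raw.trim();
  if (!(t.startsWith('{') || t.startsWith('['))) return raw;
  try {
    return JSON.parse(t, (k, v) => (isDangerousKey(k) ? undefined : v));
  } catch {
    return raw;
  }
}

// Returns false (and writes nothing) when the path is unsafe, matching the
// "skip key (do not set)" behaviour the PR summary describes.
function setNestedValue(target: Record<string, unknown>, key: string, value: unknown): boolean {
  const path = parseKeyPath(key);
  if (path.length === 0) return false;
  if (path.some(isDangerousKey)) return false;
  if (path.some((s) => ARRAY_INDEX_REGEX.test(s) && Number(s) > MAX_ARRAY_INDEX)) return false;

  let cursor: any = target;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    const nextIsIndex = ARRAY_INDEX_REGEX.test(path[i + 1]);
    // Only own properties count as containers; an inherited "toString" is not one.
    let next: unknown = Object.prototype.hasOwnProperty.call(cursor, seg) ? cursor[seg] : undefined;
    // A stringified object reached mid-path ("cfg" = '{"x":1}' then "cfg.y") is converted in place.
    if (typeof next === 'string') next = normalizeFormValue(next);
    if (next === null || typeof next !== 'object') next = nextIsIndex ? [] : {};
    cursor[seg] = next;
    cursor = next;
  }
  cursor[path[path.length - 1]] = value;
  return true;
}

// Assemble a body from (key, value) pairs in the order FormData.entries() would yield them.
function assembleBody(entries: Array<[string, string]>): Record<string, unknown> {
  const body: Record<string, unknown> = {};
  for (const [key, raw] of entries) setNestedValue(body, key, normalizeFormValue(raw));
  return body;
}
```

Two points are worth checking in any real implementation of this pattern: the guard has to run on every segment of the path, not only the first or last (`user.__proto__.isAdmin` and `items[__proto__]` both place the dangerous name in the middle or at the end), and a JSON value parsed from a form field is a second entry point, because `JSON.parse('{"__proto__":{"x":1}}')` yields an own `__proto__` property that a subsequent `for (k in src) dst[k] = src[k]` merge turns into pollution.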
coderabbitai bot commented Jan 25, 2026

Caution

Review failed

The pull request is closed.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds prototype-pollution guards and robust nested form-data normalization (JSON parsing, array-index handling, File/FileList merging) to the web adapter and dynamic handler; expands/reenables tests covering nested form-data, dot-notation, arrays, coercion, and security checks.

Changes

Web Adapter & FormData Handling: src/adapter/web-standard/index.ts
Adds forbidden key checks (__proto__, constructor, prototype), detects dangerous path segments, normalizes FormData values (JSON parse when appropriate), and routes normalized values to nested-set logic.

Dynamic Handler / Nested Setter: src/dynamic-handle.ts
Introduces ARRAY_INDEX_REGEX, DANGEROUS_KEYS, isDangerousKey, parseArrayKey, parseObjectString; rewrites setNestedValue to support array-indexed paths, safe array/object initialization, and file-aware assignments; adds normalizeFormValue used across parsing workflows.

Type-System FormData Tests: test/type-system/formdata.test.ts
Re-enables and extends tests: nested object fields via dotted/index notation, array index handling (tags[0], tags[1]), Zod coercions for numbers/booleans, JSON-string inputs, and File + nested object scenarios; switches assertions to structural matching.

Body Validation Tests: test/validator/body.test.ts
Expands coverage for nested multipart parsing, dot-notation access, array/file combinations, stringify-assisted inputs, and explicit prototype-pollution defense cases; updates assertions to toMatchObject-style checks.

Sequence Diagram(s)

sequenceDiagram
    actor Client
    participant Adapter as Web Adapter
    participant Parser as Normalizer
    participant Handler as Dynamic Handler
    participant Validator as Validator

    Client->>Adapter: POST multipart/form-data
    Adapter->>Adapter: Iterate form keys
    Adapter->>Parser: Check key safety (isDangerousKey)
    alt key dangerous
        Parser-->>Adapter: Skip key (do not set)
    else key safe
        Adapter->>Parser: normalizeFormValue(value, files)
        Parser-->>Adapter: normalizedValue
        Adapter->>Handler: setNestedValue(targetObj, keyPath, normalizedValue)
        Handler->>Handler: parseArrayKey / initialize arrays or objects
        Handler-->>Adapter: updated targetObj
    end
    Adapter->>Validator: Provide assembled body
    Validator->>Validator: Validate schema (Zod, etc.)
    Validator-->>Client: Response

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through keys both safe and strange,

Skipping traps that try to change,
I parsed your JSON, held your files,
Nesting values with careful smiles,
Now form-data flows without a strange exchange.

Pre-merge checks: 3 passed

  • Title check ✅ Passed: The title 'Improve nested formdata reliability' is directly related to the main changes in the PR, which focus on improving nested FormData parsing, handling, and security.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check ✅ Passed: Check skipped - CodeRabbit's high-level summary is enabled.


cubic-dev-ai bot left a comment

1 issue found across 6 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="test/validator/body.test.ts">

<violation number="1" location="test/validator/body.test.ts:1563">
P2: Test doesn't verify the `file` property in `metadata` assertion. Since the test is for 'mix of stringify and dot notation' with files, it should verify that `metadata.file` exists and has the expected file size, otherwise the test could pass even if file merging fails.</violation>
</file>


@Teyik0 Teyik0 merged commit 5684c83 into main Jan 25, 2026
1 check passed
@Teyik0 Teyik0 deleted the improve-nested-formdata-reliability branch January 25, 2026 10:54