@blamejs/core 0.14.25 → 0.14.27

package/lib/framework-error.js

@@ -557,7 +557,9 @@ var WatcherError          = defineClass("WatcherError",          { alwaysPermane
 // caller-shape misuse or an irrecoverable on-disk condition.
 var LocalDbThinError      = defineClass("LocalDbThinError",      { alwaysPermanent: true });
 // RouterError covers operator-shape violations on the router primitive:
-// invalid `allowedRedirectOrigins` opt at create time, and cross-origin
+// invalid `allowedRedirectOrigins` opt at create time, a malformed
+// `use()` mount (non-string / non-array prefix, a prefix not beginning
+// with "/", a missing or non-function middleware), and cross-origin
 // `res.redirect()` targets that are not on the allowlist. alwaysPermanent
 // — every case is config-time programming bug or an outbound-redirect
 // shape error that retry will not recover.

package/lib/gate-contract.js

@@ -54,6 +54,12 @@ var { GateContractError } = require("./framework-error");
 
 var observability = lazyRequire(function () { return require("./observability"); });
 var compliance = lazyRequire(function () { return require("./compliance"); });
+var audit = lazyRequire(function () { return require("./audit"); });
+
+// One-time dedupe for the "global posture pinned but this guard maps no
+// overlay" warning. Keyed `<posture>::<errCodePrefix>` so each guard
+// family surfaces the gap once instead of on every gate construction.
+var _unmappedPostureWarned = Object.create(null);
 
 // Forensic-id token width (bytes); 64 bits is enough for cross-gate
 // correlation in a single request scope.
@@ -1415,6 +1421,16 @@ function resolveProfileAndPosture(opts, cfg) {
     if (typeof globalPosture === "string" &&
         cfg.compliancePostures && cfg.compliancePostures[globalPosture]) {
       posture = globalPosture;
+    } else if (typeof globalPosture === "string" && globalPosture.length > 0) {
+      // A global posture IS pinned, but this guard family ships no
+      // COMPLIANCE_POSTURES overlay for it (e.g. fedramp-rev5-moderate
+      // against a guard whose table only covers hipaa/pci-dss/gdpr/soc2).
+      // Falling through to the unposture-d default is the SAFE behavior,
+      // but operators must know the posture is a no-op for THIS guard —
+      // silently no-oping reads as "enforced" (compliance theater).
+      // Emit a one-time, grep-able audit warning per (posture, guard)
+      // and keep the safe default.
+      _warnUnmappedPosture(globalPosture, prefix);
     }
   }
   if (typeof posture === "string") {
@@ -1427,6 +1443,42 @@ function resolveProfileAndPosture(opts, cfg) {
   return Object.assign({}, cfg.defaults || {}, overlay, opts);
 }
 
+// _warnUnmappedPosture — emit a one-time, grep-able audit warning that a
+// globally-pinned posture has no overlay in THIS guard family's
+// COMPLIANCE_POSTURES table, so the operator doesn't read the
+// safe-default fall-through as "the posture is enforced here." Drop-
+// silent (hot-path observability sink): a warning emit must never throw
+// past the guard-gate construction that triggered it.
+function _warnUnmappedPosture(posture, prefix) {
+  var dedupeKey = posture + "::" + (prefix || "guard");
+  if (_unmappedPostureWarned[dedupeKey]) return;
+  _unmappedPostureWarned[dedupeKey] = true;
+  try {
+    // Canonical audit outcome triple is success/failure/denied; a
+    // posture that maps no overlay is an advisory NOTICE, not a failure
+    // of this construction — the severity rides in metadata.severity so
+    // the audit row carries the warning intent without abusing outcome.
+    audit().safeEmit({
+      action:  "gateContract.posture.unmapped",
+      outcome: "success",
+      metadata: {
+        severity: "warning",
+        posture:  posture,
+        guard:    prefix || "guard",
+        recommendation: "The pinned compliance posture '" + posture +
+          "' has no overlay in this guard's COMPLIANCE_POSTURES table, so " +
+          "its gate runs the unposture-d default. Pass an explicit " +
+          "compliancePosture this guard maps, or add the overlay, if the " +
+          "posture is meant to tighten this surface.",
+      },
+    });
+  } catch (_e) { /* drop-silent — warning must not break gate construction */ }
+}
+
+function _resetForTest() {
+  for (var k in _unmappedPostureWarned) delete _unmappedPostureWarned[k];
+}
+
 /**
  * @primitive  b.gateContract.buildProfile
  * @signature  b.gateContract.buildProfile(opts)
@@ -1658,4 +1710,5 @@ module.exports = {
   MODES:              MODES,
   ISSUE_SEVERITIES:   ISSUE_SEVERITIES,
   GateContractError:      GateContractError,
+  _resetForTest:      _resetForTest,
 };

package/lib/http-client.js

@@ -1925,7 +1925,21 @@ async function downloadStream(opts) {
   });
   counter.bytesWritten = 0;
 
-  var fileStream = nodeFs.createWriteStream(tmpPath, { mode: DEFAULT_DOWNLOAD_FILE_MODE, flags: "w" });
+  // CWE-377 (insecure temporary file) / CWE-59 (symlink follow): stage
+  // the download into the sibling tmp file with an EXCLUSIVE, no-follow
+  // create. The legacy "w" flag is O_WRONLY|O_CREAT|O_TRUNC — it would
+  // open (and truncate, or write through) a file an attacker pre-planted
+  // at tmpPath, including a symlink aimed at a victim path this process
+  // can write. O_EXCL fails with EEXIST if anything already exists at
+  // tmpPath; O_NOFOLLOW rejects a symlink in the final path component
+  // where the platform defines it (Windows leaves it undefined → `|| 0`).
+  // tmpPath already carries a 64-bit CSPRNG suffix (line above), so an
+  // EEXIST here is a hostile-collision signal, not a benign retry.
+  var fileStream = nodeFs.createWriteStream(tmpPath, {
+    mode:  DEFAULT_DOWNLOAD_FILE_MODE,
+    flags: nodeFs.constants.O_WRONLY | nodeFs.constants.O_CREAT |
+           nodeFs.constants.O_EXCL | (nodeFs.constants.O_NOFOLLOW || 0),
+  });
 
   try {
     await streamPromises.pipeline(res.body, counter, fileStream);
@@ -1944,14 +1958,14 @@ async function downloadStream(opts) {
   // across platforms but matches the discipline of the rest of the
   // framework's atomic-write paths.
   //
-  // CodeQL js/insecure-temporary-file: tmpPath = dest + ".tmp-" +
-  // bCrypto.generateToken(C.BYTES.bytes(8)) (line 1802), where
-  // bCrypto.generateToken produces 16 hex chars of CSPRNG-derived
-  // randomness. The path lives next to operator-supplied `dest`
-  // (downloadStream contract — never under os.tmpdir()), and the
-  // 64-bit unpredictable suffix defeats the symlink-pre-creation
-  // attack the rule flags. The fd is used solely for fsync; the
-  // file's bytes were already written by the upstream pipeline.
+  // CodeQL js/insecure-temporary-file (CWE-377 / CWE-59): the tmp file
+  // was already created above with O_EXCL | O_NOFOLLOW, so this reopen
+  // binds to an inode this process exclusively created at a path
+  // carrying a 64-bit CSPRNG suffix (line above) next to operator-
+  // supplied `dest` (downloadStream contract — never under os.tmpdir()).
+  // The earlier exclusive create — not the reopen — is the symlink-
+  // pre-creation defense; this fd is used solely for fsync, after the
+  // upstream pipeline already wrote the bytes.
   try {
     var fd = nodeFs.openSync(tmpPath, "r+");
     try { atomicFile.fsync(fd); } finally { try { nodeFs.closeSync(fd); } catch (_c) { /* best-effort fd close */ } }

package/lib/mail-server-jmap.js

@@ -316,6 +316,33 @@ function create(opts) {
     return cur;
   }
 
+  // ---- Account authorization (RFC 8620 §3.6.1 accountNotFound) ------------
+  //
+  // The set of accountIds an actor may touch is whatever
+  // `opts.accountsFor(actor)` enumerates in its `accounts` map — the same
+  // source the session resource advertises. Resolving it ONCE per request
+  // and rejecting any client-supplied accountId outside that set is the
+  // cross-tenant authorization control: without it, a tenant's request can
+  // name another tenant's accountId and reach the operator's method/blob
+  // handler, which must then independently re-check or leak. The listener
+  // owns this gate so every account-scoped op (method dispatch + blob
+  // upload/download) is covered uniformly.
+  async function _permittedAccountIds(actor) {
+    var info = await opts.accountsFor(actor);
+    info = info || {};
+    var accounts = info.accounts || {};
+    // A Set of the accountIds the actor is enumerated for. An empty/garbage
+    // accounts map yields an empty set → every account-scoped reference is
+    // rejected (fail-closed), which is the correct posture for an actor the
+    // operator declined to grant any account.
+    var set = Object.create(null);
+    if (accounts && typeof accounts === "object") {
+      var ids = Object.keys(accounts);
+      for (var i = 0; i < ids.length; i += 1) set[ids[i]] = true;
+    }
+    return set;
+  }
+
   // ---- Dispatch ------------------------------------------------------------
   //
   // `dispatch(actor, body)` is the operator-callable form — accepts a
@@ -340,6 +367,20 @@ function create(opts) {
       return _refusalResponse(errType, (e && e.message) || "request refused");
     }
 
+    // Resolve the actor's permitted accountId set ONCE for the whole
+    // request (RFC 8620 §3.6.1). Every account-scoped method call is gated
+    // against it below, BEFORE the operator handler runs, so a client can't
+    // name another tenant's accountId and reach the backend.
+    var permittedAccounts;
+    try {
+      permittedAccounts = await _permittedAccountIds(actor);
+    } catch (e) {
+      _emit("mail.server.jmap.accounts_for_threw",
+        { error: (e && e.message) || String(e) }, "failure");
+      return _refusalResponse("urn:ietf:params:jmap:error:serverFail",
+        "account authorization unavailable");
+    }
+
     var methodResponses = [];
     var byClientId = Object.create(null);
     for (var i = 0; i < parsed.methodCalls.length; i += 1) {
@@ -361,6 +402,24 @@ function create(opts) {
             description: "Method '" + methodName + "' not implemented on this server" }, clientId]);
         continue;
       }
+      // Cross-tenant gate (RFC 8620 §3.6.1): if the call names an accountId,
+      // it MUST be one the actor is enumerated for. Rejected BEFORE the
+      // operator handler runs so a forged/foreign accountId never reaches
+      // the backend. Calls without an accountId (account-agnostic methods)
+      // pass through unchanged.
+      if (resolvedArgs && typeof resolvedArgs === "object" &&
+          resolvedArgs.accountId !== undefined && resolvedArgs.accountId !== null) {
+        var callAccountId = resolvedArgs.accountId;
+        if (typeof callAccountId !== "string" || !permittedAccounts[callAccountId]) {
+          _emit("mail.server.jmap.account_not_found",
+            { method: methodName, accountId: typeof callAccountId === "string" ? callAccountId : null,
+              clientId: clientId }, "denied");
+          methodResponses.push(["error",
+            { type: "urn:ietf:params:jmap:error:accountNotFound",
+              description: "accountId is not accessible to this actor" }, clientId]);
+          continue;
+        }
+      }
       if (!_legacyDeprecationEmitted && registry.source(methodName) === "builtin") {
         _legacyDeprecationEmitted = true;
         _emit("mail.server.jmap.methods_opt_deprecated",
@@ -813,6 +872,40 @@ function create(opts) {
       if (refused) return;
       var bytes = collector.result();
       Promise.resolve()
+        // Cross-tenant gate (RFC 8620 §3.6.1): the accountId in the upload
+        // URL must be one the actor is enumerated for, else accountNotFound
+        // — the foreign accountId never reaches uploadBlob.
+        .then(function () { return _permittedAccountIds(actor); })
+        .then(function (permitted) {
+          if (!permitted[accountId]) {
+            _emit("mail.server.jmap.account_not_found",
+              { op: "upload", accountId: accountId }, "denied");
+            res.statusCode = 404;
+            res.setHeader("Content-Type", "application/json; charset=utf-8");
+            res.end(JSON.stringify({
+              type:        "urn:ietf:params:jmap:error:accountNotFound",
+              description: "accountId is not accessible to this actor",
+            }));
+            return;
+          }
+          return _completeUpload(bytes);
+        })
+        .catch(function (err) {
+          _emit("mail.server.jmap.upload_threw",
+            { accountId: accountId, error: (err && err.message) || String(err) }, "failure");
+          if (!res.headersSent) {
+            res.statusCode = 500;
+            res.setHeader("Content-Type", "application/json; charset=utf-8");
+            res.end(JSON.stringify({
+              type:        "urn:ietf:params:jmap:error:serverFail",
+              description: "Upload failed",
+            }));
+          }
+        });
+    });
+
+    function _completeUpload(bytes) {
+      return Promise.resolve()
         .then(function () { return opts.mailStore.uploadBlob(actor, accountId, contentType, bytes); })
         .then(function (meta) {
           if (!meta || typeof meta !== "object" || typeof meta.blobId !== "string") {
@@ -827,18 +920,10 @@ function create(opts) {
             type:      meta.type || contentType,
             size:      typeof meta.size === "number" ? meta.size : bytes.length,
           }));
-        })
-        .catch(function (err) {
-          _emit("mail.server.jmap.upload_threw",
-            { accountId: accountId, error: (err && err.message) || String(err) }, "failure");
-          res.statusCode = 500;
-          res.setHeader("Content-Type", "application/json; charset=utf-8");
-          res.end(JSON.stringify({
-            type:        "urn:ietf:params:jmap:error:serverFail",
-            description: "Upload failed",
-          }));
         });
-    });
+      // Errors from uploadBlob propagate to the req.on("end") chain's
+      // .catch (single serverFail responder, headersSent-guarded).
+    }
     req.on("error", function () {
       if (!refused) {
         refused = true;
@@ -944,9 +1029,29 @@ function create(opts) {
       }));
       return;
     }
+    var downloadDenied = false;
     Promise.resolve()
-      .then(function () { return opts.mailStore.downloadBlob(actor, accountId, blobId); })
+      // Cross-tenant gate (RFC 8620 §3.6.1): the accountId in the download
+      // URL must be one the actor is enumerated for, else accountNotFound —
+      // the foreign accountId never reaches downloadBlob.
+      .then(function () { return _permittedAccountIds(actor); })
+      .then(function (permitted) {
+        if (!permitted[accountId]) {
+          downloadDenied = true;
+          _emit("mail.server.jmap.account_not_found",
+            { op: "download", accountId: accountId, blobId: blobId }, "denied");
+          res.statusCode = 404;
+          res.setHeader("Content-Type", "application/json; charset=utf-8");
+          res.end(JSON.stringify({
+            type:        "urn:ietf:params:jmap:error:accountNotFound",
+            description: "accountId is not accessible to this actor",
+          }));
+          return undefined;
+        }
+        return opts.mailStore.downloadBlob(actor, accountId, blobId);
+      })
       .then(function (result) {
+        if (downloadDenied) return;
         if (!result || (typeof result !== "object" && !Buffer.isBuffer(result))) {
           res.statusCode = 404;
           res.setHeader("Content-Type", "application/json; charset=utf-8");

package/lib/middleware/body-parser.js

@@ -166,6 +166,29 @@ var BodyParserError = defineClass("BodyParserError", { withStatusCode: true });
 // in play — consistent prototype-pollution defense across the framework.
 var POISONED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 
+// Materialize a header/parameter map from request-derived [key, value]
+// pairs WITHOUT a computed member write (`target[key] = value`). A
+// request-keyed computed write is the CWE-915 unsafe-reflection /
+// CWE-1321 prototype-pollution sink: an attacker who controls the key
+// (Content-Type parameter name, multipart part-header name,
+// Content-Disposition parameter name) can target `__proto__` /
+// `constructor` / `prototype` and corrupt the prototype chain. Poisoned
+// keys are dropped, the remaining pairs are funneled through
+// `Object.fromEntries`, and the result carries no prototype chain
+// (`Object.create(null)`) so even a key that slipped a future POISONED_KEYS
+// gap cannot reach Object.prototype. The returned map has plain-object
+// shape (string keys → values) so existing named-property reads
+// (`.boundary`, `.charset`, `["content-disposition"]`, `.name`,
+// `.filename`) are unchanged.
+function _mapFromPairs(pairs) {
+  var safe = [];
+  for (var i = 0; i < pairs.length; i++) {
+    if (POISONED_KEYS.has(pairs[i][0])) continue;
+    safe.push(pairs[i]);
+  }
+  return Object.assign(Object.create(null), Object.fromEntries(safe));
+}
+
 // ---- defaults ----
 
 var DEFAULTS = Object.freeze({
@@ -221,7 +244,11 @@ function _contentType(req) {
   if (typeof ct !== "string") return { type: "", params: {} };
   var idx = ct.indexOf(";");
   var type = (idx === -1 ? ct : ct.slice(0, idx)).trim().toLowerCase();
-  var params = {};
+  // Collect [name, value] pairs, then materialize via _mapFromPairs so a
+  // request-controlled parameter name (e.g. `boundary` / `charset` / an
+  // attacker-supplied `__proto__`) is never used as a computed-write key
+  // (CWE-915 / CWE-1321). Poisoned names are dropped at materialization.
+  var paramPairs = [];
   if (idx !== -1) {
     var rest = ct.slice(idx + 1);
     // RFC 9110 §8.3 + §5.6.6 — parameter values may be quoted-string
@@ -238,10 +265,10 @@ function _contentType(req) {
       var v = p.slice(eq + 1).trim();
       var _unq = structuredFields.unquoteSfString(v);
       if (_unq !== null) v = _unq;
-      params[k] = v;
+      paramPairs.push([k, v]);
     }
   }
-  return { type: type, params: params };
+  return { type: type, params: _mapFromPairs(paramPairs) };
 }
 
 function _typeMatches(actual, allowed) {
@@ -583,7 +610,13 @@ function _parseMultipartHeaders(rawHeaders) {
   // §5.5 — header field values MUST NOT contain CR, LF, or NUL bytes.
   // We refuse the part outright (caller surfaces the throw as 400 + drop).
   var lines = rawHeaders.split("\r\n");
-  var out = {};
+  // Collect [name, value] pairs; materialize via _mapFromPairs so the
+  // request-controlled header name is never a computed-write key
+  // (CWE-915 / CWE-1321 — a part header literally named `__proto__` would
+  // otherwise pollute the prototype chain). Later headers of the same
+  // name keep last-wins (the prior `out[k] = v` overwrite semantics:
+  // Object.fromEntries takes the last pair for a duplicate key).
+  var headerPairs = [];
   for (var i = 0; i < lines.length; i++) {
     var line = lines[i];
     if (!line) continue;
@@ -609,9 +642,9 @@ function _parseMultipartHeaders(rawHeaders) {
         );
       }
     }
-    out[k] = v;
+    headerPairs.push([k, v]);
   }
-  return out;
+  return _mapFromPairs(headerPairs);
 }
 
 // Percent-decode an RFC 5987 ext-value's value segment under iso-8859-1.
@@ -672,14 +705,20 @@ function _parseHeaderParams(headerValue, filenameCharsets) {
   // is present, it takes precedence over the legacy `filename=`
   // companion (RFC 6266 §4.3). We surface the decoded value at
   // `filename` so downstream consumers don't need parser-aware code.
-  var out = { _value: "" };
-  if (!headerValue) return out;
+  if (!headerValue) return _mapFromPairs([["_value", ""]]);
   // RFC 6266 §4.1 + RFC 9110 §5.6.6 — parameter values may be
   // quoted-string (e.g. `filename="weird;name.txt"`). Bare
   // `.split(";")` would slice through the quoted semicolon and
   // corrupt the filename. Quote-aware shared splitter.
   var parts = structuredFields.splitTopLevel(headerValue, ";");
-  out._value = parts[0].trim().toLowerCase();
+  // Collect [name, value] pairs, then materialize via _mapFromPairs so a
+  // request-controlled Content-Disposition parameter name (or its
+  // ext-value `name*` bare form) is never a computed-write key
+  // (CWE-915 / CWE-1321). `_value` carries the disposition type;
+  // `filename` (when an ext-value decoded) takes precedence over the
+  // legacy `filename=` companion (RFC 6266 §4.3), preserved by appending
+  // it last so Object.fromEntries' last-wins resolves it.
+  var paramPairs = [["_value", parts[0].trim().toLowerCase()]];
   var extName = null;
   for (var i = 1; i < parts.length; i++) {
     var p = parts[i].trim();
@@ -694,14 +733,14 @@ function _parseHeaderParams(headerValue, filenameCharsets) {
       if (decoded !== null) {
         var bareKey = k.slice(0, -1);
         if (bareKey === "filename") extName = decoded;
-        out[bareKey] = decoded;
+        paramPairs.push([bareKey, decoded]);
       }
       continue;
     }
-    out[k] = v;
+    paramPairs.push([k, v]);
   }
-  if (extName !== null) out.filename = extName;
-  return out;
+  if (extName !== null) paramPairs.push(["filename", extName]);
+  return _mapFromPairs(paramPairs);
 }
 
 async function _parseMultipart(req, opts, ctParams) {
@@ -1173,20 +1212,27 @@ async function _parseMultipart(req, opts, ctParams) {
               var fbuf = Buffer.concat(currentBuf);
               var text = fbuf.toString("utf8");
               // Repeated field name → array, matching urlencoded parser.
-              if (Object.prototype.hasOwnProperty.call(fields, currentField)) {
-                // lgtm[js/remote-property-injection] — `currentField` is gated
-                // upstream at lib/middleware/body-parser.js:867 by
-                // POISONED_KEYS (__proto__ / constructor / prototype) which
-                // refuses the multipart part with a 400 BodyParserError before
-                // `currentField` is ever assigned. Reachable values cannot
-                // pollute the prototype chain.
-                if (Array.isArray(fields[currentField])) fields[currentField].push(text);
-                else fields[currentField] = [fields[currentField], text];
+              // `currentField` is request-controlled, so the accumulation
+              // never uses it as a computed-write key (`fields[key] = v`),
+              // which is the CWE-915 / CWE-1321 sink: it is merged through
+              // Object.fromEntries + Object.assign instead. The upstream
+              // POISONED_KEYS gate (the multipart-poisoned-field check above)
+              // already rejects __proto__ / constructor / prototype field
+              // names with a 400 before reaching here; the entries-merge is
+              // the structural backstop.
+              var fieldName = currentField;
+              var prior = Object.prototype.hasOwnProperty.call(fields, fieldName)
+                            ? fields[fieldName] : undefined;
+              var nextValue;
+              if (prior === undefined) {
+                nextValue = text;
+              } else if (Array.isArray(prior)) {
+                prior.push(text);
+                nextValue = prior;
               } else {
-                // lgtm[js/remote-property-injection] — see upstream POISONED_KEYS
-                // gate at lib/middleware/body-parser.js:867.
-                fields[currentField] = text;
+                nextValue = [prior, text];
               }
+              Object.assign(fields, Object.fromEntries([[fieldName, nextValue]]));
             }
             currentHeaders = null;
             currentField = null;

package/lib/middleware/csrf-protect.js

@@ -91,25 +91,36 @@ function _parseCookieHeader(header) {
   // just splits the name=value pairs. Keys that appear multiple times
   // resolve to the FIRST occurrence (browsers send pairs left-to-right
   // by registration order; the first is the most-specific path).
-  // Output object has no prototype chain — `Object.create(null)` defends
-  // against `__proto__` / `constructor` / `prototype` cookie-name keys
-  // polluting the prototype before the hasOwnProperty gate runs.
-  var out = Object.create(null);
-  if (typeof header !== "string" || header.length === 0) return out;
+  // Collect [name, value] pairs, then materialize the cookie map via
+  // Object.fromEntries onto a null-prototype object. The cookie name is
+  // attacker-controlled (Cookie request header), so it is never used as a
+  // computed-write key (`out[name] = value` / `seen[name] = true`) — that
+  // is the CWE-915 unsafe-reflection / CWE-1321 prototype-pollution sink.
+  // First-occurrence-wins de-duplication tracks names in a Set (add/has
+  // are method calls, not tainted-key property writes); POISONED names
+  // (`__proto__` / `constructor` / `prototype`) are dropped; and the
+  // null-prototype accumulator means even a slipped name cannot reach
+  // Object.prototype.
+  if (typeof header !== "string" || header.length === 0) return Object.create(null);
   var parts = header.split(/;\s*/);
+  var seen = new Set();
+  var pairs = [];
   for (var i = 0; i < parts.length; i++) {
     var p = parts[i];
     var eq = p.indexOf("=");
     if (eq === -1) continue;
     var k = p.slice(0, eq).trim();
-    if (k.length === 0 || Object.prototype.hasOwnProperty.call(out, k)) continue;
+    if (k.length === 0) continue;
+    if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
+    if (seen.has(k)) continue;  // first-occurrence wins
+    seen.add(k);
     var v = p.slice(eq + 1).trim();
     if (v.length >= 2 && v.charCodeAt(0) === 0x22 && v.charCodeAt(v.length - 1) === 0x22) {
       v = v.slice(1, -1);
     }
-    out[k] = v;
+    pairs.push([k, v]);
   }
-  return out;
+  return Object.assign(Object.create(null), Object.fromEntries(pairs));
 }
 
 // `_isHttps` defers to `requestHelpers.requestProtocol` so the

package/lib/object-store/azure-blob.js

@@ -35,6 +35,7 @@ var { URL } = require("node:url");
 var { Readable } = require("node:stream");
 var safeXml = require("../parsers/safe-xml");
 var sharedRequest = require("./http-request");
+var sigv4 = require("./sigv4");
 var C = require("../constants");
 var requestHelpers = require("../request-helpers");
 var { ObjectStoreError } = require("../framework-error");
@@ -65,6 +66,26 @@ function _arrayify(value) {
   return Array.isArray(value) ? value : [value];
 }
 
+// Percent-encode a hierarchical blob name for use in a URL path. Azure
+// blob names are `/`-delimited virtual directories, so each segment is
+// RFC 3986 percent-encoded (via the family-shared encoder used by the
+// S3 / GCS backends) while the `/` separators are preserved. Without
+// this, a key containing `?`, `#`, a space, or other reserved chars is
+// interpolated raw into the request URL — `?`/`#` start the query /
+// fragment (so the blob path is truncated, hitting the wrong object or
+// the container root), and spaces / control bytes corrupt the request
+// line (CWE-20 improper input → request-smuggling-adjacent). A null
+// byte is refused outright (it can't appear in a valid blob name and
+// indicates a malformed / hostile key), matching the S3 / GCS guards.
+function _encodeBlobKey(key) {
+  if (key.indexOf("\0") !== -1) {
+    throw _err("INVALID_KEY", "null byte in blob key", true);
+  }
+  return key.split("/").map(function (s) {
+    return sigv4.awsUriEncode(s, true);
+  }).join("/");
+}
+
 var DEFAULT_API_VERSION = "2024-08-04";
 
 // Service SAS expiry bounds. Azure doesn't enforce a hard max, but
@@ -208,7 +229,8 @@ function create(config) {
   if (allowInternal !== null) reqOpts.allowInternal = allowInternal;
 
   function _blobUrl(key, params) {
-    var u = _internalUrl(endpoint + "/" + config.container + "/" + key, allowedProtocols);
+    var u = _internalUrl(endpoint + "/" + config.container + "/" + _encodeBlobKey(key),
+                         allowedProtocols);
     if (params) {
       Object.keys(params).forEach(function (k) { u.searchParams.set(k, params[k]); });
     }
@@ -425,8 +447,12 @@ function create(config) {
       throw _err("INVALID_KEY", "null byte in key", true);
     }
 
+    // _buildSasToken signs the canonicalized resource with the RAW
+    // (decoded) blob name per the Azure SAS spec; the URL PATH carries the
+    // percent-encoded key so a key with reserved chars (`?` / `#` / space)
+    // doesn't truncate the path or corrupt the request line.
     var token = _buildSasToken(permissions, opts);
-    var url = _internalUrl(endpoint + "/" + config.container + "/" + opts.key + "?" + token.sas, allowedProtocols);
+    var url = _internalUrl(endpoint + "/" + config.container + "/" + _encodeBlobKey(opts.key) + "?" + token.sas, allowedProtocols);
 
     var clientHeaders = {};
     if (opts.contentType) clientHeaders["Content-Type"] = opts.contentType;