@blamejs/core 0.14.26 → 0.14.27

package/lib/file-upload.js

@@ -22,8 +22,12 @@
  *   content gate inspects the reassembled buffer, so it runs on uploads
  *   up to `maxStreamReassemblyBytes` (default 64 MiB); a larger upload
  *   is handed to `onFinalize` as a stream and the byte-content gate is
- *   skipped (MIME-sniff + filename gates still run, and the skip emits a
- *   `fileUpload.content_safety_skipped` warning audit). To guarantee
+ *   skipped (MIME-sniff + filename gates still run). Every skip path —
+ *   the upload streamed past the reassembly cap, no gate is registered
+ *   for the file's extension, or `contentSafety: null` disabled scanning
+ *   — emits a `fileUpload.content_safety_skipped` audit whose `reason`
+ *   names the cause, so a security review of the audit log can tell which
+ *   uploads reached storage without a content scan and why. To guarantee
  *   content-gating of a type, cap `maxFileBytes` at or below
  *   `maxStreamReassemblyBytes`. Per-chunk hooks
  *   (`onChunk`) are the integration point for virus scanners and
@@ -475,6 +479,32 @@ function create(opts) {
     if (opts.observability) opts.observability.safeEvent(name, value, labels || {});
   }
 
+  // Emit an audit row whenever the byte-level content-safety scan is
+  // SKIPPED for a finalized upload — so a security review of the audit
+  // log can tell that bytes reached storage without passing the
+  // content gate, and WHY. Without this, every skip path (operator
+  // opt-out, no gate registered for the file's extension, or the upload
+  // streamed past maxStreamReassemblyBytes) was silent: the audit log
+  // showed a clean `fileUpload.finalize` success indistinguishable from
+  // a scanned upload. `reason` names the skip cause so operators can
+  // alert / lower maxStreamReassemblyBytes / register the missing gate.
+  // Observability-only: `_emitAudit` wraps audit.safeEmit in try/catch
+  // (drop-silent — by design) so a throwing sink never breaks the upload.
+  function _emitContentSafetySkipped(uploadId, actor, reason, ext, size) {
+    _emitObs("fileUpload.content_safety_skipped", 1, { reason: reason, ext: ext || "" });
+    // outcome "success" — the upload itself finalized; the audit records
+    // that the byte-level scan did NOT run, with `reason` naming why
+    // (the only outcomes the audit chain accepts are success / failure /
+    // denied, so the skip-cause lives in `reason` + `metadata`).
+    _emitAudit("fileUpload.content_safety_skipped", {
+      actor:    requestHelpers.extractActorContext(actor),
+      resource: { kind: "fileUpload", id: uploadId },
+      outcome:  "success",
+      reason:   reason,
+      metadata: { uploadId: uploadId, ext: ext || null, size: size, reason: reason },
+    });
+  }
+
   // Staging dir mode 0o700 — only the framework process reads its own
   // staging files.
   atomicFile.ensureDir(stagingDir, 0o700);
@@ -1088,12 +1118,27 @@ function create(opts) {
         // upload streamed past maxStreamReassemblyBytes and was never
         // reassembled into a buffer the byte-level gate can inspect. The
         // MIME-sniff and filename gates still ran; the per-extension
-        // content gate did NOT. Surface it (rather than skipping silently)
-        // via an observability counter so operators can alert, lower
-        // maxStreamReassemblyBytes, or cap maxFileBytes to force
-        // content-gating of this type.
-        _emitObs("fileUpload.content_safety_skipped_streamed", 1, { ext: safetyExt });
+        // content gate did NOT. Audit the skip (with the streamed reason)
+        // so operators can alert, lower maxStreamReassemblyBytes, or cap
+        // maxFileBytes to force content-gating of this type.
+        _emitContentSafetySkipped(uploadId, actor, "streamed-over-reassembly-cap",
+                                  safetyExt, verified.totalBytes);
+      } else {
+        // contentSafety is wired but no gate is registered for this file's
+        // extension — the byte-level scan does not run. Audit the skip so
+        // a review can tell the upload bypassed content scanning (and
+        // register a gate for the extension if it should be scanned).
+        _emitContentSafetySkipped(uploadId, actor, "no-gate-for-extension",
+                                  safetyExt, verified.totalBytes);
       }
+    } else {
+      // Content-safety scanning is disabled for this upload manager
+      // (contentSafety: null opt-out at create()). The create-time audit
+      // recorded the disable; this per-upload audit makes the bypass
+      // visible at the point bytes reached storage.
+      _emitContentSafetySkipped(uploadId, actor, "content-safety-disabled",
+                                nodePath.extname(filename).toLowerCase(),
+                                verified.totalBytes);
     }
 
     // Hand to operator's onFinalize.

package/lib/framework-error.js

@@ -557,7 +557,9 @@ var WatcherError          = defineClass("WatcherError",          { alwaysPermane
 // caller-shape misuse or an irrecoverable on-disk condition.
 var LocalDbThinError      = defineClass("LocalDbThinError",      { alwaysPermanent: true });
 // RouterError covers operator-shape violations on the router primitive:
-// invalid `allowedRedirectOrigins` opt at create time, and cross-origin
+// invalid `allowedRedirectOrigins` opt at create time, a malformed
+// `use()` mount (non-string / non-array prefix, a prefix not beginning
+// with "/", a missing or non-function middleware), and cross-origin
 // `res.redirect()` targets that are not on the allowlist. alwaysPermanent
 // — every case is config-time programming bug or an outbound-redirect
 // shape error that retry will not recover.

package/lib/gate-contract.js

@@ -54,6 +54,12 @@ var { GateContractError } = require("./framework-error");
 
 var observability = lazyRequire(function () { return require("./observability"); });
 var compliance = lazyRequire(function () { return require("./compliance"); });
+var audit = lazyRequire(function () { return require("./audit"); });
+
+// One-time dedupe for the "global posture pinned but this guard maps no
+// overlay" warning. Keyed `<posture>::<errCodePrefix>` so each guard
+// family surfaces the gap once instead of on every gate construction.
+var _unmappedPostureWarned = Object.create(null);
 
 // Forensic-id token width (bytes); 64 bits is enough for cross-gate
 // correlation in a single request scope.
@@ -1415,6 +1421,16 @@ function resolveProfileAndPosture(opts, cfg) {
     if (typeof globalPosture === "string" &&
         cfg.compliancePostures && cfg.compliancePostures[globalPosture]) {
       posture = globalPosture;
+    } else if (typeof globalPosture === "string" && globalPosture.length > 0) {
+      // A global posture IS pinned, but this guard family ships no
+      // COMPLIANCE_POSTURES overlay for it (e.g. fedramp-rev5-moderate
+      // against a guard whose table only covers hipaa/pci-dss/gdpr/soc2).
+      // Falling through to the unposture-d default is the SAFE behavior,
+      // but operators must know the posture is a no-op for THIS guard —
+      // silently no-oping reads as "enforced" (compliance theater).
+      // Emit a one-time, grep-able audit warning per (posture, guard)
+      // and keep the safe default.
+      _warnUnmappedPosture(globalPosture, prefix);
     }
   }
   if (typeof posture === "string") {
@@ -1427,6 +1443,42 @@ function resolveProfileAndPosture(opts, cfg) {
   return Object.assign({}, cfg.defaults || {}, overlay, opts);
 }
 
+// _warnUnmappedPosture — emit a one-time, grep-able audit warning that a
+// globally-pinned posture has no overlay in THIS guard family's
+// COMPLIANCE_POSTURES table, so the operator doesn't read the
+// safe-default fall-through as "the posture is enforced here." Drop-
+// silent (hot-path observability sink): a warning emit must never throw
+// past the guard-gate construction that triggered it.
+function _warnUnmappedPosture(posture, prefix) {
+  var dedupeKey = posture + "::" + (prefix || "guard");
+  if (_unmappedPostureWarned[dedupeKey]) return;
+  _unmappedPostureWarned[dedupeKey] = true;
+  try {
+    // Canonical audit outcome triple is success/failure/denied; a
+    // posture that maps no overlay is an advisory NOTICE, not a failure
+    // of this construction — the severity rides in metadata.severity so
+    // the audit row carries the warning intent without abusing outcome.
+    audit().safeEmit({
+      action:  "gateContract.posture.unmapped",
+      outcome: "success",
+      metadata: {
+        severity: "warning",
+        posture:  posture,
+        guard:    prefix || "guard",
+        recommendation: "The pinned compliance posture '" + posture +
+          "' has no overlay in this guard's COMPLIANCE_POSTURES table, so " +
+          "its gate runs the unposture-d default. Pass an explicit " +
+          "compliancePosture this guard maps, or add the overlay, if the " +
+          "posture is meant to tighten this surface.",
+      },
+    });
+  } catch (_e) { /* drop-silent — warning must not break gate construction */ }
+}
+
+function _resetForTest() {
+  for (var k in _unmappedPostureWarned) delete _unmappedPostureWarned[k];
+}
+
 /**
  * @primitive  b.gateContract.buildProfile
  * @signature  b.gateContract.buildProfile(opts)
@@ -1658,4 +1710,5 @@ module.exports = {
   MODES:              MODES,
   ISSUE_SEVERITIES:   ISSUE_SEVERITIES,
   GateContractError:      GateContractError,
+  _resetForTest:      _resetForTest,
 };

package/lib/http-client.js

@@ -1925,7 +1925,21 @@ async function downloadStream(opts) {
   });
   counter.bytesWritten = 0;
 
-  var fileStream = nodeFs.createWriteStream(tmpPath, { mode: DEFAULT_DOWNLOAD_FILE_MODE, flags: "w" });
+  // CWE-377 (insecure temporary file) / CWE-59 (symlink follow): stage
+  // the download into the sibling tmp file with an EXCLUSIVE, no-follow
+  // create. The legacy "w" flag is O_WRONLY|O_CREAT|O_TRUNC — it would
+  // open (and truncate, or write through) a file an attacker pre-planted
+  // at tmpPath, including a symlink aimed at a victim path this process
+  // can write. O_EXCL fails with EEXIST if anything already exists at
+  // tmpPath; O_NOFOLLOW rejects a symlink in the final path component
+  // where the platform defines it (Windows leaves it undefined → `|| 0`).
+  // tmpPath already carries a 64-bit CSPRNG suffix (line above), so an
+  // EEXIST here is a hostile-collision signal, not a benign retry.
+  var fileStream = nodeFs.createWriteStream(tmpPath, {
+    mode:  DEFAULT_DOWNLOAD_FILE_MODE,
+    flags: nodeFs.constants.O_WRONLY | nodeFs.constants.O_CREAT |
+           nodeFs.constants.O_EXCL | (nodeFs.constants.O_NOFOLLOW || 0),
+  });
 
   try {
     await streamPromises.pipeline(res.body, counter, fileStream);
@@ -1944,14 +1958,14 @@ async function downloadStream(opts) {
   // across platforms but matches the discipline of the rest of the
   // framework's atomic-write paths.
   //
-  // CodeQL js/insecure-temporary-file: tmpPath = dest + ".tmp-" +
-  // bCrypto.generateToken(C.BYTES.bytes(8)) (line 1802), where
-  // bCrypto.generateToken produces 16 hex chars of CSPRNG-derived
-  // randomness. The path lives next to operator-supplied `dest`
-  // (downloadStream contract — never under os.tmpdir()), and the
-  // 64-bit unpredictable suffix defeats the symlink-pre-creation
-  // attack the rule flags. The fd is used solely for fsync; the
-  // file's bytes were already written by the upstream pipeline.
+  // CodeQL js/insecure-temporary-file (CWE-377 / CWE-59): the tmp file
+  // was already created above with O_EXCL | O_NOFOLLOW, so this reopen
+  // binds to an inode this process exclusively created at a path
+  // carrying a 64-bit CSPRNG suffix (line above) next to operator-
+  // supplied `dest` (downloadStream contract — never under os.tmpdir()).
+  // The earlier exclusive create — not the reopen — is the symlink-
+  // pre-creation defense; this fd is used solely for fsync, after the
+  // upstream pipeline already wrote the bytes.
   try {
     var fd = nodeFs.openSync(tmpPath, "r+");
     try { atomicFile.fsync(fd); } finally { try { nodeFs.closeSync(fd); } catch (_c) { /* best-effort fd close */ } }

package/lib/mail-server-jmap.js

@@ -316,6 +316,33 @@ function create(opts) {
     return cur;
   }
 
+  // ---- Account authorization (RFC 8620 §3.6.1 accountNotFound) ------------
+  //
+  // The set of accountIds an actor may touch is whatever
+  // `opts.accountsFor(actor)` enumerates in its `accounts` map — the same
+  // source the session resource advertises. Resolving it ONCE per request
+  // and rejecting any client-supplied accountId outside that set is the
+  // cross-tenant authorization control: without it, a tenant's request can
+  // name another tenant's accountId and reach the operator's method/blob
+  // handler, which must then independently re-check or leak. The listener
+  // owns this gate so every account-scoped op (method dispatch + blob
+  // upload/download) is covered uniformly.
+  async function _permittedAccountIds(actor) {
+    var info = await opts.accountsFor(actor);
+    info = info || {};
+    var accounts = info.accounts || {};
+    // A Set of the accountIds the actor is enumerated for. An empty/garbage
+    // accounts map yields an empty set → every account-scoped reference is
+    // rejected (fail-closed), which is the correct posture for an actor the
+    // operator declined to grant any account.
+    var set = Object.create(null);
+    if (accounts && typeof accounts === "object") {
+      var ids = Object.keys(accounts);
+      for (var i = 0; i < ids.length; i += 1) set[ids[i]] = true;
+    }
+    return set;
+  }
+
   // ---- Dispatch ------------------------------------------------------------
   //
   // `dispatch(actor, body)` is the operator-callable form — accepts a
@@ -340,6 +367,20 @@ function create(opts) {
       return _refusalResponse(errType, (e && e.message) || "request refused");
     }
 
+    // Resolve the actor's permitted accountId set ONCE for the whole
+    // request (RFC 8620 §3.6.1). Every account-scoped method call is gated
+    // against it below, BEFORE the operator handler runs, so a client can't
+    // name another tenant's accountId and reach the backend.
+    var permittedAccounts;
+    try {
+      permittedAccounts = await _permittedAccountIds(actor);
+    } catch (e) {
+      _emit("mail.server.jmap.accounts_for_threw",
+        { error: (e && e.message) || String(e) }, "failure");
+      return _refusalResponse("urn:ietf:params:jmap:error:serverFail",
+        "account authorization unavailable");
+    }
+
     var methodResponses = [];
     var byClientId = Object.create(null);
     for (var i = 0; i < parsed.methodCalls.length; i += 1) {
@@ -361,6 +402,24 @@ function create(opts) {
             description: "Method '" + methodName + "' not implemented on this server" }, clientId]);
         continue;
       }
+      // Cross-tenant gate (RFC 8620 §3.6.1): if the call names an accountId,
+      // it MUST be one the actor is enumerated for. Rejected BEFORE the
+      // operator handler runs so a forged/foreign accountId never reaches
+      // the backend. Calls without an accountId (account-agnostic methods)
+      // pass through unchanged.
+      if (resolvedArgs && typeof resolvedArgs === "object" &&
+          resolvedArgs.accountId !== undefined && resolvedArgs.accountId !== null) {
+        var callAccountId = resolvedArgs.accountId;
+        if (typeof callAccountId !== "string" || !permittedAccounts[callAccountId]) {
+          _emit("mail.server.jmap.account_not_found",
+            { method: methodName, accountId: typeof callAccountId === "string" ? callAccountId : null,
+              clientId: clientId }, "denied");
+          methodResponses.push(["error",
+            { type: "urn:ietf:params:jmap:error:accountNotFound",
+              description: "accountId is not accessible to this actor" }, clientId]);
+          continue;
+        }
+      }
       if (!_legacyDeprecationEmitted && registry.source(methodName) === "builtin") {
         _legacyDeprecationEmitted = true;
         _emit("mail.server.jmap.methods_opt_deprecated",
@@ -813,6 +872,40 @@ function create(opts) {
       if (refused) return;
       var bytes = collector.result();
       Promise.resolve()
+        // Cross-tenant gate (RFC 8620 §3.6.1): the accountId in the upload
+        // URL must be one the actor is enumerated for, else accountNotFound
+        // — the foreign accountId never reaches uploadBlob.
+        .then(function () { return _permittedAccountIds(actor); })
+        .then(function (permitted) {
+          if (!permitted[accountId]) {
+            _emit("mail.server.jmap.account_not_found",
+              { op: "upload", accountId: accountId }, "denied");
+            res.statusCode = 404;
+            res.setHeader("Content-Type", "application/json; charset=utf-8");
+            res.end(JSON.stringify({
+              type:        "urn:ietf:params:jmap:error:accountNotFound",
+              description: "accountId is not accessible to this actor",
+            }));
+            return;
+          }
+          return _completeUpload(bytes);
+        })
+        .catch(function (err) {
+          _emit("mail.server.jmap.upload_threw",
+            { accountId: accountId, error: (err && err.message) || String(err) }, "failure");
+          if (!res.headersSent) {
+            res.statusCode = 500;
+            res.setHeader("Content-Type", "application/json; charset=utf-8");
+            res.end(JSON.stringify({
+              type:        "urn:ietf:params:jmap:error:serverFail",
+              description: "Upload failed",
+            }));
+          }
+        });
+    });
+
+    function _completeUpload(bytes) {
+      return Promise.resolve()
         .then(function () { return opts.mailStore.uploadBlob(actor, accountId, contentType, bytes); })
         .then(function (meta) {
           if (!meta || typeof meta !== "object" || typeof meta.blobId !== "string") {
@@ -827,18 +920,10 @@ function create(opts) {
             type:      meta.type || contentType,
             size:      typeof meta.size === "number" ? meta.size : bytes.length,
           }));
-        })
-        .catch(function (err) {
-          _emit("mail.server.jmap.upload_threw",
-            { accountId: accountId, error: (err && err.message) || String(err) }, "failure");
-          res.statusCode = 500;
-          res.setHeader("Content-Type", "application/json; charset=utf-8");
-          res.end(JSON.stringify({
-            type:        "urn:ietf:params:jmap:error:serverFail",
-            description: "Upload failed",
-          }));
         });
-    });
+      // Errors from uploadBlob propagate to the req.on("end") chain's
+      // .catch (single serverFail responder, headersSent-guarded).
+    }
     req.on("error", function () {
       if (!refused) {
         refused = true;
@@ -944,9 +1029,29 @@ function create(opts) {
       }));
       return;
     }
+    var downloadDenied = false;
     Promise.resolve()
-      .then(function () { return opts.mailStore.downloadBlob(actor, accountId, blobId); })
+      // Cross-tenant gate (RFC 8620 §3.6.1): the accountId in the download
+      // URL must be one the actor is enumerated for, else accountNotFound —
+      // the foreign accountId never reaches downloadBlob.
+      .then(function () { return _permittedAccountIds(actor); })
+      .then(function (permitted) {
+        if (!permitted[accountId]) {
+          downloadDenied = true;
+          _emit("mail.server.jmap.account_not_found",
+            { op: "download", accountId: accountId, blobId: blobId }, "denied");
+          res.statusCode = 404;
+          res.setHeader("Content-Type", "application/json; charset=utf-8");
+          res.end(JSON.stringify({
+            type:        "urn:ietf:params:jmap:error:accountNotFound",
+            description: "accountId is not accessible to this actor",
+          }));
+          return undefined;
+        }
+        return opts.mailStore.downloadBlob(actor, accountId, blobId);
+      })
       .then(function (result) {
+        if (downloadDenied) return;
         if (!result || (typeof result !== "object" && !Buffer.isBuffer(result))) {
           res.statusCode = 404;
           res.setHeader("Content-Type", "application/json; charset=utf-8");

package/lib/middleware/body-parser.js

@@ -166,6 +166,29 @@ var BodyParserError = defineClass("BodyParserError", { withStatusCode: true });
 // in play — consistent prototype-pollution defense across the framework.
 var POISONED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 
+// Materialize a header/parameter map from request-derived [key, value]
+// pairs WITHOUT a computed member write (`target[key] = value`). A
+// request-keyed computed write is the CWE-915 unsafe-reflection /
+// CWE-1321 prototype-pollution sink: an attacker who controls the key
+// (Content-Type parameter name, multipart part-header name,
+// Content-Disposition parameter name) can target `__proto__` /
+// `constructor` / `prototype` and corrupt the prototype chain. Poisoned
+// keys are dropped, the remaining pairs are funneled through
+// `Object.fromEntries`, and the result carries no prototype chain
+// (`Object.create(null)`) so even a key that slipped a future POISONED_KEYS
+// gap cannot reach Object.prototype. The returned map has plain-object
+// shape (string keys → values) so existing named-property reads
+// (`.boundary`, `.charset`, `["content-disposition"]`, `.name`,
+// `.filename`) are unchanged.
+function _mapFromPairs(pairs) {
+  var safe = [];
+  for (var i = 0; i < pairs.length; i++) {
+    if (POISONED_KEYS.has(pairs[i][0])) continue;
+    safe.push(pairs[i]);
+  }
+  return Object.assign(Object.create(null), Object.fromEntries(safe));
+}
+
 // ---- defaults ----
 
 var DEFAULTS = Object.freeze({
@@ -221,7 +244,11 @@ function _contentType(req) {
   if (typeof ct !== "string") return { type: "", params: {} };
   var idx = ct.indexOf(";");
   var type = (idx === -1 ? ct : ct.slice(0, idx)).trim().toLowerCase();
-  var params = {};
+  // Collect [name, value] pairs, then materialize via _mapFromPairs so a
+  // request-controlled parameter name (e.g. `boundary` / `charset` / an
+  // attacker-supplied `__proto__`) is never used as a computed-write key
+  // (CWE-915 / CWE-1321). Poisoned names are dropped at materialization.
+  var paramPairs = [];
   if (idx !== -1) {
     var rest = ct.slice(idx + 1);
     // RFC 9110 §8.3 + §5.6.6 — parameter values may be quoted-string
@@ -238,10 +265,10 @@ function _contentType(req) {
       var v = p.slice(eq + 1).trim();
       var _unq = structuredFields.unquoteSfString(v);
       if (_unq !== null) v = _unq;
-      params[k] = v;
+      paramPairs.push([k, v]);
     }
   }
-  return { type: type, params: params };
+  return { type: type, params: _mapFromPairs(paramPairs) };
 }
 
 function _typeMatches(actual, allowed) {
@@ -583,7 +610,13 @@ function _parseMultipartHeaders(rawHeaders) {
   // §5.5 — header field values MUST NOT contain CR, LF, or NUL bytes.
   // We refuse the part outright (caller surfaces the throw as 400 + drop).
   var lines = rawHeaders.split("\r\n");
-  var out = {};
+  // Collect [name, value] pairs; materialize via _mapFromPairs so the
+  // request-controlled header name is never a computed-write key
+  // (CWE-915 / CWE-1321 — a part header literally named `__proto__` would
+  // otherwise pollute the prototype chain). Later headers of the same
+  // name keep last-wins (the prior `out[k] = v` overwrite semantics:
+  // Object.fromEntries takes the last pair for a duplicate key).
+  var headerPairs = [];
   for (var i = 0; i < lines.length; i++) {
     var line = lines[i];
     if (!line) continue;
@@ -609,9 +642,9 @@ function _parseMultipartHeaders(rawHeaders) {
         );
       }
     }
-    out[k] = v;
+    headerPairs.push([k, v]);
   }
-  return out;
+  return _mapFromPairs(headerPairs);
 }
 
 // Percent-decode an RFC 5987 ext-value's value segment under iso-8859-1.
@@ -672,14 +705,20 @@ function _parseHeaderParams(headerValue, filenameCharsets) {
   // is present, it takes precedence over the legacy `filename=`
   // companion (RFC 6266 §4.3). We surface the decoded value at
   // `filename` so downstream consumers don't need parser-aware code.
-  var out = { _value: "" };
-  if (!headerValue) return out;
+  if (!headerValue) return _mapFromPairs([["_value", ""]]);
   // RFC 6266 §4.1 + RFC 9110 §5.6.6 — parameter values may be
   // quoted-string (e.g. `filename="weird;name.txt"`). Bare
   // `.split(";")` would slice through the quoted semicolon and
   // corrupt the filename. Quote-aware shared splitter.
   var parts = structuredFields.splitTopLevel(headerValue, ";");
-  out._value = parts[0].trim().toLowerCase();
+  // Collect [name, value] pairs, then materialize via _mapFromPairs so a
+  // request-controlled Content-Disposition parameter name (or its
+  // ext-value `name*` bare form) is never a computed-write key
+  // (CWE-915 / CWE-1321). `_value` carries the disposition type;
+  // `filename` (when an ext-value decoded) takes precedence over the
+  // legacy `filename=` companion (RFC 6266 §4.3), preserved by appending
+  // it last so Object.fromEntries' last-wins resolves it.
+  var paramPairs = [["_value", parts[0].trim().toLowerCase()]];
   var extName = null;
   for (var i = 1; i < parts.length; i++) {
     var p = parts[i].trim();
@@ -694,14 +733,14 @@ function _parseHeaderParams(headerValue, filenameCharsets) {
       if (decoded !== null) {
         var bareKey = k.slice(0, -1);
         if (bareKey === "filename") extName = decoded;
-        out[bareKey] = decoded;
+        paramPairs.push([bareKey, decoded]);
       }
       continue;
     }
-    out[k] = v;
+    paramPairs.push([k, v]);
   }
-  if (extName !== null) out.filename = extName;
-  return out;
+  if (extName !== null) paramPairs.push(["filename", extName]);
+  return _mapFromPairs(paramPairs);
 }
 
 async function _parseMultipart(req, opts, ctParams) {
@@ -1173,20 +1212,27 @@ async function _parseMultipart(req, opts, ctParams) {
               var fbuf = Buffer.concat(currentBuf);
               var text = fbuf.toString("utf8");
               // Repeated field name → array, matching urlencoded parser.
-              if (Object.prototype.hasOwnProperty.call(fields, currentField)) {
-                // lgtm[js/remote-property-injection] — `currentField` is gated
-                // upstream at lib/middleware/body-parser.js:867 by
-                // POISONED_KEYS (__proto__ / constructor / prototype) which
-                // refuses the multipart part with a 400 BodyParserError before
-                // `currentField` is ever assigned. Reachable values cannot
-                // pollute the prototype chain.
-                if (Array.isArray(fields[currentField])) fields[currentField].push(text);
-                else fields[currentField] = [fields[currentField], text];
+              // `currentField` is request-controlled, so the accumulation
+              // never uses it as a computed-write key (`fields[key] = v`),
+              // which is the CWE-915 / CWE-1321 sink: it is merged through
+              // Object.fromEntries + Object.assign instead. The upstream
+              // POISONED_KEYS gate (the multipart-poisoned-field check above)
+              // already rejects __proto__ / constructor / prototype field
+              // names with a 400 before reaching here; the entries-merge is
+              // the structural backstop.
+              var fieldName = currentField;
+              var prior = Object.prototype.hasOwnProperty.call(fields, fieldName)
+                            ? fields[fieldName] : undefined;
+              var nextValue;
+              if (prior === undefined) {
+                nextValue = text;
+              } else if (Array.isArray(prior)) {
+                prior.push(text);
+                nextValue = prior;
               } else {
-                // lgtm[js/remote-property-injection] — see upstream POISONED_KEYS
-                // gate at lib/middleware/body-parser.js:867.
-                fields[currentField] = text;
+                nextValue = [prior, text];
               }
+              Object.assign(fields, Object.fromEntries([[fieldName, nextValue]]));
             }
             currentHeaders = null;
             currentField = null;

package/lib/middleware/csrf-protect.js

@@ -91,25 +91,36 @@ function _parseCookieHeader(header) {
   // just splits the name=value pairs. Keys that appear multiple times
   // resolve to the FIRST occurrence (browsers send pairs left-to-right
   // by registration order; the first is the most-specific path).
-  // Output object has no prototype chain — `Object.create(null)` defends
-  // against `__proto__` / `constructor` / `prototype` cookie-name keys
-  // polluting the prototype before the hasOwnProperty gate runs.
-  var out = Object.create(null);
-  if (typeof header !== "string" || header.length === 0) return out;
+  // Collect [name, value] pairs, then materialize the cookie map via
+  // Object.fromEntries onto a null-prototype object. The cookie name is
+  // attacker-controlled (Cookie request header), so it is never used as a
+  // computed-write key (`out[name] = value` / `seen[name] = true`) — that
+  // is the CWE-915 unsafe-reflection / CWE-1321 prototype-pollution sink.
+  // First-occurrence-wins de-duplication tracks names in a Set (add/has
+  // are method calls, not tainted-key property writes); POISONED names
+  // (`__proto__` / `constructor` / `prototype`) are dropped; and the
+  // null-prototype accumulator means even a slipped name cannot reach
+  // Object.prototype.
+  if (typeof header !== "string" || header.length === 0) return Object.create(null);
   var parts = header.split(/;\s*/);
+  var seen = new Set();
+  var pairs = [];
   for (var i = 0; i < parts.length; i++) {
     var p = parts[i];
     var eq = p.indexOf("=");
     if (eq === -1) continue;
     var k = p.slice(0, eq).trim();
-    if (k.length === 0 || Object.prototype.hasOwnProperty.call(out, k)) continue;
+    if (k.length === 0) continue;
+    if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
+    if (seen.has(k)) continue;  // first-occurrence wins
+    seen.add(k);
     var v = p.slice(eq + 1).trim();
     if (v.length >= 2 && v.charCodeAt(0) === 0x22 && v.charCodeAt(v.length - 1) === 0x22) {
       v = v.slice(1, -1);
     }
-    out[k] = v;
+    pairs.push([k, v]);
   }
-  return out;
+  return Object.assign(Object.create(null), Object.fromEntries(pairs));
 }
 
 // `_isHttps` defers to `requestHelpers.requestProtocol` so the