@blamejs/core 0.9.46 → 0.10.1

package/lib/middleware/protected-resource-metadata.js

@@ -26,6 +26,8 @@
 var framework_error = require("../framework-error");
 var validateOpts    = require("../validate-opts");
 var requestHelpers  = require("../request-helpers");
+var safeUrl         = require("../safe-url");
+var nodeCrypto      = require("node:crypto");
 
 var H = requestHelpers.HTTP_STATUS;
 
@@ -36,6 +38,15 @@ var ProtectedResourceMetadataError = framework_error.defineClass(
 
 var ALLOWED_BEARER_METHODS  = ["header", "body", "query"];
 var ALLOWED_DPOP_ALGS       = ["ES256", "ES384", "RS256", "PS256", "EdDSA", "ML-DSA-65", "ML-DSA-87"];
+// RFC 9728 §3.2 — signed_metadata signing algs. PQC-first per the
+// framework's hard rule §2 (ML-DSA-* preferred); classical algs
+// available for backwards-interop with relying parties without PQC
+// libraries on hand.
+var ALLOWED_SIGNED_METADATA_ALGS = ["ML-DSA-87", "ML-DSA-65", "EdDSA", "ES256", "ES384", "PS256", "PS384"];
+
+function _b64url(buf) {
+  return Buffer.from(buf).toString("base64url");
+}
 
 /**
  * @primitive b.middleware.protectedResourceMetadata
@@ -83,12 +94,30 @@ function create(opts) {
       "middleware/protected-resource-metadata/no-as",
       "authorizationServers must be a non-empty array of issuer URLs");
   }
+  // AUTH-17 — RFC 9728 §3 + RFC 8414 §3.1: authorizationServers entries
+  // are issuer URLs and MUST be https://. Pre-v0.9.x only required
+  // non-empty string, so an operator typo could ship `http://idp.test`
+  // (or, worse, `javascript:` / `data:`) to clients via the well-known
+  // document. allowHttp opts.allowHttp passes the framework's
+  // safe-url loopback exception through (matches b.auth.oauth's
+  // _validateUrl shape).
+  var allowHttp = opts.allowHttp === true;
   opts.authorizationServers.forEach(function (u, i) {
     if (typeof u !== "string" || u.length === 0) {
       throw new ProtectedResourceMetadataError(
         "middleware/protected-resource-metadata/bad-as",
         "authorizationServers[" + i + "] must be a non-empty string");
     }
+    try {
+      safeUrl.parse(u, {
+        allowedProtocols: allowHttp ? safeUrl.ALLOW_HTTP_ALL : safeUrl.ALLOW_HTTP_TLS,
+      });
+    } catch (_e) {
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-as-url",
+        "authorizationServers[" + i + "] = '" + u + "' is not a valid " +
+        (allowHttp ? "http(s)" : "https") + " URL (RFC 9728 §3 / RFC 8414 §3.1)");
+    }
   });
 
   var bearerMethods = opts.bearerMethodsSupported || ["header"];
@@ -127,8 +156,73 @@ function create(opts) {
   if (opts.dpopBoundAccessTokensRequired === true) doc.dpop_bound_access_tokens_required = true;
   if (opts.mtlsBoundAccessTokensRequired === true) doc.tls_client_certificate_bound_access_tokens = true;
 
+  // AUTH-18 — RFC 9728 §3.2 signed_metadata. Operators with an
+  // anti-tamper requirement pass `signMetadata: { key, alg, kid }`;
+  // the middleware emits `application/jwt` carrying the JWS-signed
+  // metadata. Default output remains cleartext `application/json`.
+  var signedJwt = null;
+  var signedDoc = null;
+  if (opts.signMetadata) {
+    var sm = opts.signMetadata;
+    if (!sm || typeof sm !== "object") {
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-sign",
+        "signMetadata must be an object { key, alg, kid? }");
+    }
+    if (!sm.alg || ALLOWED_SIGNED_METADATA_ALGS.indexOf(sm.alg) === -1) {
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-sign-alg",
+        "signMetadata.alg '" + sm.alg + "' not in allowlist: " +
+        ALLOWED_SIGNED_METADATA_ALGS.join(", "));
+    }
+    if (!sm.key) {
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-sign-key",
+        "signMetadata.key is required (KeyObject, PEM string/Buffer, or JWK object)");
+    }
+    var signingKey;
+    try {
+      if (sm.key instanceof nodeCrypto.KeyObject) {
+        signingKey = sm.key;
+      } else if (typeof sm.key === "string" || Buffer.isBuffer(sm.key)) {
+        signingKey = nodeCrypto.createPrivateKey({ key: sm.key, format: "pem" });
+      } else if (typeof sm.key === "object") {
+        signingKey = nodeCrypto.createPrivateKey({ key: sm.key, format: "jwk" });
+      } else {
+        throw new ProtectedResourceMetadataError(
+          "middleware/protected-resource-metadata/bad-sign-key",
+          "signMetadata.key must be KeyObject, PEM string/Buffer, or JWK object");
+      }
+    } catch (e) {
+      if (e instanceof ProtectedResourceMetadataError) throw e;
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-sign-key",
+        "signMetadata.key parse failed: " + ((e && e.message) || String(e)));
+    }
+    // RFC 9728 §3.2 — signed_metadata is a JWS carrying the same
+    // metadata claims as the cleartext document plus iss + sub
+    // (resource URI) for identification at consume-side.
+    signedDoc = Object.assign({}, doc, { iss: opts.resource, sub: opts.resource });
+    var jwsHeader = { alg: sm.alg, typ: "oauth-protected-resource+jwt" };
+    if (sm.kid) jwsHeader.kid = sm.kid;
+    var headerEnc  = _b64url(JSON.stringify(jwsHeader));
+    var payloadEnc = _b64url(JSON.stringify(signedDoc));
+    var input      = headerEnc + "." + payloadEnc;
+    // PQC algs (ML-DSA-*) + EdDSA pass null hash; ES* / PS* / RS* use
+    // their RFC 7518 hash + dsaEncoding shape.
+    var signParams = { key: signingKey };
+    var signAlgo   = null;
+    if (sm.alg === "ES256") { signAlgo = "sha256"; signParams.dsaEncoding = "ieee-p1363"; }
+    else if (sm.alg === "ES384") { signAlgo = "sha384"; signParams.dsaEncoding = "ieee-p1363"; }
+    else if (sm.alg === "PS256") { signAlgo = "sha256"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 32; }   // allow:raw-byte-literal — RFC 7518 PS256 salt
+    else if (sm.alg === "PS384") { signAlgo = "sha384"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 48; }   // allow:raw-byte-literal — RFC 7518 PS384 salt
+    var sig = nodeCrypto.sign(signAlgo, Buffer.from(input, "ascii"), signParams);
+    signedJwt = input + "." + _b64url(sig);
+  }
+
   var bodyText  = JSON.stringify(doc);
   var bodyBytes = Buffer.byteLength(bodyText, "utf8");
+  var signedBytes = signedJwt ? Buffer.byteLength(signedJwt, "utf8") : 0;
 
   function middleware(req, res, next) {
     if (req.url !== path && req.url.split("?")[0] !== path) {
@@ -143,6 +237,22 @@ function create(opts) {
       res.end();
       return;
     }
+    // RFC 9728 §3.2 — operators that wired signMetadata serve the JWS
+    // form when the client advertises Accept: application/jwt (or via
+    // the *.jwt path suffix). The cleartext document is still served
+    // on the default path / Accept: application/json.
+    var accept = (req.headers && req.headers.accept) || "";
+    var wantsSigned = signedJwt && (accept.indexOf("application/jwt") !== -1);
+    if (wantsSigned) {
+      res.writeHead(H.OK, {
+        "Content-Type":   "application/jwt",
+        "Content-Length": String(signedBytes),
+        "Cache-Control":  "public, max-age=3600",
+      });
+      if (req.method === "HEAD") { res.end(); return; }
+      res.end(signedJwt);
+      return;
+    }
     res.writeHead(H.OK, {
       "Content-Type":   "application/json",
       "Content-Length": String(bodyBytes),
@@ -152,8 +262,9 @@ function create(opts) {
     res.end(bodyText);
   }
 
-  middleware.document = doc;
-  middleware.path     = path;
+  middleware.document      = doc;
+  middleware.signedMetadata = signedJwt;
+  middleware.path          = path;
   return middleware;
 }
 
@@ -162,4 +273,5 @@ module.exports = {
   ProtectedResourceMetadataError: ProtectedResourceMetadataError,
   ALLOWED_BEARER_METHODS:        ALLOWED_BEARER_METHODS,
   ALLOWED_DPOP_ALGS:             ALLOWED_DPOP_ALGS,
+  ALLOWED_SIGNED_METADATA_ALGS:  ALLOWED_SIGNED_METADATA_ALGS,
 };

package/lib/network-dns-resolver.js

@@ -127,6 +127,13 @@ var DEFAULT_MAX_TTL_MS    = C.TIME.hours(24);
 var DEFAULT_MIN_TTL_MS    = C.TIME.seconds(60);
 var DEFAULT_STALE_WINDOW  = C.TIME.hours(6);
 var DEFAULT_PROFILE       = "strict";
+// BUG-1 / MAIL-26 — CWE-400/770. Bound the cache so a hostile peer
+// that can drive query-name selection (e.g. inbound SMTP forwarding
+// DKIM `s=` / `d=` tag-controlled lookups) cannot inflate the Map to
+// OOM. Default 5000 entries: a parsed-response object ~100 bytes ×
+// 5000 ≈ 500 KiB, several orders below operator-relevant memory
+// pressure. LRU eviction picks the oldest accessed entry on overflow.
+var DEFAULT_MAX_CACHE_ENTRIES = 5000;                                                                  // allow:raw-byte-literal — cache-entry count, not a byte/time value
 
 var QTYPE_BY_NAME = Object.freeze({
   A:      1,
@@ -200,9 +207,33 @@ function create(opts) {
     throw new ResolverError("resolver/bad-input",
       "create: serveStale must be a non-negative finite number or false");
   }
+  var maxCacheEntries = typeof opts.maxCacheEntries === "number"
+    ? opts.maxCacheEntries : DEFAULT_MAX_CACHE_ENTRIES;
+  if (!isFinite(maxCacheEntries) || maxCacheEntries < 1 ||
+      Math.floor(maxCacheEntries) !== maxCacheEntries) {
+    throw new ResolverError("resolver/bad-input",
+      "create: maxCacheEntries must be a positive integer");
+  }
 
   var cache = new Map();                  // key → { response, parsed, ttl, expiresAt, staleUntil }
 
+  // CWE-400/770 / BUG-1 — LRU eviction on insert when the cache is at
+  // capacity. v8 Map preserves insertion order; oldest key is the
+  // first entry returned by Map.keys().next().
+  function _evictIfFull() {
+    while (cache.size >= maxCacheEntries) {
+      var oldest = cache.keys().next();
+      if (oldest.done) break;
+      cache.delete(oldest.value);
+    }
+  }
+  // Touching a hit moves it to the LRU tail — delete-then-set keeps
+  // active queries hot under cache pressure.
+  function _touch(key, entry) {
+    cache.delete(key);
+    cache.set(key, entry);
+  }
+
   function _key(name, qtype) {
     return name.toLowerCase() + "|" + qtype;
   }
@@ -244,6 +275,7 @@ function create(opts) {
           "query: validate: true but cached response was AD=0 for " +
           name + "/" + qtype);
       }
+      _touch(key, hit);                     // LRU bump
       return _result(hit.parsed, hit.ttl, true, false, hit.validated);
     }
 
@@ -297,6 +329,7 @@ function create(opts) {
     var ttlMs = Math.max(minTtlMs, Math.min(maxTtlMs, rrTtl * C.TIME.seconds(1)));
     var expiresAt  = now + ttlMs;
     var staleUntil = serveStale > 0 ? expiresAt + serveStale : expiresAt;
+    _evictIfFull();
     cache.set(key, {
       parsed:     parsed,
       ttl:        ttlMs,

package/lib/network-tls.js

@@ -3048,6 +3048,51 @@ function _checkServerIdentityStrict(host, cert) {
   return checkServerIdentity9525(host, cert);
 }
 
+// CVE-2026-21637 — Node propagates a synchronous throw from an
+// operator-supplied SNICallback up through the TLS handshake listener;
+// the unhandled throw on an unexpected servername crashes the
+// listener. RFC 6066 §3 expects the server to abort the handshake on a
+// failed callback, NOT crash the process.
+//
+// `wrapSNICallback(operatorCb)` returns a wrapper that:
+//
+//   - Calls the operator callback in a try/catch.
+//   - Surface a synchronous throw via the async (err, null) callback so
+//     the TLS handshake aborts cleanly. Cb is best-effort: an operator
+//     callback that throws AFTER invoking the callback already (double
+//     invoke) gets the throw caught here without double-invoking again.
+//   - Emit an audit event so a burst of crashes-that-weren't surfaces
+//     in operator review.
+//   - Returns the operator's original callback unchanged if it's not a
+//     function (lets the caller pass undefined through without
+//     special-casing).
+//
+// router.js routes its operator-supplied tlsOptions.SNICallback through
+// this helper before handing the options off to https.createServer.
+// Any future framework primitive that takes operator SNICallback
+// values does the same.
+function wrapSNICallback(operatorCb) {
+  if (typeof operatorCb !== "function") return operatorCb;
+  return function _wrappedSNICallback(servername, cb) {
+    try {
+      operatorCb(servername, cb);
+    } catch (err) {
+      try {
+        audit().safeEmit({
+          action:   "network.tls.sni_callback_threw",
+          outcome:  "failure",
+          metadata: {
+            servername: typeof servername === "string" ? servername : null,
+            reason:     (err && err.message) ? err.message : String(err),
+          },
+        });
+      } catch (_auditErr) { /* drop-silent — audit best-effort */ }
+      try { cb(err, null); }
+      catch (_cbErr) { /* cb already invoked or unavailable */ }
+    }
+  };
+}
+
 module.exports = {
   addCa:               addCa,
   addCaBundle:         addCaBundle,
@@ -3073,6 +3118,7 @@ module.exports = {
   parseEchConfigList:  parseEchConfigList,
   connectWithEch:      connectWithEch,
   checkServerIdentity9525: checkServerIdentity9525,
+  wrapSNICallback:     wrapSNICallback,
   TlsTrustError:       TlsTrustError,
   NetworkTlsError:     NetworkTlsError,
   _resetForTest:       _resetForTest,

package/lib/outbox.js

@@ -342,27 +342,77 @@ function create(opts) {
   var stopping = false;
   var inFlight = null;
 
+  // SUBSTRATE-23 — `FOR UPDATE SKIP LOCKED` is Postgres / MySQL 8+ only.
+  // SQLite (single-writer at the DB level, but WAL mode lets multiple
+  // processes share the file with concurrent SELECTs) doesn't support
+  // SKIP LOCKED — feeding it Postgres syntax silently double-publishes
+  // every row when two processes poll in parallel. Detect the dialect
+  // at runtime; only emit FOR UPDATE SKIP LOCKED when the backend
+  // declares postgres / mysql.
+  //
+  // Operator-visible: dialect comes from `externalDb.dialect` (set at
+  // `b.externalDb.create({ dialect: "postgres" | "mysql" | "sqlite" }`).
+  // Other backends fall back to the conservative "mark-then-update"
+  // path that works on every SQL dialect at the cost of a tiny race
+  // window between the SELECT + UPDATE (mitigated by status='in-flight'
+  // marker — duplicate publishes still bounded by retry visibility).
+  function _supportsForUpdateSkipLocked() {
+    var d = externalDb.dialect;
+    return d === "postgres" || d === "mysql";
+  }
+
   async function _claimBatch() {
+    var supportsSkipLocked = _supportsForUpdateSkipLocked();
     return await externalDb.transaction(async function (xdb) {
       var nowExpr = _utcNowExpr(externalDb);
-      var rows = await xdb.query(
+      var selectSql =
         "SELECT id, topic, payload, key, headers, attempts" +
         " FROM " + quotedTable +
         " WHERE status = 'pending' AND next_attempt_at <= $1" +
         " ORDER BY next_attempt_at" +
-        " LIMIT $2" +
-        " FOR UPDATE SKIP LOCKED",
-        [nowExpr, batchSize]
-      );
+        " LIMIT $2";
+      if (supportsSkipLocked) {
+        selectSql += " FOR UPDATE SKIP LOCKED";
+      }
+      var rows = await xdb.query(selectSql, [nowExpr, batchSize]);
       if (!rows || !rows.rows || rows.rows.length === 0) return [];
       var ids = rows.rows.map(function (r) { return r.id; });
-      // Mark as 'in-flight' so a parallel publisher won't re-claim them
-      // when the row lock releases (after the SELECT-for-update txn).
-      await xdb.query(
-        "UPDATE " + quotedTable + " SET status = 'in-flight' WHERE id = ANY($1)",
-        [ids]
-      );
-      return rows.rows.map(function (r) {
+      // Atomic claim: when the dialect lacks SKIP LOCKED, the UPDATE
+      // WHERE status='pending' AND id IN (...) ensures only ONE publisher
+      // sees each row transition from 'pending' to 'in-flight' — the
+      // other publisher's UPDATE matches zero rows and its batch shrinks.
+      // We re-select after the UPDATE to know which IDs we actually
+      // claimed (sqlite UPDATE doesn't return affected rows the same
+      // way Postgres does).
+      var actuallyClaimed;
+      if (supportsSkipLocked) {
+        // Postgres/MySQL: row lock held; ANY($1) update is safe.
+        await xdb.query(
+          "UPDATE " + quotedTable + " SET status = 'in-flight' WHERE id = ANY($1)",
+          [ids]
+        );
+        actuallyClaimed = rows.rows;
+      } else {
+        // SQLite (or "other") path: emit a portable UPDATE that
+        // refuses overlap by gating on status='pending'. After the
+        // update we re-read the in-flight rows we own; rows that
+        // another publisher beat us to are skipped.
+        // Use placeholders so the SQL stays parameterized regardless
+        // of dialect array semantics.
+        var placeholders = ids.map(function (_, i) { return "$" + (i + 1); }).join(",");
+        await xdb.query(
+          "UPDATE " + quotedTable +
+          " SET status = 'in-flight' WHERE status = 'pending' AND id IN (" + placeholders + ")",
+          ids
+        );
+        var afterRows = await xdb.query(
+          "SELECT id, topic, payload, key, headers, attempts FROM " + quotedTable +
+          " WHERE status = 'in-flight' AND id IN (" + placeholders + ")",
+          ids
+        );
+        actuallyClaimed = (afterRows && afterRows.rows) || [];
+      }
+      return actuallyClaimed.map(function (r) {
         return {
           id:       r.id,
           topic:    r.topic,

package/lib/pqc-agent.js

@@ -253,13 +253,21 @@ function _getDefaultAgent() {
  *   logger.info("pqc-agent reloaded", res);
  */
 function reload() {
-  var hadAgent = _defaultAgent !== null;
-  if (hadAgent) {
-    try { _defaultAgent.destroy(); }
+  // CRYPTO-9 — null the cached agent BEFORE calling destroy. The
+  // previous order let a concurrent _getDefaultAgent() see the
+  // destroyed-not-null agent and hand it to a caller; the caller
+  // then tries to issue a request through a torn-down keep-alive
+  // pool and surfaces a "socket destroyed" error. Null-first means
+  // every concurrent _getDefaultAgent() either sees the live agent
+  // (request lands on the about-to-be-torn-down pool — natural
+  // graceful drain) or the null sentinel (builds fresh).
+  var prior = _defaultAgent;
+  _defaultAgent = null;
+  if (prior) {
+    try { prior.destroy(); }
     catch (_e) { /* destroy is best-effort */ }
-    _defaultAgent = null;
   }
-  return { destroyed: hadAgent };
+  return { destroyed: prior !== null };
 }
 
 module.exports = {

package/lib/retry.js

@@ -39,7 +39,6 @@
 
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
-var nodeCrypto = require("node:crypto");
 var numericChecks = require("./numeric-checks");
 // safe-async re-exports withRetry + CircuitBreaker from this module, so a
 // direct top-level require would create a cycle. Lazy-require defers the
@@ -239,10 +238,19 @@ function isRetryable(err) {
  *
  * Compute the backoff in milliseconds for a given (1-based) `attempt`
  * number. Exponential growth `baseDelayMs * 2^(attempt-1)` capped at
- * `maxDelayMs`, then subtract a cryptographic jitter sample scaled by
- * `jitterFactor` so retrying clients do not realign on the same
- * boundary. Throws TypeError when `attempt` is not a positive integer.
- * `opts` defaults to `b.retry.DEFAULT_RETRY` when absent.
+ * `maxDelayMs`, then subtract a Math.random-sourced jitter sample
+ * scaled by `jitterFactor` so retrying clients spread across the
+ * millisecond window instead of realigning on the same boundary
+ * (thundering-herd avoidance). Throws TypeError when `attempt` is
+ * not a positive integer. `opts` defaults to `b.retry.DEFAULT_RETRY`
+ * when absent.
+ *
+ * Jitter is intentionally NOT a CSPRNG sample — the per-request delay
+ * is observable to every peer client by construction (the request
+ * that comes in carries its own arrival timing), so there is no
+ * confidentiality property a stronger random source would protect.
+ * Math.random is the right tool for thundering-herd avoidance and
+ * costs ~50x less than a CSPRNG randomInt() under a retry storm.
  *
  * @opts
  *   baseDelayMs:  number,   // initial backoff (default 100)
@@ -263,10 +271,16 @@ function backoffDelay(attempt, opts) {
   opts = opts || DEFAULT_RETRY;
   var base = opts.baseDelayMs * Math.pow(2, attempt - 1);
   var capped = Math.min(base, opts.maxDelayMs);
-  // Cryptographically-strong jitter so a timing-attack mitigation isn't
-  // undermined by Math.random's predictable PRNG.
-  var jitterDenom = 1_000_000;
-  var jitter = capped * opts.jitterFactor * (nodeCrypto.randomInt(0, jitterDenom) / jitterDenom);
+  // CRYPTO-12 — jitter exists to spread retry storms across the
+  // millisecond window so N peer clients waking from the same
+  // upstream outage don't all hit the recovering service at the same
+  // tick. The value is observable to every client by construction
+  // (the request that comes in carries its own timing); there's no
+  // confidentiality property to protect, so a CSPRNG would burn
+  // 30-50K randomInt/sec under a retry storm without any security
+  // payoff. Math.random's PRNG is the right tool for
+  // thundering-herd avoidance.
+  var jitter = capped * opts.jitterFactor * Math.random();                                           // allow:math-random-noncrypto — jitter for thundering-herd, not a confidentiality primitive
   return Math.floor(capped - jitter);
 }
 

package/lib/router.js

@@ -463,6 +463,14 @@ class Router {
   }
 
   _registerRoute(method, pattern, args) {
+    // CVE-2026-4923 — refuse pattern with more than 3 consecutive `*`
+    // metacharacters. The framework's segment matcher doesn't compile
+    // regex from operator input, but the policy stays crisp at the
+    // registration boundary.
+    if (typeof pattern === "string" && /\*{4,}/.test(pattern)) {
+      throw new Error(method + " " + pattern + ": route pattern refused " +
+        "(CVE-2026-4923) — more than 3 consecutive '*' metacharacters");
+    }
     var split = this._splitArgs(args);
     if (split.spec) _validateRouteSpec(split.spec, method, pattern);
     var handlers = split.handlers;
@@ -656,7 +664,21 @@ class Router {
       allowedProtocols: safeUrl.ALLOW_HTTP_ALL,
     });
     req.pathname = parsed.pathname;
-    req.query = Object.fromEntries(parsed.searchParams);
+    // CVE-2026-21717 V8 HashDoS defense — cap distinct query keys
+    // before forming the dense object. Integer-shaped keys past 1000
+    // entries degrade V8 hidden-class transitions to O(n²).
+    var queryEntries = [];
+    var queryKeyCount = 0;
+    for (var pair of parsed.searchParams) {
+      queryKeyCount += 1;
+      if (queryKeyCount > 1000) {                                                                  // allow:raw-byte-literal — CVE-2026-21717 V8 HashDoS query-key cap
+        res.statusCode = 400;
+        res.end("400 Bad Request: too many query keys");
+        return;
+      }
+      queryEntries.push(pair);
+    }
+    req.query = Object.fromEntries(queryEntries);
 
     // Run middleware
     for (var mw of this.middleware) {