apostrophe 4.31.0-alpha.1 → 4.31.0

package/.claude/settings.local.json

@@ -0,0 +1,15 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(timeout 180 npx mocha:*)",
+      "Bash(timeout 600 npx mocha:*)",
+      "Bash(npm ls:*)",
+      "Bash(timeout 540 npx mocha:*)",
+      "Bash(echo:*)",
+      "Bash(timeout 10 node:*)",
+      "Bash(timeout 300 npx mocha:*)",
+      "Bash(timeout 60 npx mocha:*)",
+      "Bash(timeout 120 npx mocha:*)"
+    ]
+  }
+}

package/CHANGELOG.md

@@ -1,70 +1,30 @@
 # Changelog
 
-## 4.31.0
-
-### Minor Changes
-
-- 33bb4c0: Added support for `draggable: false` on non-inline `array` schema fields. Previously this option was only respected when `inline: true`. When set on a standard (modal-based) array field, drag-and-drop reordering and keyboard reordering are now disabled in the array editor's slat list.
-- dfd25cf: Introduced support for postgres://, sqlite://, and multipostgres:// database URIs in addition to mongodb://. The new db-connect API supports all of the database operations currently used in our own core, pro and multisite modules. For more information see the documentation.
-- 950927d: The session secret and the uploadfs `disabledFileKey` can now be supplied via the `APOS_SESSION_SECRET` and `APOS_UPLOADFS_DISABLED_FILE_KEY` environment variables. As with other Apostrophe environment variables, these take precedence over the corresponding `app.js` configuration.
-- cf1a639: Fixed an issue where using the Tab key to navigate within modals could incorrectly jump focus to a wrong element instead of the next input field.
-
-  Fixed Tab navigation escaping out of modals when the form contained hidden sections or elements that became disabled after editing.
-
-- 77a2968: Fix layout widget not regaining full focus on switching back to Edit content mode.
-- f67c272: Fixed adding or removing an area field from a schema breaking existing documents on an external front such as Astro.
-
-  - `AposArea` now renders only schema-backed areas. A missing area no longer throws, and an area orphaned by removing its field from the schema (while its content remains in the document) renders nothing instead of breaking sibling areas in edit mode. Logged-in editors get a diagnostic message in place of an orphaned area; anonymous visitors see nothing.
-  - Editable documents sent to an external front now materialize empty area objects for schema area fields added after the document was created, so they can be edited in context.
-  - `apos.util.getManagerOf` accepts a `{ log }` option to suppress its error log when probing objects that may not have a manager.
-
-- bc8f7be: Editors can now control the layout-widget gap through the styles system, both site-wide via a global `layoutGap` preset and per widget via a `gap` styles field. New Layout widget option `className` allows for additional CSS class names to be added to the widget Grid container.
-
-### Patch Changes
-
-- 2e2f3b4: Accessibility: corrected ARIA semantics on the top admin navigation bar.
-- 2e2f3b4: Accessibility: improvements to the document context title (admin bar middle group) and the underlying `AposContextMenu` machinery.
-- 2e2f3b4: Accessibility: improve the locale switcher (`AposLocalePicker`).
-- 2e2f3b4: Accessibility: the Recently Edited Documents tray icon (admin bar) now exposes its action through `aria-label`.
-- 2e2f3b4: Accessibility: fix `.apos-sr-only` so screen-reader-only content is exposed to the accessibility tree.
-- 2e2f3b4: Accessibility: icon-only context-utility buttons in the admin bar tray (e.g. the global settings cog) now expose their action through `aria-label`.
-- 41670a3: Security fix: the password reset request feature will refuse to operate unless the baseUrl option or the APOS_BASE_URL environment variable has been set (note that this is automatic in multisite projects). This fix is necessary to prevent a vulnerability that can be used to convince ApostropheCMS to send emails containing links to other sites. It is only a vulnerability if you have enabled the passwordReset: true option for the login module. Thanks to [SPIDY](https://github.com/Mujahidkhan525) for reporting the issue.
-- 9f458b5: Fix illegal HTML id attribute values generated by the admin UI
-- 08845c5: - Removed duplicate <meta charset> tag from `outerLayoutBase.html`
-  - Standardized charset to utf-8 (the legacy configuration option is now ignored). Per the spec this is the only legal setting, so we classify this as a bug fix
-  - Altered unused/legacy i18n template helper to return `utf-8`, ensuring backwards compatibility
-- b9b32bd: Keyboard shortcuts for widget operations (copy, cut, paste, duplicate, remove) no longer block the browser's native clipboard behavior when no widget is focused. Previously, selecting and copying text on a page while logged in was prevented by the admin UI intercepting those shortcuts unconditionally.
-- 2191c8a: Fix more admin UI a11y issues
-- 08dfcac: Security: a malicious full name containing HTML was executed as HTML in the tooltip displayed with an "i" icon next to the title of the current page, creating an
-  XSS attack risk versus other users. Since most projects permit users to change their full name (the "title" property), All projects with multiple users should be
-  updated promptly to close this vulnerability. Thanks to [Muhammad Uwais](https://github.com/MuhammadUwais) for reporting the issue.
-- 5d1a028: Security: launder now uses and exports the best available naughtyHref function for detecting malicious URLs. sanitize-html now depends on it, and apostrophe now uses type: 'url' for the link URL field of image widgets, which leverages it. Prior to this fix, it was possible for any user with editing privileges, including a contributor, to trigger arbitrary JavaScript via a javascript: URL in the link URL field of an image widget. A migration has been included to strip any such malicious URLs already present in the database. All users of apostrophe are encouraged to upgrade to get this security fix. Thanks to [Muhammad Uwais](https://github.com/MuhammadUwais) for reporting the issue.
-- 8098017: Security: the HTML import feature of the rich text widget no longer permits images to be fetched
-  from arbitrary hosts. This could be used to probe internal networks, and to exfiltrate images from
-  internal hosts if their URLs were known. Instead, the `imageImportAllowedHostnames` option of the
-  `@apostrophecms/rich-text-widget` must be configured to opt into that feature.
-
-  Thanks to [Yiğit Şengezer](https://github.com/yigitsengezer) and [Sainithin0309](https://github.com/Sainithin0309) for reporting this issue.
-
-- b7f9ad5: Sites with a custom filterByIndexPage method no longer experience failures in the sitemap module and potential creeping CPU performance penalties. A regression introduced with our static site support, but not specific to static sites.
-- b360b05: fixes issue where orderable table array items drag the entire floating window
-- e9b3bac: apostrophe and oembetter have been updated to eliminate a number of services that formerly supported
-  oembed for the general public, but no longer do so. While there is no security risk today, removing
-  these ensures that if these domains are ever allowed to lapse, they do not become an XSS
-  attack vector in the future.
-
-  Because oembed responses are not always iframes, it is important that this list be maintained
-  over time. In addition, developers always have the option to prune it on their own by setting
-  the new minimumAllowlist and minimumEndpoints options of the @apostrophecms/oembed module.
-
-  Thanks to [Sainithin0309](https://github.com/Sainithin0309) for pointing out the potential
-  long-term security concern.
-
-- Updated dependencies [862d760]
-- Updated dependencies [5d1a028]
-- Updated dependencies [8d4c882]
-  - sanitize-html@2.17.5
-  - launder@1.7.2
+## 4.31.0 (2026-06-10)
+
+### Adds
+
+- Added support for `draggable: false` on non-inline `array` schema fields. Previously this option was only respected when `inline: true`. When set on a standard (modal-based) array field, drag-and-drop reordering and keyboard reordering are now disabled in the array editor's slat list.
+- Introduced support for postgres://, sqlite://, and multipostgres:// database URIs in addition to mongodb://. The new db-connect API supports all of the database operations currently used in our own core, pro and multisite modules. For more information see the documentation.
+- JSX support for templates within ApostropheCMS. JSX is now co-equal with Nunjucks, with a gradual migration strategy. Anyone who is familiar with React will be very comfortable writing JSX templates, which also offer a superior debugging experience, and templates can be migrated gradually. JSX is a great option for those who don't wish to create parallel Astro and ApostropheCMS projects, but still prefer a modern syntax. For more information, see the new [JSX templates guide](https://apostrophecms.com/docs/guide/jsx-templates.html).
+- The session secret and the uploadfs `disabledFileKey` can now be supplied via the `APOS_SESSION_SECRET` and `APOS_UPLOADFS_DISABLED_FILE_KEY` environment variables. As with other Apostrophe environment variables, these take precedence over the corresponding `app.js` configuration.
+
+### Fixes
+
+- Fixed an issue where using the Tab key to navigate within modals could incorrectly jump focus to a wrong element instead of the next input field.
+Fixed Tab navigation escaping out of modals when the form contained hidden sections or elements that became disabled after editing.
+- Fixed adding or removing an area field from a schema breaking existing documents on an external front such as Astro.
+- For Astro: `AposArea` now renders only schema-backed areas. A missing area no longer throws, and an area orphaned by removing its field from the schema (while its content remains in the document) renders nothing instead of breaking sibling areas in edit mode. Logged-in editors get a diagnostic message in place of an orphaned area; anonymous visitors see nothing.
+- Editable documents sent to an external front (Asgtro) now materialize empty area objects for schema area fields added after the document was created, so they can be edited in context.
+- `apos.util.getManagerOf` accepts a `{ log }` option to suppress its error log when probing objects that may not have a manager.
+- Fix more admin UI a11y issues.
+- Selecting an item in a relationship "browse" dialog no longer scrolls the title and Cancel/Select buttons out of view when the item is far down the list.
+- Sites with a custom filterByIndexPage method no longer experience failures in the sitemap module and potential creeping CPU performance penalties. A regression introduced with our static site support, but not specific to static sites.
+
+### Security
+
+- Server-side prototype pollution (CWE-1321) via dot-notation paths. `apos.util.set()` and `apos.util.get()` now refuse to traverse `__proto__`, `constructor` and `prototype` path segments. Previously an authenticated editor could send a PATCH REST API request whose patch operators (for example `$pullAll` with a key of `__proto__.publicApiProjection`) wrote to `Object.prototype`. A polluted `publicApiProjection` defeated the `publicApiCheck()` authorization gate on piece-type REST endpoints for subsequent unauthenticated requests, for the lifetime of the Node.js process. All users should update. Thanks to [tonghuaroot](https://github.com/tonghuaroot), [H3xV0rT3x](https://github.com/H3xV0rT3x), and [5h1kh4r](https://github.com/5h1kh4r) for reporting the vulnerability.
+- When `@apostrophecms/file` pretty URLs are enabled (`prettyUrls: true`), the upstream request used to serve the file is no longer built from the incoming `Host` header. The self-request is now resolved against the site's configured `baseUrl` (via `req.baseUrl`), falling back to the request host only when no `baseUrl` is configured. This closes a server-side request forgery (SSRF) vector in which the `Host` header could steer the proxied fetch at another host. The real-world risk was low: the path is constrained to an existing attachment's `/uploads/attachments/<cuid>-<slug>.<ext>`, and cuids are unique and immutable, so any reachable content was already public via the front door. Thanks to [EchoSkorJjj](https://github.com/EchoSkorJjj) for reporting the issue.
 
 ## 4.30.0
 

package/modules/@apostrophecms/file/index.js

@@ -248,14 +248,15 @@ module.exports = {
             const uglyUrl = self.apos.attachment.url(file.attachment, {
               prettyUrl: false
             });
-            // For relative URLs (local uploadfs, not CDN), resolve
-            // against the current server's origin so the proxy can
-            // make the self-request.  During static builds
-            // `attachment.url()` may return only a path.
-            const proxyUrl = uglyUrl.startsWith('/')
-              ? `${req.protocol}://${req.get('host')}${uglyUrl}`
-              : uglyUrl;
-            return await streamProxy(req, proxyUrl, { error: self.apos.util.error });
+            // `uglyUrl` may be relative (local uploadfs) or absolute
+            // (S3/CDN). For the relative case `streamProxy` resolves it
+            // against `req.baseUrl`, which reflects the configured
+            // `baseUrl` (or locale hostname) and only falls back to the
+            // request host when the site has none. We deliberately do
+            // not build the upstream URL from the raw `Host` header
+            // here, as that is attacker-controlled and would allow the
+            // self-request to be redirected to an arbitrary host (SSRF).
+            return await streamProxy(req, uglyUrl, { error: self.apos.util.error });
           } catch (e) {
             self.apos.util.error('Error in pretty URL route:', e);
             return res.status(500).send('error');

package/modules/@apostrophecms/image/ui/apos/components/AposMediaUploader.vue

@@ -252,6 +252,9 @@ export default {
     @include apos-transition();
 
     & {
+      // Contain the visually hidden (`.apos-sr-only`, position: absolute)
+      // file input so focusing it does not scroll a distant ancestor.
+      position: relative;
       display: flex;
       box-sizing: border-box;
       align-items: center;

package/modules/@apostrophecms/ui/ui/apos/scss/global/_inputs.scss

@@ -372,6 +372,8 @@
   @include type-base;
 
   & {
+    // Do not remove - it fixes unintended `sr-only` side effect.
+    position: relative;
     display: flex;
     align-items: center;
     color: var(--a-base-2);

package/modules/@apostrophecms/util/index.js

@@ -35,6 +35,13 @@ const util = require('util');
 const { stripIndent } = require('common-tags');
 const glob = require('../../../lib/glob.js');
 
+// Dot-path segments that must never be traversed when walking a
+// user-supplied path in `apos.util.get` and `apos.util.set`. Following any
+// of these reaches the prototype chain and enables server-side prototype
+// pollution (CWE-1321), e.g. a PATCH `$pullAll` key of
+// `__proto__.publicApiProjection`.
+const unsafePathSegments = new Set([ '__proto__', 'constructor', 'prototype' ]);
+
 module.exports = {
   options: {
     alias: 'util',
@@ -755,6 +762,10 @@ module.exports = {
             if (o == null) {
               return undefined;
             }
+            if (unsafePathSegments.has(p)) {
+              // Never read through the prototype chain (CWE-1321)
+              return undefined;
+            }
             o = o[p];
           }
         }
@@ -819,6 +830,12 @@ module.exports = {
           }
         }
         path = path.split('.');
+        for (p of path) {
+          if (unsafePathSegments.has(p)) {
+            // Refuse to write through the prototype chain (CWE-1321)
+            throw self.apos.error('invalid', `Unsafe property name "${p}" in dot path`);
+          }
+        }
         for (i = 0; (i < (path.length - 1)); i++) {
           p = path[i];
           o = o[p];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "4.31.0-alpha.1",
+  "version": "4.31.0",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "repository": {
@@ -120,15 +120,15 @@
     "webpack": "^5.106.1",
     "webpack-merge": "^5.7.3",
     "xregexp": "^2.0.0",
-    "boring": "^1.1.1",
     "broadband": "^1.1.0",
-    "express-cache-on-demand": "^1.0.4",
-    "launder": "^1.7.2-alpha.1",
+    "launder": "^1.7.1",
+    "@apostrophecms/db-connect": "^1.0.1",
     "oembetter": "^1.2.0",
-    "sanitize-html": "^2.17.5-alpha.1",
-    "postcss-viewport-to-container-toggle": "^2.3.0",
+    "boring": "^1.1.1",
+    "express-cache-on-demand": "^1.0.4",
+    "sanitize-html": "^2.17.5",
     "uploadfs": "^1.26.1",
-    "@apostrophecms/db-connect": "^1.0.0"
+    "postcss-viewport-to-container-toggle": "^2.3.0"
   },
   "devDependencies": {
     "chai": "^4.3.10",
@@ -137,8 +137,8 @@
     "mocha": "^11.7.5",
     "nyc": "^17.1.0",
     "stylelint": "^16.5.0",
-    "stylelint-config-apostrophe": "^4.4.0",
-    "eslint-config-apostrophe": "^6.0.2"
+    "eslint-config-apostrophe": "^6.0.2",
+    "stylelint-config-apostrophe": "^4.4.0"
   },
   "browserslist": [
     "ie >= 10"

package/test/add-missing-schema-fields-project/node_modules/.package-lock.json

@@ -0,0 +1,131 @@
+{
+  "name": "add-missing-schema-fields-project",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "../..": {
+      "version": "4.28.0",
+      "license": "MIT",
+      "dependencies": {
+        "@apostrophecms/emulate-mongo-3-driver": "workspace:^",
+        "@apostrophecms/vue-material-design-icons": "^1.0.0",
+        "@ctrl/tinycolor": "^4.1.0",
+        "@floating-ui/dom": "^1.5.3",
+        "@opentelemetry/api": "^1.9.0",
+        "@opentelemetry/semantic-conventions": "^1.0.1",
+        "@paralleldrive/cuid2": "^2.2.2",
+        "@tiptap/extension-color": "^2.4.0",
+        "@tiptap/extension-floating-menu": "^2.0.3",
+        "@tiptap/extension-highlight": "^2.0.3",
+        "@tiptap/extension-link": "^2.0.3",
+        "@tiptap/extension-placeholder": "^2.0.3",
+        "@tiptap/extension-subscript": "^2.0.3",
+        "@tiptap/extension-superscript": "^2.0.3",
+        "@tiptap/extension-table": "^2.0.3",
+        "@tiptap/extension-table-cell": "^2.0.3",
+        "@tiptap/extension-table-header": "^2.0.3",
+        "@tiptap/extension-table-row": "^2.0.3",
+        "@tiptap/extension-text-align": "^2.0.3",
+        "@tiptap/extension-text-style": "^2.0.3",
+        "@tiptap/extension-underline": "^2.0.3",
+        "@tiptap/starter-kit": "^2.0.3",
+        "@tiptap/vue-3": "^2.0.3",
+        "@vue/compiler-sfc": "^3.3.8",
+        "autoprefixer": "^10.4.1",
+        "bluebird": "^3.7.2",
+        "body-parser": "^1.18.2",
+        "boring": "workspace:^",
+        "broadband": "workspace:^",
+        "cheerio": "^1.0.0-rc.10",
+        "chokidar": "^3.5.2",
+        "common-tags": "^1.8.0",
+        "concat-with-sourcemaps": "^1.1.0",
+        "connect-mongo": "^5.1.0",
+        "cookie-parser": "^1.4.5",
+        "cors": "^2.8.5",
+        "css-loader": "^5.2.4",
+        "cssnano": "^7.1.1",
+        "csv-parse": "^5.6.0",
+        "dayjs": "^1.9.8",
+        "dompurify": "^3.2.5",
+        "encodeurl": "^2.0.0",
+        "express": "^4.16.4",
+        "express-bearer-token": "^3.0.0",
+        "express-cache-on-demand": "workspace:^",
+        "express-session": "^1.18.2",
+        "fs-extra": "^7.0.1",
+        "glob": "^10.4.5",
+        "he": "^1.2.0",
+        "html-to-text": "^9.0.5",
+        "i18next": "^20.3.2",
+        "i18next-http-middleware": "^3.1.5",
+        "import-fresh": "^3.3.0",
+        "is-wsl": "^2.2.0",
+        "jsdom": "^24.1.0",
+        "klona": "^2.0.4",
+        "launder": "^1.4.0",
+        "lodash": "^4.17.21",
+        "mini-css-extract-plugin": "^1.6.0",
+        "minimatch": "^3.0.4",
+        "mkdirp": "^0.5.5",
+        "multer": "^2.0.2",
+        "node-fetch": "^2.6.1",
+        "nodemailer": "^7.0.10",
+        "nunjucks": "^3.2.1",
+        "oembetter": "^1.1.3",
+        "parseurl": "^1.3.3",
+        "passport": "^0.6.0",
+        "passport-local": "^1.0.0",
+        "path-to-regexp": "^1.8.0",
+        "performance-now": "^2.1.0",
+        "pinia": "^2.1.7",
+        "postcss": "^8.4.47",
+        "postcss-html": "^1.3.0",
+        "postcss-loader": "^8.1.1",
+        "postcss-scss": "^4.0.3",
+        "postcss-viewport-to-container-toggle": "workspace:^",
+        "prompts": "^2.4.1",
+        "qs": "^6.10.1",
+        "regexp-quote": "0.0.0",
+        "resolve": "^1.19.0",
+        "resolve-from": "^5.0.0",
+        "sanitize-html": "workspace:^",
+        "sass": "^1.80.3",
+        "sass-loader": "^16.0.0",
+        "server-destroy": "^1.0.1",
+        "sluggo": "^1.0.0",
+        "sortablejs": "^1.15.0",
+        "sortablejs-vue3": "^1.2.11",
+        "tiny-emitter": "^2.1.0",
+        "tough-cookie": "^4.0.0",
+        "underscore.string": "^3.3.4",
+        "uploadfs": "workspace:^",
+        "void-elements": "^3.1.0",
+        "vue": "^3.5.20",
+        "vue-advanced-cropper": "^2.8.8",
+        "vue-loader": "^17.1.0",
+        "vue-style-loader": "^4.1.3",
+        "webpack": "^5.72.0",
+        "webpack-merge": "^5.7.3",
+        "xregexp": "^2.0.0"
+      },
+      "devDependencies": {
+        "eslint": "^9.39.1",
+        "eslint-config-apostrophe": "workspace:^",
+        "form-data": "^4.0.4",
+        "mocha": "^11.7.1",
+        "nyc": "^17.1.0",
+        "stylelint": "^16.5.0",
+        "stylelint-config-apostrophe": "workspace:^"
+      },
+      "engines": {
+        "node": ">=16.0.0"
+      }
+    },
+    "node_modules/apostrophe": {
+      "resolved": "../..",
+      "link": true
+    }
+  }
+}

package/test/files.js

@@ -132,6 +132,34 @@ describe('Files', function() {
     }
   });
 
+  it('should ignore a spoofed Host header when proxying the pretty URL (SSRF regression)', async function() {
+    const req = apos.task.getAnonReq();
+    try {
+      apos.file.options.prettyUrls = true;
+      const files = await apos.file.find(req).toArray();
+      assert.strictEqual(files.length, 1);
+      const file = files[0];
+      const attachment = apos.attachment.first(file);
+      const url = apos.attachment.url(attachment);
+      assert(url);
+      // Send an attacker-controlled Host header (e.g. the cloud metadata
+      // address from the advisory). The upstream fetch must be resolved
+      // against the server-trusted baseUrl, not this header, so the
+      // legitimate content is still served and the request is never
+      // steered at the spoofed host.
+      const response = await apos.http.get(url, {
+        headers: {
+          Host: '169.254.169.254'
+        },
+        fullResponse: true
+      });
+      assert.strictEqual(response.status, 200);
+      assert.strictEqual(response.body, attachment.data);
+    } finally {
+      apos.file.options.prettyUrls = false;
+    }
+  });
+
 });
 
 describe('Files with i18n locale prefixes', function() {

package/test/utils.js

@@ -372,6 +372,109 @@ describe('Utils', async function() {
       assert(data.shoes[0].size === 8);
     });
 
+    // Server-Side Prototype Pollution (CWE-1321) regression coverage.
+    // apos.util.set and apos.util.get traverse user-supplied dot-notation
+    // paths. A segment of `__proto__`, `constructor` or `prototype` must
+    // never be followed, or an authenticated editor could write to
+    // Object.prototype (for example via the $pullAll patch operator) and
+    // poison authorization checks process-wide. See GHSA-6h5j-32cf-4253.
+
+    it('utils.set must reject a __proto__ segment instead of polluting Object.prototype', function() {
+      const data = {};
+      try {
+        assert.throws(() => {
+          apos.util.set(data, '__proto__.polluted', 'yes');
+        }, { name: 'invalid' });
+        assert.strictEqual({}.polluted, undefined);
+        assert.strictEqual(data.polluted, undefined);
+      } finally {
+        // Belt and suspenders: if the guard ever regresses, do not leak a
+        // polluted prototype into the rest of the suite.
+        delete Object.prototype.polluted;
+      }
+    });
+
+    it('utils.set must reject a constructor.prototype segment', function() {
+      const data = {};
+      try {
+        assert.throws(() => {
+          apos.util.set(data, 'constructor.prototype.polluted', 'yes');
+        }, { name: 'invalid' });
+        assert.strictEqual({}.polluted, undefined);
+      } finally {
+        delete Object.prototype.polluted;
+      }
+    });
+
+    it('utils.set must reject a trailing __proto__ segment rather than replacing the prototype', function() {
+      const data = {};
+      assert.throws(() => {
+        apos.util.set(data, '__proto__', { polluted: 'yes' });
+      }, { name: 'invalid' });
+      assert.strictEqual(Object.getPrototypeOf(data), Object.prototype);
+      assert.strictEqual(data.polluted, undefined);
+    });
+
+    it('utils.set must reject a dangerous segment exposed after an @ reference', function() {
+      const data = {
+        items: [
+          {
+            _id: 'abc',
+            sub: {}
+          }
+        ]
+      };
+      try {
+        assert.throws(() => {
+          apos.util.set(data, '@abc.__proto__.polluted', 'yes');
+        }, { name: 'invalid' });
+        assert.strictEqual({}.polluted, undefined);
+      } finally {
+        delete Object.prototype.polluted;
+      }
+    });
+
+    it('utils.get must not traverse into the prototype chain via __proto__', function() {
+      // Without the guard this returns Object.prototype.toString (a function).
+      assert.strictEqual(apos.util.get({ a: 1 }, '__proto__.toString'), undefined);
+      assert.strictEqual(apos.util.get({ a: 1 }, '__proto__'), undefined);
+    });
+
+    it('implementPatchOperators must not let a $pullAll key pollute Object.prototype', function() {
+      // The reported attack vector: an authenticated editor PATCH body of
+      // { $pullAll: { '__proto__.publicApiProjection': [] } } reached
+      // apos.util.set with a fully attacker-controlled key.
+      const patch = {
+        $pullAll: {
+          '__proto__.publicApiProjection': []
+        }
+      };
+      try {
+        assert.throws(() => {
+          apos.schema.implementPatchOperators(patch, {});
+        }, { name: 'invalid' });
+        assert.strictEqual({}.publicApiProjection, undefined);
+      } finally {
+        delete Object.prototype.publicApiProjection;
+      }
+    });
+
+    it('implementPatchOperators must not let a direct dot-notation key pollute Object.prototype', function() {
+      // The second documented entry point: a top-level dotted key whose value
+      // is fully attacker-controlled.
+      const patch = {
+        '__proto__.publicApiProjection': { title: 1 }
+      };
+      try {
+        assert.throws(() => {
+          apos.schema.implementPatchOperators(patch, {});
+        }, { name: 'invalid' });
+        assert.strictEqual({}.publicApiProjection, undefined);
+      } finally {
+        delete Object.prototype.publicApiProjection;
+      }
+    });
+
     it('should slugify', function () {
       // Basic
       assert.equal(