fix: use Object.hasOwn for action name lookup (#15721)

matthewp · web-flow · commit e6e146cb0ac5 · 2026-03-02T15:47:26.000-05:00
diff --git a/.changeset/fix-action-prototype-traversal.md b/.changeset/fix-action-prototype-traversal.md
@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Fixes action route handling to return 404 for requests to prototype method names like `constructor` or `toString` used as action paths
diff --git a/packages/astro/src/core/base-pipeline.ts b/packages/astro/src/core/base-pipeline.ts
@@ -198,7 +198,7 @@ export abstract class Pipeline {
 		}
 
 		for (const key of pathKeys) {
-			if (!(key in server)) {
+			if (!Object.hasOwn(server, key)) {
 				throw new AstroError({
 					...ActionNotFoundError,
 					message: ActionNotFoundError.message(pathKeys.join('.')),
diff --git a/packages/astro/test/actions.test.js b/packages/astro/test/actions.test.js
@@ -166,6 +166,19 @@ describe('Astro Actions', () => {
 			assert.equal(data.code, 'NOT_FOUND');
 		});
 
+		it('Returns 404 for prototype methods used as action names', async () => {
+			for (const name of ['constructor', '__proto__', 'toString', 'valueOf']) {
+				const res = await fixture.fetch(`/_actions/${name}`, {
+					method: 'POST',
+					body: JSON.stringify({}),
+					headers: {
+						'Content-Type': 'application/json',
+					},
+				});
+				assert.equal(res.status, 404, `Expected 404 for /_actions/${name}`);
+			}
+		});
+
 		it('Should fail when calling an action without using Astro.callAction', async () => {
 			const res = await fixture.fetch('/invalid/');
 			assert.equal(res.status, 500);
@@ -606,6 +619,20 @@ describe('Astro Actions', () => {
 			const data = await res.json();
 			assert.equal(data.code, 'NOT_FOUND');
 		});
+
+		it('Returns 404 for prototype methods used as action names', async () => {
+			for (const name of ['constructor', '__proto__', 'toString', 'valueOf']) {
+				const req = new Request(`http://example.com/_actions/${name}`, {
+					method: 'POST',
+					headers: {
+						'Content-Type': 'application/json',
+					},
+					body: JSON.stringify({}),
+				});
+				const res = await app.render(req);
+				assert.equal(res.status, 404, `Expected 404 for /_actions/${name}`);
+			}
+		});
 	});
 });
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'astro': patch
 +---
++
 +Fixes action route handling to return 404 for requests to prototype method names like `constructor` or `toString` used as action paths
Original file line number	Diff line number	Diff line change
`@@ -198,7 +198,7 @@ export abstract class Pipeline {`
`198`	`198`	`}`
`199`	`199`
`200`	`200`	`for (const key of pathKeys) {`
`201`		`- if (!(key in server)) {`
	`201`	`+ if (!Object.hasOwn(server, key)) {`
`202`	`202`	`throw new AstroError({`
`203`	`203`	`...ActionNotFoundError,`
`204`	`204`	`message: ActionNotFoundError.message(pathKeys.join('.')),`