
fix: header security issues #10749

Merged
jasonsaayman merged 4 commits into v1.x from fix/ghsa-6chq-wfr3-2hj9
Apr 18, 2026

Conversation

@jasonsaayman
Member

@jasonsaayman jasonsaayman commented Apr 18, 2026

Summary by cubic

Hardened FormData detection and header merging to block prototype‑pollution header injection (GHSA-6chq-wfr3-2hj9). Tightened URL encoding to avoid null‑byte decoding in query params.

Description

  • Summary of changes
    • isFormData: reject plain objects with Object.prototype/null prototype; require a real append; keep support for native FormData and form-data.
    • HTTP adapter: only use data.getHeaders when it’s a real function and not Object.prototype.getHeaders.
    • AxiosURLSearchParams: simplify regex and remove %00 handling (no null‑byte decoding).
  • Reasoning
    • Block attacker‑controlled getHeaders and related methods from merging malicious headers.
    • Eliminate null‑byte transformations in query encoding.
  • Additional context

Testing

  • Added a unit test that simulates Object.prototype pollution and verifies:
    • Prototype getHeaders is ignored.
    • No injected headers (e.g., x-injected, forged authorization) reach the server; legitimate auth remains intact.
  • No other tests changed.

Written for commit f898f0a. Summary will update on new commits.
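The two defences listed in the summary above, as a worked illustration added here; this is not the project's own code. The helper names (isFormDataNaive, isFormDataHardened, mergeBodyHeaders, withPollutedPrototype, FakeMultipart, encodeLegacy, encodeHardened) are hypothetical simplifications, the request body and headers are constructed, and the legacy encoder's mapping of %00 to a raw NUL byte models the null-byte decoding the summary says was removed.

```javascript
// Added example, not the project's own code. Models the defences described in
// the PR summary with simplified, hypothetical helpers.
'use strict';

const nativeToString = Object.prototype.toString; // captured before any pollution
const kindOf = (thing) => nativeToString.call(thing).slice(8, -1).toLowerCase();

// Naive duck typing: anything carrying an append() function passes. Once an
// attacker has polluted Object.prototype.append, every plain object passes.
function isFormDataNaive(thing) {
  return thing !== null && typeof thing === 'object' && typeof thing.append === 'function';
}

// Hardened check modelled on the summary: reject plain objects (prototype is
// Object.prototype or null), require an append() that is not inherited from
// Object.prototype, then accept native FormData or objects that identify as
// FormData (the form-data package's toString() returns '[object FormData]').
function isFormDataHardened(thing) {
  if (thing === null || typeof thing !== 'object') return false;
  const proto = Object.getPrototypeOf(thing);
  if (proto === null || proto === Object.prototype) return false;
  if (typeof thing.append !== 'function' || thing.append === Object.prototype.append) return false;
  if (typeof FormData === 'function' && thing instanceof FormData) return true;
  return kindOf(thing) === 'formdata' ||
    (typeof thing.toString === 'function' && thing.toString() === '[object FormData]');
}

// Simplified header-merge step of an HTTP adapter. With guarded=true it applies
// the summary's rule: call data.getHeaders() only when it is a real function
// and not Object.prototype.getHeaders.
function mergeBodyHeaders(headers, data, { guarded }) {
  const out = { ...headers };
  const looksLikeForm = guarded ? isFormDataHardened : isFormDataNaive;
  if (!looksLikeForm(data)) return out;
  const getHeaders = data.getHeaders;
  if (typeof getHeaders !== 'function') return out;
  if (guarded && getHeaders === Object.prototype.getHeaders) return out;
  for (const [name, value] of Object.entries(getHeaders.call(data))) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Simulates a prototype-pollution bug elsewhere in the process: append() and a
// getHeaders() that forges Authorization are planted on Object.prototype for the
// duration of fn(), then removed again.
function withPollutedPrototype(fn) {
  Object.prototype.append = function () {};
  Object.prototype.getHeaders = function () {
    return { 'x-injected': '1', authorization: 'Bearer forged' };
  };
  try {
    return fn();
  } finally {
    delete Object.prototype.append;
    delete Object.prototype.getHeaders;
  }
}

// Constructed stand-in for a form-data instance (not the real package).
class FakeMultipart {
  append() {}
  getHeaders() { return { 'content-type': 'multipart/form-data; boundary=abc' }; }
  toString() { return '[object FormData]'; }
}

// Runs a plain JSON-style body through both merge paths while the prototype is
// polluted, and a genuine form body through the guarded path.
function demoHeaderInjection() {
  const headers = { authorization: 'Bearer legit' };
  const plainBody = { user: 'alice' }; // constructed request body
  return withPollutedPrototype(() => ({
    naive: mergeBodyHeaders(headers, plainBody, { guarded: false }),
    guarded: mergeBodyHeaders(headers, plainBody, { guarded: true }),
    realForm: mergeBodyHeaders(headers, new FakeMultipart(), { guarded: true }),
  }));
}

// Query-parameter encoders. The legacy one models the removed behaviour: an
// encoded %00 is turned back into a raw NUL byte. The hardened one leaves it
// percent-encoded.
const ENCODE_MAP = { '!': '%21', "'": '%27', '(': '%28', ')': '%29', '~': '%7E', '%20': '+' };

function encodeLegacy(str) {
  const map = { ...ENCODE_MAP, '%00': '\x00' };
  return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g, (m) => map[m]);
}

function encodeHardened(str) {
  return encodeURIComponent(str).replace(/[!'()~]|%20/g, (m) => ENCODE_MAP[m]);
}

console.log(demoHeaderInjection());
console.log(JSON.stringify(encodeLegacy('a\x00b')), JSON.stringify(encodeHardened('a\x00b')));
```

The naive path ends up with the forged Authorization and the extra x-injected header; the guarded path keeps the caller's Authorization untouched and still merges headers from a genuine multipart body. Note that the guard compares against Object.prototype.getHeaders by identity, which is exactly the rule the summary states; a value planted on some other prototype in the chain is outside the scope of this change.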

@jasonsaayman jasonsaayman self-assigned this Apr 18, 2026
@jasonsaayman jasonsaayman added the labels priority::medium (A medium priority), commit::fix (The PR is related to a bugfix) and type::security (The PR is a security related change, normally from a CVE) Apr 18, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 4 files

Confidence score: 5/5

  • Low merge risk overall: the only finding is low severity (3/10) and limited to a unit test expectation in tests/unit/adapters/http.test.js, not production runtime logic.
  • Most notable issue is that treating an arbitrary request error as success could let the test pass without actually validating that prototype-polluted headers are ignored, which weakens test assurance.
  • Pay close attention to tests/unit/adapters/http.test.js - tighten the error assertion so the test proves the intended security-related behavior rather than passing on unrelated failures.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="tests/unit/adapters/http.test.js">

<violation number="1" location="tests/unit/adapters/http.test.js:2570">
P3: Don't treat an arbitrary request error as success here; it lets the test pass without proving that prototype-polluted headers were ignored.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Review thread on tests/unit/adapters/http.test.js (outdated)
@jasonsaayman jasonsaayman changed the title from "fix: header header security issues" to "fix: header security issues" Apr 18, 2026
@jasonsaayman
Member Author

@cubic-dev-ai please review again!

@cubic-dev-ai
Contributor

cubic-dev-ai Bot commented Apr 18, 2026

@cubic-dev-ai please review again!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 3 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@jasonsaayman jasonsaayman merged commit 37cf18f into v1.x Apr 18, 2026
25 checks passed
@jasonsaayman jasonsaayman deleted the fix/ghsa-6chq-wfr3-2hj9 branch April 18, 2026 12:56