Harden server island POST endpoint to use own-property checks#15765

Merged
matthewp merged 1 commit into main from fix/bugbot-126
Mar 11, 2026

Conversation

@matthewp matthewp commented Mar 5, 2026

Note that there isn't a security issue here; this is defense in depth.

Changes

  • Updates server island POST endpoint validation in getRequestData() to use Object.hasOwn() instead of the in operator when checking for plaintext slots and componentExport properties
  • This ensures only own properties on the parsed JSON data are validated, improving consistency with standard property-checking patterns

Testing

  • Added two unit tests to packages/astro/test/units/server-islands/endpoint.test.js verifying that validation checks only consider own properties on the parsed request data
  • All existing endpoint tests continue to pass

Docs

No docs changes needed.
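The difference the PR description relies on, shown as an added example that is not Astro's own code: `in` walks the prototype chain, while `Object.hasOwn()` reports only properties that exist directly on the parsed body. The field names `componentExport` and `slots` come from the PR; the validator shape and sample bodies are constructed for illustration.

```javascript
// Added example (not Astro's getRequestData()): contrasts `in` with
// Object.hasOwn() when validating a parsed server-island request body.

// Before the change: `in` is satisfied by inherited properties too, so a
// body that never carried the field can still pass the check.
function validateWithIn(data) {
  if (typeof data !== 'object' || data === null) return 'body must be an object';
  if (!('componentExport' in data)) return 'missing componentExport';
  if (!('slots' in data)) return 'missing slots';
  return null;
}

// After the change: only own properties of the parsed object count.
function validateWithHasOwn(data) {
  if (typeof data !== 'object' || data === null) return 'body must be an object';
  if (!Object.hasOwn(data, 'componentExport')) return 'missing componentExport';
  if (!Object.hasOwn(data, 'slots')) return 'missing slots';
  return null;
}

// Constructed sample bodies, as JSON.parse would produce them.
const validBody = JSON.parse('{"componentExport":"default","slots":{"default":"<p>hi</p>"}}');
const emptyBody = JSON.parse('{}');

// Constructed object whose "fields" live on its prototype, not on itself;
// this is exactly the case `in` cannot tell apart from a real field.
const inheritedOnly = Object.create({ componentExport: 'default', slots: {} });

function demo() {
  return {
    validIn: validateWithIn(validBody),            // null (accepted)
    validHasOwn: validateWithHasOwn(validBody),    // null (accepted)
    emptyIn: validateWithIn(emptyBody),            // 'missing componentExport'
    emptyHasOwn: validateWithHasOwn(emptyBody),    // 'missing componentExport'
    inheritedIn: validateWithIn(inheritedOnly),    // null: `in` saw the prototype
    inheritedHasOwn: validateWithHasOwn(inheritedOnly), // 'missing componentExport'
    // Even an empty parsed object "has" Object.prototype members under `in`.
    toStringIn: 'toString' in emptyBody,           // true
    toStringHasOwn: Object.hasOwn(emptyBody, 'toString'), // false
  };
}

console.log(demo());
```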

changeset-bot bot commented Mar 5, 2026

🦋 Changeset detected

Latest commit: 26de729

The changes in this PR will be included in the next version bump.

@github-actions github-actions bot added the pkg: astro Related to the core `astro` package (scope) label Mar 5, 2026
codspeed-hq bot commented Mar 5, 2026

Merging this PR will not alter performance

✅ 18 untouched benchmarks


Comparing fix/bugbot-126 (26de729) with main (f49a27f) [1]

Footnotes

  [1] No successful run was found on main (8d76860) during the generation of this report, so f49a27f was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@matthewp matthewp marked this pull request as ready for review March 5, 2026 16:11
@matthewp matthewp merged commit ca76ff1 into main Mar 11, 2026
43 of 44 checks passed
@matthewp matthewp deleted the fix/bugbot-126 branch March 11, 2026 17:07
@astrobot-houston astrobot-houston mentioned this pull request Mar 11, 2026
dadezzz pushed a commit to dadezzz/ice-notes that referenced this pull request Mar 15, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [astro](https://astro.build) ([source](https://github.com/withastro/astro/tree/HEAD/packages/astro)) | [`6.0.2` → `6.0.3`](https://renovatebot.com/diffs/npm/astro/6.0.2/6.0.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/astro/6.0.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/astro/6.0.2/6.0.3?slim=true) |

---

### Release Notes

<details>
<summary>withastro/astro (astro)</summary>

### [`v6.0.3`](https://github.com/withastro/astro/blob/HEAD/packages/astro/CHANGELOG.md#603)

[Compare Source](https://github.com/withastro/astro/compare/astro@6.0.2...astro@6.0.3)

##### Patch Changes

- [#&#8203;15711](withastro/astro#15711) [`b2bd27b`](withastro/astro@b2bd27b) Thanks [@&#8203;OliverSpeir](https://github.com/OliverSpeir)! - Improves Astro core's dev environment handling for prerendered routes by ensuring route/CSS updates and prerender middleware behavior work correctly across both SSR and prerender environments.

  This enables integrations that use Astro's prerender dev environment (such as Cloudflare with `prerenderEnvironment: 'node'`) to get consistent route matching and HMR behavior during development.

- [#&#8203;15852](withastro/astro#15852) [`1cdaf9f`](withastro/astro@1cdaf9f) Thanks [@&#8203;ematipico](https://github.com/ematipico)! - Fixes a regression where the routes emitted by the `astro:build:done` hook didn't have the `distURL` array correctly populated.

- [#&#8203;15765](withastro/astro#15765) [`ca76ff1`](withastro/astro@ca76ff1) Thanks [@&#8203;matthewp](https://github.com/matthewp)! - Hardens server island POST endpoint validation to use own-property checks for improved consistency

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Co-authored-by: Renovate Bot <renovate@zarantonello.dev>
Co-committed-by: Renovate Bot <renovate@zarantonello.dev>