Harden server island POST endpoint to use own-property checks (#15765)

matthewp · astro-security[bot] · web-flow · commit ca76ff1dedaf · 2026-03-11T13:07:55.000-04:00
Co-authored-by: astro-security[bot] &lt;astro-security[bot]@users.noreply.github.com&gt;
diff --git a/.changeset/harden-server-island-validation.md b/.changeset/harden-server-island-validation.md
@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Hardens server island POST endpoint validation to use own-property checks for improved consistency
diff --git a/packages/astro/src/core/server-islands/endpoint.ts b/packages/astro/src/core/server-islands/endpoint.ts
@@ -84,12 +84,12 @@ export async function getRequestData(
 				const data = JSON.parse(raw);
 
 				// Validate that slots is not plaintext
-				if ('slots' in data && typeof data.slots === 'object') {
+				if (Object.hasOwn(data, 'slots') && typeof data.slots === 'object') {
 					return badRequest('Plaintext slots are not allowed. Slots must be encrypted.');
 				}
 
 				// Validate that componentExport is not plaintext
-				if ('componentExport' in data && typeof data.componentExport === 'string') {
+				if (Object.hasOwn(data, 'componentExport') && typeof data.componentExport === 'string') {
 					return badRequest(
 						'Plaintext componentExport is not allowed. componentExport must be encrypted.',
 					);
diff --git a/packages/astro/test/units/server-islands/endpoint.test.js b/packages/astro/test/units/server-islands/endpoint.test.js
@@ -146,6 +146,44 @@ describe('getRequestData', () => {
 			assert.equal(result.encryptedProps, '');
 			assert.equal(result.encryptedSlots, '');
 		});
+
+		it('only checks own properties for `slots` validation', async () => {
+			// Temporarily pollute Object.prototype to simulate inherited properties
+			Object.prototype.slots = { default: 'polluted' };
+			try {
+				const req = makePostRequest({
+					encryptedComponentExport: 'encExport',
+					encryptedProps: 'encProps',
+					encryptedSlots: 'encSlots',
+				});
+				const result = await getRequestData(req);
+				assert.ok(
+					!(result instanceof Response),
+					`Expected RenderOptions but got Response with status ${result instanceof Response ? result.status : 'N/A'} — inherited 'slots' should not trigger rejection`,
+				);
+			} finally {
+				delete Object.prototype.slots;
+			}
+		});
+
+		it('only checks own properties for `componentExport` validation', async () => {
+			// Temporarily pollute Object.prototype to simulate inherited properties
+			Object.prototype.componentExport = 'default';
+			try {
+				const req = makePostRequest({
+					encryptedComponentExport: 'encExport',
+					encryptedProps: 'encProps',
+					encryptedSlots: 'encSlots',
+				});
+				const result = await getRequestData(req);
+				assert.ok(
+					!(result instanceof Response),
+					`Expected RenderOptions but got Response with status ${result instanceof Response ? result.status : 'N/A'} — inherited 'componentExport' should not trigger rejection`,
+				);
+			} finally {
+				delete Object.prototype.componentExport;
+			}
+		});
 	});
 	// #endregion
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'astro': patch
 +---
++
 +Hardens server island POST endpoint validation to use own-property checks for improved consistency