fix: harden header iterable checks for prototype-pollution scenarios

[mcollina]

Summary

This PR hardens header processing against prototype-pollution side effects.

Undici previously used inherited Symbol.iterator lookups for some header inputs. If Object.prototype[Symbol.iterator] was polluted, plain header objects could be misclassified as iterables and silently lose headers.

This is not a standalone vulnerability in Undici; it requires a pre-existing prototype-pollution primitive. This change improves resilience in that scenario.

Changes

Updated iterable detection in:

• lib/core/request.js
• lib/handler/redirect-handler.js
• lib/util/cache.js

New behavior:

• Treat headers as iterable only when:
  • Symbol.iterator is an own property, or
  • the object has a non-plain prototype and an iterator function (e.g. Map, Headers)
• Otherwise treat headers as plain objects via Object.keys / Object.entries.

Tests

• test/request.js
  • plain object headers are preserved when Object.prototype[Symbol.iterator] is polluted
• test/interceptors/redirect.js
  • same-origin redirect preserves plain object headers under polluted iterator
• test/cache-interceptor/cache-utils.js (new)
  • normalizeHeaders works for polluted plain objects
  • normalizeHeaders still works for Map headers

Verification

• npx borp -p "test/request.js"
• npx borp -p "test/interceptors/redirect.js"
• npx borp -p "test/cache-interceptor/cache-utils.js"
• npx borp -p "test/interceptors/cache.js"
• npm run lint -- lib/core/request.js lib/util/cache.js lib/handler/redirect-handler.js test/request.js test/interceptors/redirect.js test/cache-interceptor/cache-utils.js

[codecov-commenter]

Codecov Report

❌ Patch coverage is 86.20690% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.19%. Comparing base (2453caf) to head (db2468d).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
lib/util/cache.js	78.94%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4824      +/-   ##
==========================================
+ Coverage   93.17%   93.19%   +0.01%     
==========================================
  Files         109      109              
  Lines       34187    34200      +13     
==========================================
+ Hits        31855    31873      +18     
+ Misses       2332     2327       -5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[metcoder95]

Shall we maybe create an utility function to share it across?