@blamejs/blamejs-shop 0.0.44

package/lib/vendor/blamejs/lib/safe-mount-info.js

@@ -0,0 +1,306 @@
+"use strict";
+/**
+ * @module     b.safeMountInfo
+ * @nav        Primitives
+ * @title      Safe MountInfo
+ * @order      131
+ * @slug       safe-mount-info
+ *
+ * @card
+ *   Canonical /proc/self/mountinfo parser that always reads field 4
+ *   (root-within-source-FS) — defeats the bind-mount detection bug
+ *   class where ad-hoc parsers picked the wrong field.
+ *
+ * @intro
+ *   Linux `/proc/self/mountinfo` is the per-process kernel-published
+ *   mount table. The format is fixed per [kernel
+ *   Documentation/filesystems/proc.rst §3.5](https://www.kernel.org/doc/Documentation/filesystems/proc.txt):
+ *
+ *     <id> <parent> <major:minor> <root> <mountpoint> <options>
+ *     [<optional-fields>...] - <fstype> <source> <super-options>
+ *
+ *   The `<root>` field (positional index 3, 0-based) is "root within
+ *   source FS" — `"/"` for a regular mount, a non-root path for a
+ *   bind-mount (e.g. `/Users/me/data` mounted onto `/data` inside a
+ *   container). Bind-mount detection MUST consult this field; ad-hoc
+ *   parsers that scan the options string for the word "bind" miss
+ *   the truth (kernel doesn't emit "bind" as an option — bind state
+ *   is observable ONLY via field 4).
+ *
+ *   Pre-v0.11.6 the only lib/ caller (lib/watcher.js) parsed mountinfo
+ *   correctly inline. Future callers — container-escape detection,
+ *   sealed-store path validation, sandbox auto-probe — would have to
+ *   re-derive the discipline. This primitive centralizes it: a
+ *   single canonical parser that ALWAYS reads field 4, ALWAYS
+ *   handles the `" - "` optional-fields separator, ALWAYS skips
+ *   malformed lines without throwing.
+ *
+ *   Refusal posture:
+ *     - `safe-mount-info/read-failed`     — /proc/self/mountinfo
+ *       unreadable (non-Linux, restricted sandbox, host filesystem
+ *       hidden). Operators get the typed error AND opts.fallback
+ *       value (default null) to take.
+ *     - `safe-mount-info/parse-failed`    — single malformed line
+ *       within /proc/self/mountinfo. Silent-skip (per-line) by
+ *       default; opts.strict: true upgrades to throw on first
+ *       malformed line.
+ *
+ *   Threat model:
+ *     - **Container-escape detection** (CVE-2019-5736 Docker /
+ *       CVE-2022-0185 fsconfig / CVE-2024-21626 leaky-vessels) —
+ *       bind-mount + root-field analysis is the canonical signal.
+ *       Wrong-field readers (operations on field 5 / 6 / options-
+ *       indexOf-"bind") miss escape-attempt patterns.
+ *     - **Sealed-store integrity** — sealed dbs / vault state
+ *       atop a bind-mounted host directory cross trust boundaries
+ *       on container restart. Detection requires reading field 4
+ *       and matching the mount-point against operator-trusted paths.
+ *
+ *   Composes:
+ *     - lib/safe-decompress / lib/audit — operator-supplied audit
+ *       handle receives `system.safe_mount_info.refused` events on
+ *       read-failed and parse-failed (drop-silent — observability emission must not crash the hot path that emitted the event).
+ *
+ * RFC / kernel-doc citations:
+ *   - [Linux Documentation/filesystems/proc.rst §3.5 — /proc/<pid>/mountinfo](https://www.kernel.org/doc/Documentation/filesystems/proc.txt)
+ *   - [CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) — runc leaky-vessels (bind-mount detection)
+ *   - [CVE-2022-0185](https://nvd.nist.gov/vuln/detail/CVE-2022-0185) — fsconfig integer underflow
+ */
+
+var nodeFs = require("node:fs");
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+var numericBounds = require("./numeric-bounds");
+var { defineClass } = require("./framework-error");
+
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var SafeMountInfoError = defineClass("SafeMountInfoError", { alwaysPermanent: true });
+
+var DEFAULT_PATH = "/proc/self/mountinfo";
+
+/**
+ * @primitive b.safeMountInfo.parse
+ * @signature b.safeMountInfo.parse(text, opts?)
+ * @since     0.11.6
+ * @status    stable
+ * @related   b.safeMountInfo.read, b.safeMountInfo.bestMatch
+ *
+ * Parse `/proc/self/mountinfo` text bytes into structured entries.
+ * Each entry carries `{ id, parent, devMajMin, root, mountPoint,
+ * options, fstype, source, superOptions }` — `root` is the
+ * positional field 4 ("root within source FS") that bind-mount
+ * detection requires.
+ *
+ * Malformed lines are skipped by default (operator's mountinfo MAY
+ * contain a stray line during a concurrent mount/unmount). Set
+ * `opts.strict: true` to throw on first malformed line.
+ *
+ * @opts
+ *   strict:  boolean,        // default false; throw on malformed line
+ *   maxLines: number,        // default 4096; cap to bound parser work
+ *
+ * @example
+ *   var entries = b.safeMountInfo.parse(rawText);
+ *   var bindMounts = entries.filter(function (e) { return e.root !== "/"; });
+ */
+function parse(text, opts) {
+  opts = opts || {};
+  validateOpts(opts, ["strict", "maxLines"], "safeMountInfo.parse");
+  if (typeof text !== "string") {
+    throw new SafeMountInfoError(
+      "safe-mount-info/bad-input",
+      "safeMountInfo.parse: text must be a string");
+  }
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.maxLines,
+    "safeMountInfo.parse: opts.maxLines",
+    SafeMountInfoError, "safe-mount-info/bad-arg");
+  var maxLines = (typeof opts.maxLines === "number") ? opts.maxLines : 4096;         // allow:raw-byte-literal — line cap matches max kernel-published mount count
+  var strict = opts.strict === true;
+  var lines  = text.split("\n");
+  // `text.split("\n").length` counts the trailing empty segment that
+  // `/proc/self/mountinfo` produces with its final newline. Adjust
+  // the count so the cap reflects ACTUAL records, not segments —
+  // otherwise exactly-`maxLines` valid records gets rejected as
+  // `too-many-lines` because the segment count is `maxLines + 1`.
+  var trailingEmpty = (lines.length > 0 && lines[lines.length - 1] === "");
+  var recordCount = trailingEmpty ? lines.length - 1 : lines.length;
+  if (recordCount > maxLines) {
+    throw new SafeMountInfoError(
+      "safe-mount-info/too-many-lines",
+      "safeMountInfo.parse: mountinfo has " + recordCount +
+      " lines, exceeds maxLines " + maxLines);
+  }
+  var out = [];
+  for (var i = 0; i < lines.length; i += 1) {
+    var ln = lines[i];
+    if (!ln) continue;
+    // Format: <id> <parent> <major:minor> <root> <mountpoint> <options>
+    //         [<optional-fields>...] - <fstype> <source> <super-options>
+    // The separator " - " divides the optional-fields half from the
+    // post-fields half.
+    var sepIdx = ln.indexOf(" - ");
+    if (sepIdx === -1) {
+      if (strict) {
+        throw new SafeMountInfoError(
+          "safe-mount-info/parse-failed",
+          "safeMountInfo.parse: line " + (i + 1) + " missing ' - ' separator");
+      }
+      continue;
+    }
+    var preFields  = ln.slice(0, sepIdx).split(" ");
+    var postFields = ln.slice(sepIdx + 3).split(" ");
+    if (preFields.length < 6 || postFields.length < 1) {                             // allow:raw-byte-literal — kernel-mandated minimum field counts
+      if (strict) {
+        throw new SafeMountInfoError(
+          "safe-mount-info/parse-failed",
+          "safeMountInfo.parse: line " + (i + 1) + " has " + preFields.length +
+          " pre-fields, " + postFields.length + " post-fields (need >=6, >=1)");
+      }
+      continue;
+    }
+    out.push({
+      id:           preFields[0],
+      parent:       preFields[1],
+      devMajMin:    preFields[2],
+      root:         preFields[3],                                                    // *** field 4 (0-indexed 3) — bind-mount detection
+      mountPoint:   preFields[4],
+      options:      preFields[5],
+      // optional-fields (variable length, between [6] and the " - ")
+      // are exposed via `optionalFields` for advanced callers.
+      optionalFields: preFields.slice(6, preFields.length).filter(function (f) { return f.length > 0; }),
+      fstype:       postFields[0],
+      source:       postFields[1] || null,
+      superOptions: postFields[2] || null,
+    });
+  }
+  return out;
+}
+
+/**
+ * @primitive b.safeMountInfo.read
+ * @signature b.safeMountInfo.read(opts?)
+ * @since     0.11.6
+ * @status    stable
+ * @related   b.safeMountInfo.parse, b.safeMountInfo.bestMatch
+ *
+ * Read + parse `/proc/self/mountinfo` in one call. Returns the same
+ * array shape as `parse(text)`. On non-Linux platforms (where /proc
+ * doesn't exist) returns `opts.fallback` (default `null`); audit
+ * emission per `safe-mount-info.refused` with code `read-failed`.
+ *
+ * @opts
+ *   path:     string,        // override path (default /proc/self/mountinfo)
+ *   fallback: any,           // returned on read failure (default null)
+ *   audit:    object,        // optional b.audit handle for refusal events
+ *   strict:   boolean,       // forwarded to parse()
+ *   maxLines: number,        // forwarded to parse()
+ *
+ * @example
+ *   var entries = b.safeMountInfo.read();
+ *   if (entries === null) {
+ *     // non-Linux / sandboxed / no /proc
+ *   }
+ */
+function read(opts) {
+  opts = opts || {};
+  validateOpts(opts,
+    ["path", "fallback", "audit", "strict", "maxLines"],
+    "safeMountInfo.read");
+  var path = typeof opts.path === "string" && opts.path.length > 0
+    ? opts.path
+    : DEFAULT_PATH;
+  var text;
+  try { text = nodeFs.readFileSync(path, "utf8"); }
+  catch (e) {
+    _refuseEmit(opts, "safe-mount-info/read-failed",
+      "/proc/self/mountinfo unreadable: " + ((e && e.message) || String(e)));
+    return ("fallback" in opts) ? opts.fallback : null;
+  }
+  return parse(text, opts);
+}
+
+/**
+ * @primitive b.safeMountInfo.bestMatch
+ * @signature b.safeMountInfo.bestMatch(entries, path)
+ * @since     0.11.6
+ * @status    stable
+ * @related   b.safeMountInfo.read, b.safeMountInfo.isBindMount
+ *
+ * Find the mountinfo entry whose `mountPoint` is the longest prefix
+ * of `path`. Returns `null` when no entry covers `path`. The "longest
+ * prefix" semantic is what bind-mount detection / sealed-store-path
+ * validation needs — a mounted subdir wins over the root mount.
+ *
+ * @example
+ *   var entries  = b.safeMountInfo.read();
+ *   var atPath   = b.safeMountInfo.bestMatch(entries, "/var/lib/blamejs");
+ *   if (atPath && atPath.root !== "/") {
+ *     // path lives on a bind-mount (potentially crossing host/guest)
+ *   }
+ */
+function bestMatch(entries, path) {
+  if (!Array.isArray(entries) || entries.length === 0) return null;
+  if (typeof path !== "string" || path.length === 0) return null;
+  var best = null;
+  var bestLen = -1;
+  for (var i = 0; i < entries.length; i += 1) {
+    var e = entries[i];
+    if (!e || typeof e.mountPoint !== "string" || e.mountPoint.length === 0) continue;
+    var mp = e.mountPoint;
+    if (path === mp ||
+        (path.length > mp.length &&
+         path.indexOf(mp) === 0 &&
+         (mp === "/" || path.charCodeAt(mp.length) === 47 /* "/" */))) {              // allow:raw-byte-literal — ASCII forward-slash
+      if (mp.length > bestLen) {
+        bestLen = mp.length;
+        best = e;
+      }
+    }
+  }
+  return best;
+}
+
+/**
+ * @primitive b.safeMountInfo.isBindMount
+ * @signature b.safeMountInfo.isBindMount(entry)
+ * @since     0.11.6
+ * @status    stable
+ * @related   b.safeMountInfo.bestMatch
+ *
+ * `true` when the mountinfo entry's `root` field is something other
+ * than `"/"` (i.e. the mount is a bind from a non-root path within
+ * the source filesystem). The canonical bind-mount test — does NOT
+ * consult the options string (the kernel doesn't emit "bind" there).
+ *
+ * @example
+ *   var entries = b.safeMountInfo.read();
+ *   var atData  = b.safeMountInfo.bestMatch(entries, "/data");
+ *   var isBind  = b.safeMountInfo.isBindMount(atData);
+ */
+function isBindMount(entry) {
+  if (!entry || typeof entry !== "object") return false;
+  return typeof entry.root === "string" && entry.root.length > 0 && entry.root !== "/";
+}
+
+function _refuseEmit(opts, code, message) {
+  var auditImpl = opts.audit || (audit() && audit().safeEmit ? audit() : null);
+  if (auditImpl && typeof auditImpl.safeEmit === "function") {
+    try {
+      auditImpl.safeEmit({
+        action:   "system.safe_mount_info.refused",
+        outcome:  "denied",
+        metadata: { code: code, reason: message },
+      });
+    } catch (_e) { /* drop-silent — observability emission must not crash the hot path that emitted the event */ }
+  }
+}
+
+module.exports = {
+  parse:                  parse,
+  read:                   read,
+  bestMatch:              bestMatch,
+  isBindMount:            isBindMount,
+  SafeMountInfoError:     SafeMountInfoError,
+  DEFAULT_PATH:           DEFAULT_PATH,
+};

package/lib/vendor/blamejs/lib/safe-path.js

@@ -0,0 +1,254 @@
+"use strict";
+/**
+ * @module b.safePath
+ * @nav    Filesystem
+ * @title  Safe Path
+ *
+ * @intro
+ *   Path-traversal-safe multi-segment resolve. Operators consuming
+ *   operator-OR-user-supplied path segments (uploaded filenames,
+ *   tarball entries, archive extraction, dynamic include paths) pass
+ *   `base + rel` to `b.safePath.resolve` and get back the absolute
+ *   canonicalized path — guaranteed to lie strictly within `base` —
+ *   or a typed `SafePathError` with a stable `code` on refusal.
+ *
+ *   Refusal classes (each a documented code, never best-effort):
+ *
+ *     - `safe-path/absolute-rel`           — rel is absolute, UNC, or carries a drive letter
+ *     - `safe-path/escapes-base`           — `..` segments escape base after lexical resolve
+ *     - `safe-path/null-byte`              — NUL anywhere (closes Node poison-NUL class)
+ *     - `safe-path/control-char`           — C0 control char other than NUL
+ *     - `safe-path/bidi`                   — bidi-override codepoint (CVE-2021-42574 Trojan Source)
+ *     - `safe-path/win-reserved`           — Windows reserved name (CON/PRN/AUX/NUL/COM0-9/LPT0-9)
+ *                                            on EVERY platform — closes CVE-2025-27210 cross-mount class
+ *     - `safe-path/win-trailing`           — segment ends with `.` or ` ` under windows-mode resolve
+ *     - `safe-path/separator-in-segment`   — encoded path-separator in a segment (URL / fullwidth /
+ *                                            overlong UTF-8 / division-slash)
+ *     - `safe-path/ads-marker`             — NTFS Alternate Data Stream `foo:bar` marker
+ *     - `safe-path/realpath-escapes-base`  — symlink resolution escapes base (opt-in via opts.realpath)
+ *
+ *   Per-segment filename validation composes `b.guardFilename`'s
+ *   reserved-name + overlong UTF-8 + bidi tables; the multi-segment
+ *   resolve + base-escape check is the new code.
+ *
+ * @card
+ *   Traversal-safe multi-segment path resolve. Every documented failure mode → coded refusal. Composes b.guardFilename.
+ */
+
+var nodePath = require("node:path");
+var nodeFs = require("node:fs");
+var { defineClass } = require("./framework-error");
+
+var SafePathError = defineClass("SafePathError", { alwaysPermanent: true });
+
+// Windows reserved device names — CON, PRN, AUX, NUL, COM0–COM9,
+// LPT0–LPT9, CONIN$, CONOUT$. Enforced on EVERY platform to defend
+// the cross-mount case where a POSIX server writes a path that a
+// Windows operator later mounts (closes CVE-2025-27210 class).
+var WIN_RESERVED_RE = /^(con|prn|aux|nul|com[0-9¹²³]|lpt[0-9¹²³]|conin\$|conout\$)(?:\..*)?$/i;
+// Path separators outside the platform-native set. Each entry MUST
+// be rejected as a segment-internal character. Includes both raw +
+// canonical-encoded forms.
+var ENCODED_SEPARATOR_RE = /(%2[fF]|%5[cC]|%C0%AF|%C1%9C|[／＼∕⧸⁄])/;
+// Bidi-override codepoints (RTL/LTR markers + isolate enclosures).
+var BIDI_RE = /[‪-‮⁦-⁩‎‏]/;
+// C0 control byte range (excluding NUL which has its own dedicated
+// refusal so the error code matches the historical poison-NUL class).
+// eslint-disable-next-line no-control-regex
+var C0_RE = /[\x01-\x1F\x7F]/;
+
+function _refuse(code, message) {
+  throw new SafePathError(code, message);
+}
+
+/**
+ * @primitive b.safePath.resolve
+ * @signature b.safePath.resolve(base, rel, opts?)
+ * @since     0.10.9
+ * @status    stable
+ * @related   b.safePath.validate, b.guardFilename.validate, b.atomicFile.write
+ *
+ * Resolve `rel` against `base` and return the absolute canonicalized
+ * path — guaranteed to lie strictly within `base`. Throws
+ * `SafePathError` with a stable refusal code on any rejection.
+ *
+ * @opts
+ *   realpath:         boolean,         // default false; true → fs.realpathSync check (symlink-escape)
+ *   platform:         string,          // "windows" forces win-trailing / UNC refusal regardless of host
+ *   allowAbsoluteRel: boolean,         // default false; opt-in for absolute rel that still resolves inside base
+ *
+ * @example
+ *   var p = b.safePath.resolve("/srv/uploads", req.body.path);
+ *   // → "/srv/uploads/<safe-rel>"  OR  throws SafePathError on traversal
+ */
+function resolve(base, rel, opts) {
+  return _resolveCore(base, rel, opts || {});
+}
+
+/**
+ * @primitive b.safePath.resolveOrNull
+ * @signature b.safePath.resolveOrNull(base, rel, opts?)
+ * @since     0.10.9
+ * @status    stable
+ * @related   b.safePath.resolve, b.safePath.validate
+ *
+ * Same contract as `resolve` but returns `null` on refusal instead of
+ * throwing. Useful for hot-path callers that want a boolean-ish gate
+ * without try/catch overhead.
+ *
+ * @opts
+ *   realpath:         boolean,
+ *   platform:         string,
+ *   allowAbsoluteRel: boolean,
+ *
+ * @example
+ *   var p = b.safePath.resolveOrNull("/srv/uploads", req.body.path);
+ *   if (p === null) { res.statusCode = 400; res.end("bad path"); return; }
+ */
+function resolveOrNull(base, rel, opts) {
+  try { return _resolveCore(base, rel, opts || {}); }
+  catch (_e) { return null; }
+}
+
+/**
+ * @primitive b.safePath.validate
+ * @signature b.safePath.validate(base, rel, opts?)
+ * @since     0.10.9
+ * @status    stable
+ * @related   b.safePath.resolve
+ *
+ * Same gate as `resolve` but returns a verdict object instead of
+ * throwing — `{ ok: true, resolved }` on success, `{ ok: false,
+ * code, message }` on refusal. Use when the caller wants to log the
+ * refusal class without throw/catch.
+ *
+ * @opts
+ *   realpath:         boolean,
+ *   platform:         string,
+ *   allowAbsoluteRel: boolean,
+ *
+ * @example
+ *   var v = b.safePath.validate("/srv/uploads", req.body.path);
+ *   if (!v.ok) { res.end("rejected: " + v.code); return; }
+ */
+function validate(base, rel, opts) {
+  try { return { ok: true, resolved: _resolveCore(base, rel, opts || {}) }; }
+  catch (e) { return { ok: false, code: e.code || "safe-path/unknown", message: e.message }; }
+}
+
+function _resolveCore(base, rel, opts) {
+  if (typeof base !== "string" || base.length === 0) {
+    _refuse("safe-path/bad-input", "b.safePath.resolve: base must be a non-empty string");
+  }
+  if (typeof rel !== "string") {
+    _refuse("safe-path/bad-input", "b.safePath.resolve: rel must be a string");
+  }
+  var platform = opts.platform || process.platform;
+  var isWin = platform === "win32" || platform === "windows";
+
+  // NUL byte ANYWHERE — its own refusal so the audit code matches
+  // the historical Node poison-NUL class.
+  if (rel.indexOf("\0") !== -1) {
+    _refuse("safe-path/null-byte", "b.safePath.resolve: NUL byte in rel");
+  }
+  // Other C0 + DEL.
+  if (C0_RE.test(rel)) {                                                                              // allow:regex-no-length-cap — anchored C0/DEL set, length bounded by rel
+    _refuse("safe-path/control-char", "b.safePath.resolve: C0 control char in rel");
+  }
+  // Bidi override (Trojan Source).
+  if (BIDI_RE.test(rel)) {                                                                            // allow:regex-no-length-cap — fixed bidi set, length bounded by rel
+    _refuse("safe-path/bidi",
+      "b.safePath.resolve: bidi-override codepoint in rel (CVE-2021-42574 class)");
+  }
+  // Encoded path separators inside what should be a single segment.
+  if (ENCODED_SEPARATOR_RE.test(rel)) {                                                               // allow:regex-no-length-cap — fixed separator-shape set
+    _refuse("safe-path/separator-in-segment",
+      "b.safePath.resolve: encoded path-separator codepoint in rel");
+  }
+  // Absolute rel (POSIX, Windows drive-letter, UNC) — refuse unless
+  // operator opted in.
+  var isAbsolute = nodePath.isAbsolute(rel) ||
+                   /^[A-Za-z]:[\\/]/.test(rel) ||                                                     // allow:regex-no-length-cap — anchored drive-letter shape
+                   /^\\\\/.test(rel) ||                                                               // allow:regex-no-length-cap — UNC `\\` prefix
+                   /^\/\//.test(rel);                                                                 // allow:regex-no-length-cap — POSIX `//` prefix
+  if (isAbsolute && !opts.allowAbsoluteRel) {
+    _refuse("safe-path/absolute-rel",
+      "b.safePath.resolve: rel is absolute/UNC/drive-letter (set opts.allowAbsoluteRel for opt-in)");
+  }
+
+  // Per-segment walk. Reserved-name + ADS + win-trailing + segment-
+  // shape checks happen here.
+  var sep = isWin ? /[\\/]/ : /\//;
+  var segments = rel.split(sep);                                                                      // allow:regex-no-length-cap — fixed separator
+  for (var si = 0; si < segments.length; si += 1) {
+    var seg = segments[si];
+    if (seg.length === 0) continue;            // empty (leading/trailing/double-sep)
+    if (seg === "." || seg === "..") continue; // resolution handled below
+    var segLc = seg.toLowerCase();
+    var baseName = segLc.indexOf(".") === -1 ? segLc : segLc.slice(0, segLc.indexOf("."));
+    if (WIN_RESERVED_RE.test(seg) || WIN_RESERVED_RE.test(baseName)) {                                // allow:regex-no-length-cap — anchored reserved-name set
+      _refuse("safe-path/win-reserved",
+        "b.safePath.resolve: segment '" + seg + "' is a Windows reserved name (CVE-2025-27210 class)");
+    }
+    if (isWin) {
+      var last = seg.charAt(seg.length - 1);
+      if (last === "." || last === " ") {
+        _refuse("safe-path/win-trailing",
+          "b.safePath.resolve: segment '" + seg + "' ends with '.' or ' ' (Windows silently strips)");
+      }
+    }
+    // NTFS Alternate Data Stream marker — refuse `foo:bar` ANYWHERE
+    // except where the colon is part of a Windows drive prefix (the
+    // absolute-rel branch above already refused those).
+    if (seg.indexOf(":") !== -1) {
+      _refuse("safe-path/ads-marker",
+        "b.safePath.resolve: segment '" + seg + "' contains ':' (NTFS Alternate Data Stream marker; CVE-2024-12217 class)");
+    }
+  }
+
+  // Lexical resolve.
+  var baseResolved = nodePath.resolve(base);
+  var joined = nodePath.resolve(baseResolved, rel);
+  // Cross-check via posix.normalize so a Windows host with mixed
+  // separators still surfaces escapes consistently.
+  var sepChar = isWin ? "\\" : "/";
+  if (joined !== baseResolved && joined.slice(0, baseResolved.length + 1) !== baseResolved + sepChar) {
+    _refuse("safe-path/escapes-base",
+      "b.safePath.resolve: rel resolves outside base ('" + joined + "' not inside '" + baseResolved + "')");
+  }
+  if (opts.realpath === true) {
+    var baseRealpath;
+    try { baseRealpath = nodeFs.realpathSync.native(baseResolved); }
+    catch (e) {
+      _refuse("safe-path/realpath-base-unresolvable",
+        "b.safePath.resolve: opts.realpath set but base realpath failed: " + (e && e.message));
+    }
+    // Walk up the joined path from the leaf, finding the longest
+    // ancestor that exists, and check its realpath. Operators want
+    // refusal when ANY ancestor symlink escapes — nodeFs.realpathSync on a
+    // non-existent path would throw.
+    var ancestor = joined;
+    while (ancestor.length > baseResolved.length) {
+      try {
+        var ancRealpath = nodeFs.realpathSync.native(ancestor);
+        if (ancRealpath !== baseRealpath &&
+            ancRealpath.slice(0, baseRealpath.length + 1) !== baseRealpath + sepChar) {
+          _refuse("safe-path/realpath-escapes-base",
+            "b.safePath.resolve: symlink resolution at '" + ancestor +
+            "' escapes base realpath '" + baseRealpath + "'");
+        }
+        break;
+      } catch (_ie) {
+        ancestor = nodePath.dirname(ancestor);
+      }
+    }
+  }
+  return joined;
+}
+
+module.exports = {
+  resolve:        resolve,
+  resolveOrNull:  resolveOrNull,
+  validate:       validate,
+  SafePathError:  SafePathError,
+};

package/lib/vendor/blamejs/lib/safe-redirect.js

@@ -0,0 +1,106 @@
+"use strict";
+/**
+ * safe-redirect — open-redirect (CWE-601) defense for operator-supplied
+ * post-login `?next=` / `?return_to=` parameters and similar redirect
+ * targets.
+ *
+ * The vulnerability: an attacker phishes a victim with a link like
+ * `https://app.example.com/login?next=https://attacker.example.com`.
+ * After login, a naive `res.writeHead(302, { Location: req.query.next })`
+ * sends the user to attacker.example.com under the trust of app.example.com.
+ *
+ *   var safe = b.safeRedirect.resolve(rawNext, {
+ *     base:           "https://app.example.com",
+ *     allowedOrigins: ["https://app.example.com"],
+ *     allowedHosts:   ["app.example.com"],
+ *     fallback:       "/dashboard",
+ *   });
+ *   // → safe path or fallback (never attacker.example.com)
+ *
+ * Decision rules (in order):
+ *
+ *   1. rawTarget is null / empty / non-string → fallback
+ *   2. rawTarget starts with "//" or "\\" → fallback (protocol-relative
+ *      open redirect — `//attacker.com/path` interpreted as
+ *      `https://attacker.com/path` by browsers)
+ *   3. rawTarget contains a control char / null / CR / LF → fallback
+ *      (header-injection vector)
+ *   4. rawTarget is a relative path starting with "/" → safe (same-
+ *      origin by definition)
+ *   5. rawTarget is a fragment / search-only ("#x" / "?q=1") → safe
+ *   6. rawTarget is a full URL → parse + check origin against
+ *      allowedOrigins (or host against allowedHosts when the operator
+ *      doesn't care about scheme/port match)
+ *   7. anything else (data:, javascript:, malformed) → fallback
+ *
+ * Returns the safe URL string (path + query + fragment for relative;
+ * full URL for allowed full URLs; fallback otherwise). Operators
+ * pass the result directly to `res.writeHead(302, { Location: ... })`.
+ */
+
+var safeUrl = require("./safe-url");
+var validateOpts = require("./validate-opts");
+
+var DEFAULT_FALLBACK = "/";
+
+function _hasControlChar(s) {
+  for (var i = 0; i < s.length; i += 1) {
+    var c = s.charCodeAt(i);
+    if (c < 0x20 || c === 0x7f) return true;                                     // allow:raw-byte-literal — ASCII control range thresholds
+  }
+  return false;
+}
+
+function resolve(rawTarget, opts) {
+  opts = opts || {};
+  validateOpts(opts, ["base", "allowedOrigins", "allowedHosts", "fallback"], "safeRedirect.resolve");
+
+  var fallback = typeof opts.fallback === "string" ? opts.fallback : DEFAULT_FALLBACK;
+  if (typeof rawTarget !== "string" || rawTarget.length === 0) return fallback;
+  if (_hasControlChar(rawTarget)) return fallback;
+
+  // Reject protocol-relative ("//host/...") and back-slash variant
+  // ("\\host\..." — IE / older browsers may interpret as auth).
+  if (rawTarget.length >= 2) {
+    var p0 = rawTarget.charAt(0);
+    var p1 = rawTarget.charAt(1);
+    if ((p0 === "/" || p0 === "\\") && (p1 === "/" || p1 === "\\")) return fallback;
+  }
+
+  // Same-origin relative (path / query / fragment) — safe by definition.
+  if (rawTarget.charAt(0) === "/" || rawTarget.charAt(0) === "?" ||
+      rawTarget.charAt(0) === "#") {
+    return rawTarget;
+  }
+
+  // Full URL — parse and check against allowlist.
+  var allowedOrigins = Array.isArray(opts.allowedOrigins) ? opts.allowedOrigins : null;
+  var allowedHosts   = Array.isArray(opts.allowedHosts)   ? opts.allowedHosts   : null;
+  if (!allowedOrigins && !allowedHosts) {
+    // Operator gave no allowlist — refuse all full URLs (the safe default).
+    return fallback;
+  }
+
+  var parsed;
+  try { parsed = safeUrl.parse(rawTarget, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS }); }
+  catch (_e) { return fallback; }
+
+  if (allowedOrigins) {
+    for (var i = 0; i < allowedOrigins.length; i += 1) {
+      if (parsed.origin === allowedOrigins[i]) return rawTarget;
+    }
+  }
+  if (allowedHosts) {
+    for (var j = 0; j < allowedHosts.length; j += 1) {
+      if (parsed.host === allowedHosts[j] || parsed.hostname === allowedHosts[j]) {
+        return rawTarget;
+      }
+    }
+  }
+  return fallback;
+}
+
+module.exports = {
+  resolve:           resolve,
+  DEFAULT_FALLBACK:  DEFAULT_FALLBACK,
+};