@blamejs/blamejs-shop 0.2.2 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
8
8
 
9
9
  ## v0.2.x
10
10
 
11
+ - v0.2.3 (2026-05-27) — **Admin console adopts the dark violet brand — the operator dashboard now matches the storefront.** The admin console has been restyled from its previous light theme and orange accent onto the same dark violet identity as the storefront: a neutral near-black canvas with violet reserved for accents, the self-hosted Hanken Grotesk and Space Mono typefaces in place of Inter, and Space Mono carrying the terminal-style chrome (header mark, navigation, micro-labels, figures, SKUs, order ids, and code). Stat cards, tables, status pills, forms, buttons, banners, nav cards, and the sign-in card are all recoloured for the dark surface with contrast preserved — order statuses keep their meaning (green for paid/shipped, amber for pending, violet for refunded, muted for cancelled), form inputs read clearly on the dark wells, and the revenue sparkline is drawn in the brand violet. Operators on the default theme get the new console on upgrade; no admin functionality, routes, or data change. **Changed:** *Dark violet admin theme* — The admin stylesheet is rebuilt on the storefront's palette — near-black surfaces, neutral hairline borders, and violet reserved for accents (active nav, primary buttons, the `/ admin` mark, focus states, and the revenue sparkline) rather than the former light paper and orange. Self-hosted Hanken Grotesk (display/body) and Space Mono (chrome/mono) replace Inter, loaded under the strict `font-src 'self'` policy. · *Components recoloured for the dark surface* — Stat cards, the orders table, status pills, filter chips, forms, buttons (primary/ghost/danger), banners, nav cards, the gift-card detail grid, and the sign-in card are all restyled for dark with contrast maintained. Order-status pills keep their semantics — green for paid/shipped/fulfilling/delivered, amber for pending, violet for refunded, muted for cancelled. Form inputs sit on recessed dark wells with light text and a violet focus ring.
12
+
11
13
  - v0.2.2 (2026-05-27) — **Bespoke line-art illustrations across the storefront — category tiles, image placeholders, and every empty state.** The storefront's stand-in graphics are now a single, cohesive set of hand-drawn line illustrations in the brand violet, replacing the previous mix of gradient-only tiles, single-letter image marks, and emoji. The six featured-collection tiles carry a matching icon (apparel, hardware, digital, subscriptions, bundles, gift cards). Products without an image — in the grid and on the product page — show a bespoke "no image yet" placeholder instead of a letter glyph. Every empty state has its own illustration: cart, search, wishlist, saved-for-later, addresses, returns, and orders. The artwork is inline SVG (no extra files fetched, consistent with the strict asset policy) and adapts to the surface — the fine detail strokes follow the text colour, so the same set reads correctly on a dark or a light background. **Changed:** *Category tiles carry line-art icons* — Each of the six featured-collection tiles now shows a violet line icon for its category, centered over the existing tile gradient. The tile links and labels are unchanged. · *Bespoke image placeholder replaces the letter mark* — When a product has no image, the grid card and the product-page gallery render a line-art "no image yet" placeholder — an isometric package on a faint grid (the product page adds a shield motif and a terminal-prompt accent) — instead of the previous single uppercase letter. The no-image grid card now uses the same media-card layout as image-bearing cards for a consistent grid. · *Every empty state has matching artwork* — The empty cart, no-search-results, empty wishlist, saved-for-later, addresses, returns, and orders states now show a bespoke line illustration in place of the previous emoji or unicode glyphs, so the storefront and account sections share one visual language. · *Inline, theme-adaptive SVG* — All of the new artwork is inline SVG with presentation attributes only — nothing is fetched from a CDN and no inline styles are used, consistent with the strict content-security and asset policies. The detail strokes use currentColor, so the set adapts to the background it sits on. The edge and container renderers emit identical markup.
12
14
 
13
15
  - v0.2.1 (2026-05-27) — **Theme tuning — stronger contrast, a cleaner product buy-box, and natural code-sample colors.** A polish pass over the new dark theme. The palette is rebalanced so the brand violet reads as a deliberate accent rather than the whole field: surfaces, borders, and shadows are now neutral dark, body text and prices are high-contrast near-white, and violet is concentrated on calls-to-action, the hero accent, and the newsletter band. The product page's buy-box is now a single contained card — price, variant, quantity, and add-to-cart group cleanly with proper spacing and alignment instead of blending into the column, and the wishlist/compare controls sit in their own separated row. The homepage code sample uses natural syntax-highlight colours (green strings, blue functions, violet keywords) with the usual window dots. The home collection tiles are calmer dark tiles with a subtle violet glow rather than solid magenta swatches. **Changed:** *Rebalanced palette for contrast* — Surfaces (`--surface`, card and raised tiers) and borders are now neutral dark instead of violet-tinted; secondary text and prices are high-contrast near-white; default shadows are neutral. The violet accent is reserved for primary buttons, the hero accent word, focus states, and the newsletter/framework bands — so contrast and hierarchy are clearer and the page no longer reads as a single wash of magenta. · *Product buy-box is a contained, aligned card* — Price, variant chip(s), quantity, and the full-width add-to-cart now sit in one bordered buy-box card with consistent spacing, the price rendered in high-contrast white, and the post-quantum-secured-checkout trust line as a calm note beneath it. The wishlist and compare controls are grouped into their own row, separated from the buy-box. No change to add-to-cart, variant, or currency behaviour. · *Natural code-sample colours and calmer collection tiles* — The homepage server-rendered code sample now uses a natural console palette — green strings, blue function names, violet keywords, grey comments — with red/yellow/green window dots. The home collection tiles are dark with a subtle, position-varied violet glow instead of solid violet gradient fills.
package/lib/admin.js CHANGED
@@ -2586,9 +2586,9 @@ function mount(router, deps) {
2586
2586
  //
2587
2587
  // Server-rendered HTML dashboard for `GET /admin/dashboard`. Reads
2588
2588
  // the four analytics aggregates and lays them out in a single page
2589
- // matching the storefront's brand palette (#191919 ink, #fa4f09
2590
- // accent, Montserrat headlines). No client-side JS — the SVG sparkline
2591
- // is rendered server-side from the revenue-by-day rows.
2589
+ // matching the storefront's dark violet brand (near-black canvas,
2590
+ // #AD38DB accent, Hanken Grotesk + Space Mono). No client-side JS —
2591
+ // the SVG sparkline is rendered server-side from the revenue-by-day rows.
2592
2592
 
2593
2593
  var DASHBOARD_LAYOUT =
2594
2594
  "<!DOCTYPE html>\n" +
@@ -2648,7 +2648,7 @@ function _sparkSvg(byDay, currency) {
2648
2648
  return (i === 0 ? "M" : "L") + x.toFixed(1) + "," + y.toFixed(1);
2649
2649
  }).join(" ");
2650
2650
  return "<div class=\"spark\"><svg viewBox=\"0 0 " + W + " " + H + "\" preserveAspectRatio=\"none\" aria-label=\"Revenue by day sparkline\">" +
2651
- "<path d=\"" + path + "\" fill=\"none\" stroke=\"#fa4f09\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>" +
2651
+ "<path d=\"" + path + "\" fill=\"none\" stroke=\"#AD38DB\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>" +
2652
2652
  "</svg></div>";
2653
2653
  }
2654
2654
 
@@ -1,9 +1,9 @@
1
1
  {
2
- "version": "0.2.2",
2
+ "version": "0.2.3",
3
3
  "assets": {
4
4
  "css/admin.css": {
5
- "integrity": "sha384-oUi6NkXA0ULSy8+8+LG0FV6jsgr7Y11Xf3VdnwUESnvUPaN7anYEC+QOAUXwgsap",
6
- "fingerprinted": "css/admin.7b692a8965624a0c.css"
5
+ "integrity": "sha384-FgqvXcZygYkJjjOtXAeu9xi6AtYqkchPnJKcS0OeHm8lynhd9r4RfdpoT7P7j7/l",
6
+ "fingerprinted": "css/admin.afd7b964c1f6fe1b.css"
7
7
  },
8
8
  "css/main.css": {
9
9
  "integrity": "sha384-iKbkn3AR4k733EgN+1Ju51qbKfz9yVmDk8lE2l99asnRGbSo4BJu4Lo+OTxcBME4",
@@ -3,8 +3,8 @@
3
3
  "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
4
4
  "packages": {
5
5
  "blamejs": {
6
- "version": "0.13.13",
7
- "tag": "v0.13.13",
6
+ "version": "0.13.14",
7
+ "tag": "v0.13.14",
8
8
  "license": "Apache-2.0",
9
9
  "author": "blamejs contributors",
10
10
  "source": "https://github.com/blamejs/blamejs",
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
8
8
 
9
9
  ## v0.13.x
10
10
 
11
+ - v0.13.14 (2026-05-27) — **DNSSEC chain validation now bounds KeyTrap (CVE-2023-50387) amplification with hard caps.** b.network.dns.dnssec.verifyChain tried every DNSKEY whose 16-bit key tag matched an RRSIG, with no cap on how many candidates or total signature verifications a single response could drive. A hostile zone publishing many DNSKEYs sharing one key tag (plus matching RRSIGs) could force O(keys x signatures) full public-key verifications from one query — the KeyTrap denial-of-service (CVE-2023-50387). Validation is now bounded by non-configurable caps that match the BIND / Unbound mitigations: at most 4 same-tag candidate keys are tried per RRSIG, at most 64 DNSKEYs per zone link and 16 DS records per delegation are accepted, the chain is at most 128 links deep, and the whole response is held to a signature-validation budget that scales with chain depth (so a legitimate deep delegation is never false-rejected while bounded collisions stay bounded); exceeding any of these refuses the response rather than performing the work. Separately, a domain name that encodes to more than 255 octets is now refused at canonicalization (RFC 1035 §2.3.4), which also bounds the NSEC3 closest-encloser label enumeration, and the NSEC3 iteration ceiling is lowered from 500 to 150 to match the BIND 9.16.33+ / Unbound 1.17.1 fix for the sibling CVE-2023-50868. **Security:** *`verifyChain` caps colliding-key fan-out and total signature validations (KeyTrap / CVE-2023-50387)* — A zone advertising many same-key-tag DNSKEYs and RRSIGs can no longer drive unbounded public-key verifications. New refusals: `dnssec/too-many-colliding-keys` (>4 same-tag candidates per RRSIG), `dnssec/too-many-dnskeys` (>64 DNSKEYs per zone link), `dnssec/too-many-ds` (>16 DS records per delegation), `dnssec/too-many-links` (chain deeper than 128), and `dnssec/validation-budget-exceeded` (signature validations beyond the depth-scaled budget). The caps are intentionally non-configurable — they sit well above any legitimate zone, and the budget scales with chain depth so deep delegations validate normally. · *Domain-name octet cap + lower NSEC3 iteration ceiling* — A name that canonicalizes to more than 255 octets is refused (`dnssec/bad-name`, RFC 1035 §2.3.4), which bounds the per-label NSEC3 closest-encloser enumeration (CVE-2023-50868 class). The default NSEC3 iteration ceiling drops from 500 to 150, matching the BIND 9.16.33+ / Unbound 1.17.1 post-CVE defaults (RFC 9276 recommends 0).
12
+
11
13
  - v0.13.13 (2026-05-27) — **Archive extraction-path verification now refuses Windows reserved names, NTFS data streams, and trailing-dot/space per segment.** b.guardFilename.verifyExtractionPath (the per-entry gate b.archive.read.zip.extract / b.safeArchive run on every extracted file) checked traversal, absolute paths, drive-letter and UNC prefixes, null bytes, PATH_MAX overflow, and realpath containment — but not the per-segment Windows write-target hazards the disk validate / sanitize paths already reject. An archive entry named CON, NUL.txt, subdir/LPT1, file.txt:hidden, or secret.txt. stayed inside the extraction root, so the containment and realpath checks passed it, yet on Windows it would resolve to a device, write a hidden NTFS stream, or (after Windows strips the trailing dot/space) overwrite a sibling file. These are now refused: any path segment that collides with a Windows reserved device name, uses NTFS alternate-data-stream syntax (name:stream), or carries a trailing dot or leading/trailing whitespace. The checks are platform-unconditional — a verifier running on Linux still refuses names that are only dangerous on the Windows host that ultimately extracts the archive — with a per-check opt-out (reservedNamePolicy / adsPolicy / leadingTrailingPolicy: "allow") for Linux-only targets. **Security:** *`verifyExtractionPath` refuses per-segment Windows extraction hazards (reserved names / NTFS ADS / trailing dot-space)* — Closes a within-root write-target-redirection gap: an extracted entry could stay inside the destination yet, on Windows, resolve to a device (`CON` / `NUL` / `COM1` / `LPT1`), write a hidden alternate data stream (`file.txt:payload`), or overwrite a sibling after Windows strips a trailing dot/space (`config.`). The verification gate now rejects all three per path segment. Refusal is platform-unconditional (the verifier may run on a different OS than the extractor); set `reservedNamePolicy` / `adsPolicy` / `leadingTrailingPolicy` to `"allow"` to opt a check out on a Linux-only target. Single-entry, name-only residuals — 8.3 short-name aliasing, case-insensitive cross-entry collisions, and archive symlink/hardlink entry-target validation — remain the extract orchestrator's responsibility (it owns the case-folded seen-set and the link-target gate).
12
14
 
13
15
  - v0.13.12 (2026-05-27) — **Inbound MX listener now runs the connection-level gate cascade it documented — HELO identity, DNS blocklist, and greylisting.** b.mail.server.mx.create documented helo / rbl / greylist gate options, but the listener never invoked them — an operator who wired them got silent acceptance of mail those gates would have rejected. They are now wired into the live SMTP state machine: the HELO-identity gate evaluates at HELO/EHLO and refuses a spoofed or malformed identity with 550; the DNS-blocklist gate evaluates the connecting IP once per connection and refuses a listed source with 554; the greylisting gate defers a first-seen (ip, sender, recipient) tuple with a 450 tempfail so legitimate senders retry and pass. Each gate is skipped when the operator doesn't wire it. Because these gates do DNS and store lookups, the per-connection command pump was reworked to process commands asynchronously and strictly in arrival order, so pipelined commands (RFC 2920) cannot overtake a gate still resolving and the existing SMTP-smuggling and STARTTLS-stripping defenses are unchanged. The message-authentication gate (SPF/DKIM/DMARC alignment via b.guardEnvelope) needs the inbound SPF + DKIM verification results as inputs; that inbound-auth pipeline lands as a follow-up, and the documentation no longer implies that gate is active today. **Added:** *HELO-identity / RBL / greylist gates wired into `b.mail.server.mx`* — When wired, `opts.helo` (FCrDNS / HELO-shape / self-name checks) refuses a bad HELO identity at HELO/EHLO with 550; `opts.rbl` refuses a connecting IP found on a DNS blocklist with 554 (evaluated once per connection); `opts.greylist` defers a first-seen (ip, sender, recipient) tuple with 450 4.7.1. Their verdicts surface on the `rcpt_to` event (`rblListed`, `greylist`) and the `helo` event (`heloVerdict`), with dedicated `helo_gate_refused` / `rbl_refused` / `greylist_deferred` audit events. A gate the operator doesn't supply is skipped, never synthesized. **Changed:** *MX command pump processes commands asynchronously and in arrival order* — Gate evaluation involves DNS and store lookups, so the per-connection command pump now awaits each command before the next. Pipelined commands are serialized so a gate resolving cannot let a later command answer ahead of an earlier one; reply ordering, the bare-LF SMTP-smuggling refusal, and the STARTTLS-stripping defense are unchanged. No change to the listener's external behaviour when no gates are wired. **Deprecated:** *SPF/DKIM/DMARC-alignment gate documentation corrected to match what is active* — The `envelope` (SPF/DKIM/DMARC alignment) and `dmarc` gate options were documented as wireable but require inbound SPF + DKIM verification results the listener does not yet produce. They are removed from the documented option set until the inbound-authentication pipeline (composing `b.mail.spf` + `b.mail.dmarc` + DKIM verification) lands; run those checks on the delivered message via the agent handoff in the meantime.
@@ -352,7 +352,7 @@ This is the minimum-viable security posture for a production deployment. The fra
352
352
  - [ ] At boot, before any outbound socket opens: call `b.network.bootFromEnv({ env: process.env, audit: b.audit })` so operator-supplied NTP / DNS / proxy / DPI-trust / TCP socket settings (`BLAMEJS_NTP_*`, `BLAMEJS_DNS_*`, `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`, `BLAMEJS_EXTRA_CA_CERTS`, `BLAMEJS_SOCKET_*`) apply uniformly
353
353
  - [ ] If the deployment sits behind a deep-packet-inspection proxy with its own re-signing CA: install the CA via `b.network.tls.addCa("/path/to/corp-ca.pem", { label: "corp-mitm" })` and pass `allowDpiTrust: true` to `b.security.assertProduction` — every CA addition audits with subject + fingerprint so a forensic review can reconstruct the trust path
354
354
  - [ ] For authenticated time (HIPAA / PCI / FIPS shops): use `b.network.ntp.nts.query({ host: ntsKeServer })` (RFC 8915) instead of plain SNTP; set `BLAMEJS_NTS_REQUIRE=1` to fail closed on negotiation failure
355
- - [ ] When a DNS answer drives a trust decision (DANE / TLSA pinning, SSHFP, CAA enforcement, OPENPGPKEY lookup) and the upstream resolver isn't itself trusted: verify the answer's DNSSEC signature with `b.network.dns.dnssec.verifyRrset(...)` rather than trusting the resolver's AD bit — an on-path or compromised resolver can set AD on a forged answer, but cannot forge the RRSIG. Validate the whole delegation chain root→TLD→zone with `b.network.dns.dnssec.verifyChain(...)` (default-pinned to the IANA root KSKs, or `trustAnchors` for a private root) so trust is anchored, not borrowed from the resolver. For a negative answer that drives a fail-closed decision (an allowlist lookup, a revocation check), verify the NSEC / NSEC3 proof with `b.network.dns.dnssec.verifyDenial(...)` so a forged NXDOMAIN cannot suppress a record; keep the default Opt-Out refusal unless the zone's opt-out spans are acceptable for that decision. For DANE / TLSA, once the TLSA RRset is DNSSEC-verified, pin the peer certificate with `b.network.dns.dane.matchCertificate(...)` — a DANE-EE(3) match authenticates the key with no public CA, while PKIX usages are flagged as still needing PKIX
355
+ - [ ] When a DNS answer drives a trust decision (DANE / TLSA pinning, SSHFP, CAA enforcement, OPENPGPKEY lookup) and the upstream resolver isn't itself trusted: verify the answer's DNSSEC signature with `b.network.dns.dnssec.verifyRrset(...)` rather than trusting the resolver's AD bit — an on-path or compromised resolver can set AD on a forged answer, but cannot forge the RRSIG. Validate the whole delegation chain root→TLD→zone with `b.network.dns.dnssec.verifyChain(...)` (default-pinned to the IANA root KSKs, or `trustAnchors` for a private root) so trust is anchored, not borrowed from the resolver. `verifyChain` bounds KeyTrap (CVE-2023-50387) amplification with non-configurable caps (≤4 same-tag candidate keys per RRSIG, ≤64 DNSKEYs/zone, ≤16 DS/delegation, ≤128 chain links, and a signature-validation budget that scales with chain depth so deep delegations validate while bounded collisions stay bounded) and caps NSEC3 iterations at 150 (CVE-2023-50868) — a hostile zone is refused, not allowed to exhaust CPU. For a negative answer that drives a fail-closed decision (an allowlist lookup, a revocation check), verify the NSEC / NSEC3 proof with `b.network.dns.dnssec.verifyDenial(...)` so a forged NXDOMAIN cannot suppress a record; keep the default Opt-Out refusal unless the zone's opt-out spans are acceptable for that decision. For DANE / TLSA, once the TLSA RRset is DNSSEC-verified, pin the peer certificate with `b.network.dns.dane.matchCertificate(...)` — a DANE-EE(3) match authenticates the key with no public CA, while PKIX usages are flagged as still needing PKIX
356
356
  - [ ] At boot in production: call `await b.security.assertProduction({ vault: "wrapped", dbAtRest: "encrypted", auditSigning: "wrapped", ntpStrict: true, requireEnv: ["BLAMEJS_VAULT_PASSPHRASE"], dataDir: "./data" })` to refuse to start on weak posture instead of warning
357
357
  - [ ] At boot: call `await b.configDrift.create({ dataDir, audit }).checkpoint({ allowedOrigins, csp, vaultMode, ... })` so the next boot detects + audits any silent runtime config change
358
358
  - [ ] At boot, before any listener opens: call `b.configDrift.verifyVendorIntegrity({ manifestPath: "./lib/vendor/MANIFEST.json", audit: b.audit })` so a tampered `lib/vendor/*.cjs` artifact aborts start instead of running with a swapped crypto bundle
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": 1,
3
- "frameworkVersion": "0.13.13",
4
- "createdAt": "2026-05-27T11:10:37.499Z",
3
+ "frameworkVersion": "0.13.14",
4
+ "createdAt": "2026-05-27T12:40:36.809Z",
5
5
  "exports": {
6
6
  "a2a": {
7
7
  "type": "object",
@@ -101,7 +101,16 @@ function _canonicalName(name) {
101
101
  parts.push(Buffer.from([lab.length]), lab);
102
102
  }
103
103
  parts.push(Buffer.from([0]));
104
- return Buffer.concat(parts);
104
+ var wire = Buffer.concat(parts);
105
+ // RFC 1035 §2.3.4 — a domain name is at most 255 octets on the wire.
106
+ // Enforcing it here also bounds the per-label count (and thus the NSEC3
107
+ // closest-encloser candidate enumeration, CVE-2023-50868 class), since
108
+ // each label costs at least 2 octets.
109
+ if (wire.length > 255) { // allow:raw-byte-literal — RFC 1035 total-name octet cap
110
+ throw new DnssecError("dnssec/bad-name",
111
+ "dnssec: name '" + name + "' encodes to " + wire.length + " octets, exceeds RFC 1035 cap of 255");
112
+ }
113
+ return wire;
105
114
  }
106
115
 
107
116
  function _u16(n) { return Buffer.from([(n >> 8) & 0xff, n & 0xff]); } // allow:raw-byte-literal — 16-bit big-endian split
@@ -340,7 +349,28 @@ var BASE32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"; // allow:raw-byte-l
340
349
  var TYPE_DS = 43; // allow:raw-byte-literal — IANA RR type DS
341
350
  var TYPE_CNAME = 5;
342
351
  var NSEC3_HASH_SHA1 = 1; // RFC 5155 §5 — the only registered NSEC3 hash
343
- var DEFAULT_MAX_NSEC3_ITERATIONS = 500; // allow:raw-time-literal — DoS ceiling on iterated SHA-1 (RFC 9276 wants 0; deployed zones still use >0)
352
+ var DEFAULT_MAX_NSEC3_ITERATIONS = 150; // allow:raw-time-literal — DoS ceiling on iterated SHA-1; matches BIND 9.16.33+/Unbound 1.17.1 post-CVE-2023-50868 (RFC 9276 wants 0; deployed zones still use >0)
353
+
354
+ // KeyTrap (CVE-2023-50387) amplification caps. A hostile zone can publish
355
+ // many DNSKEYs sharing one 16-bit key tag and many RRSIGs, forcing a
356
+ // validator into O(keys x sigs) full signature verifications from a single
357
+ // query. Bound both factors: the colliding-candidate fan-out per RRSIG, and
358
+ // the total signature-validation work. Matches the BIND
359
+ // `max-key-tag-collisions` + Unbound validation-budget mitigations.
360
+ //
361
+ // The per-response budget SCALES with declared chain depth so a legitimate
362
+ // deep delegation isn't false-rejected: a valid N-link chain does ~2N-1
363
+ // signature verifies (1 root DNSKEY + parent-DS + child-DNSKEY per child),
364
+ // so the budget is links.length * MAX_VALIDATIONS_PER_LINK (= 2 RRSIGs/link
365
+ // x MAX_COLLIDING_KEYS candidates), which always covers the legitimate work
366
+ // while still bounding the bounded-collision amplification. Chain length
367
+ // itself is capped (a delegation can't be deeper than a DNS name's label
368
+ // count, RFC 1035), so the scaled budget can't be inflated arbitrarily.
369
+ var MAX_COLLIDING_KEYS = 4; // allow:raw-byte-literal — same-tag DNSKEY candidates tried per RRSIG
370
+ var MAX_VALIDATIONS_PER_LINK = 8; // allow:raw-byte-literal — 2 RRSIGs/link x MAX_COLLIDING_KEYS; budget = links.length x this
371
+ var MAX_CHAIN_LINKS = 128; // allow:raw-byte-literal — max delegation depth (>= RFC 1035 max label count)
372
+ var MAX_DNSKEYS_PER_ZONE = 64; // allow:raw-byte-literal — DNSKEY RRset size cap per zone link
373
+ var MAX_DS_RECORDS = 16; // allow:raw-byte-literal — DS RRset size cap (parent-supplied)
344
374
 
345
375
  // RFC 4648 §7 base32hex decode (no padding, case-insensitive) — the
346
376
  // label encoding of an NSEC3 owner-name hash.
@@ -757,12 +787,31 @@ function _keysByTag(dnskeys, tag) {
757
787
  // returning the key that validated. A wrong colliding key yields
758
788
  // `dnssec/bad-signature` — that is not terminal, the next candidate is
759
789
  // tried; any other error (expired, alg) is terminal. RFC 4035 §5.3.1.
760
- function _verifyRrsetWithAnyKey(rrsetBase, rrsig, candidates, noKeyCode, noKeyMsg) {
790
+ function _verifyRrsetWithAnyKey(rrsetBase, rrsig, candidates, noKeyCode, noKeyMsg, budget) {
761
791
  if (candidates.length === 0) throw new DnssecError(noKeyCode, noKeyMsg);
792
+ // KeyTrap (CVE-2023-50387): refuse an absurd same-tag fan-out outright —
793
+ // legitimate zones have 1-2 keys per tag; hundreds is an amplification
794
+ // attack, not a real collision.
795
+ if (candidates.length > MAX_COLLIDING_KEYS) {
796
+ throw new DnssecError("dnssec/too-many-colliding-keys",
797
+ "dnssec.verifyChain: " + candidates.length + " DNSKEYs share key tag " +
798
+ rrsig.keyTag + " (cap " + MAX_COLLIDING_KEYS +
799
+ ") — refused as a KeyTrap (CVE-2023-50387) amplification vector");
800
+ }
762
801
  var lastErr = null;
763
802
  for (var i = 0; i < candidates.length; i++) {
764
803
  var kp = _dnskeyParts(candidates[i]);
765
804
  if (kp.algorithm !== rrsig.algorithm) { lastErr = new DnssecError("dnssec/alg-mismatch", "dnssec.verifyChain: candidate key algorithm does not match the RRSIG"); continue; }
805
+ // Per-response signature-validation budget — bound the total expensive
806
+ // pubkey verifies across the whole chain walk, not just per RRSIG.
807
+ if (budget) {
808
+ if (budget.remaining <= 0) {
809
+ throw new DnssecError("dnssec/validation-budget-exceeded",
810
+ "dnssec.verifyChain: per-response signature-validation budget " +
811
+ "exhausted — refused as a KeyTrap (CVE-2023-50387) amplification vector");
812
+ }
813
+ budget.remaining -= 1;
814
+ }
766
815
  try {
767
816
  verifyRrset(Object.assign({}, rrsetBase, { rrsig: rrsig, dnskey: { algorithm: kp.algorithm, publicKey: kp.publicKey } }));
768
817
  return candidates[i];
@@ -795,6 +844,20 @@ function _verifyRrsetWithAnyKey(rrsetBase, rrsig, candidates, noKeyCode, noKeyMs
795
844
  * passes to <code>verifyRrset</code> / <code>verifyDenial</code> for the
796
845
  * actual answer.
797
846
  *
847
+ * KeyTrap (CVE-2023-50387) amplification is bounded with non-configurable
848
+ * caps: at most 4 same-tag DNSKEY candidates are tried per RRSIG, at most
849
+ * 64 DNSKEYs per zone link and 16 DS records per delegation are accepted,
850
+ * the chain is at most 128 links deep, and the whole response is held to a
851
+ * signature-validation budget that scales with chain depth (so a
852
+ * legitimate deep delegation always fits while bounded collisions stay
853
+ * bounded). A hostile zone publishing many colliding keys / signatures is
854
+ * refused with <code>dnssec/too-many-colliding-keys</code> /
855
+ * <code>dnssec/too-many-dnskeys</code> / <code>dnssec/too-many-ds</code> /
856
+ * <code>dnssec/too-many-links</code> /
857
+ * <code>dnssec/validation-budget-exceeded</code> rather than driving
858
+ * O(keys x sigs) verifications. (NSEC3 iteration counts are separately
859
+ * capped at 150 per RFC 9276 / the CVE-2023-50868 fix.)
860
+ *
798
861
  * @opts
799
862
  * {
800
863
  * links: [ { // ordered root-first
@@ -816,14 +879,35 @@ function verifyChain(opts) {
816
879
  validateOpts.requireObject(opts, "dnssec.verifyChain", DnssecError);
817
880
  validateOpts(opts, ["links", "trustAnchors", "at"], "dnssec.verifyChain");
818
881
  if (!Array.isArray(opts.links) || opts.links.length === 0) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyChain: opts.links must be a non-empty array");
882
+ // Cap delegation depth — a real chain can't be deeper than a DNS name's
883
+ // label count (RFC 1035), and the per-response validation budget below
884
+ // scales with this, so it must be bounded.
885
+ if (opts.links.length > MAX_CHAIN_LINKS) {
886
+ throw new DnssecError("dnssec/too-many-links",
887
+ "dnssec.verifyChain: " + opts.links.length + " chain links (cap " +
888
+ MAX_CHAIN_LINKS + ") — refused as an amplification vector");
889
+ }
819
890
  var anchors = opts.trustAnchors !== undefined ? opts.trustAnchors : DEFAULT_ROOT_ANCHORS;
820
891
  if (!Array.isArray(anchors) || anchors.length === 0) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyChain: opts.trustAnchors must be a non-empty array");
821
892
 
893
+ // KeyTrap budget shared across every signature-validation in this
894
+ // response, scaled to the declared chain depth so a legitimate deep
895
+ // delegation (2N-1 verifies) always fits while bounded collisions stay
896
+ // bounded. Chain length is capped above, so this can't be inflated.
897
+ var budget = { remaining: opts.links.length * MAX_VALIDATIONS_PER_LINK };
898
+
822
899
  var trustedKeys = null, path = [];
823
900
  for (var i = 0; i < opts.links.length; i++) {
824
901
  var link = opts.links[i];
825
902
  if (!link || typeof link.zone !== "string" || link.zone === "") throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].zone is required");
826
903
  if (!Array.isArray(link.dnskeys) || link.dnskeys.length === 0) throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].dnskeys must be a non-empty array");
904
+ // KeyTrap: bound the DNSKEY RRset size per zone so a giant key set
905
+ // can't blow up the key-tag scan / candidate fan-out.
906
+ if (link.dnskeys.length > MAX_DNSKEYS_PER_ZONE) {
907
+ throw new DnssecError("dnssec/too-many-dnskeys",
908
+ "dnssec.verifyChain: links[" + i + "] has " + link.dnskeys.length +
909
+ " DNSKEYs (cap " + MAX_DNSKEYS_PER_ZONE + ") — refused as a KeyTrap (CVE-2023-50387) amplification vector");
910
+ }
827
911
  if (!link.dnskeyRrsig || typeof link.dnskeyRrsig !== "object") throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].dnskeyRrsig is required");
828
912
 
829
913
  // 1. The DNSKEY RRset is self-signed by one of its own keys (trying
@@ -832,7 +916,8 @@ function verifyChain(opts) {
832
916
  { name: link.zone, type: "DNSKEY", rdatas: link.dnskeys, at: opts.at },
833
917
  link.dnskeyRrsig,
834
918
  _keysByTag(link.dnskeys, link.dnskeyRrsig.keyTag),
835
- "dnssec/chain-no-signing-key", "dnssec.verifyChain: no DNSKEY in '" + link.zone + "' verifies the DNSKEY RRSIG"
919
+ "dnssec/chain-no-signing-key", "dnssec.verifyChain: no DNSKEY in '" + link.zone + "' verifies the DNSKEY RRSIG",
920
+ budget
836
921
  );
837
922
 
838
923
  // 2. Establish trust in the signing key.
@@ -851,11 +936,19 @@ function verifyChain(opts) {
851
936
  if (!Array.isArray(link.dsRdatas) || link.dsRdatas.length === 0 || !link.dsRrsig || typeof link.dsRrsig !== "object") {
852
937
  throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "] needs dsRdatas + dsRrsig (DS served by the parent)");
853
938
  }
939
+ // Bound the parent-supplied DS RRset — the DS-match loop below
940
+ // iterates it, and an oversize set is an amplification vector.
941
+ if (link.dsRdatas.length > MAX_DS_RECORDS) {
942
+ throw new DnssecError("dnssec/too-many-ds",
943
+ "dnssec.verifyChain: links[" + i + "] has " + link.dsRdatas.length +
944
+ " DS records (cap " + MAX_DS_RECORDS + ") — refused as an amplification vector");
945
+ }
854
946
  _verifyRrsetWithAnyKey(
855
947
  { name: link.zone, type: "DS", rdatas: link.dsRdatas, at: opts.at },
856
948
  link.dsRrsig,
857
949
  _keysByTag(trustedKeys, link.dsRrsig.keyTag),
858
- "dnssec/chain-no-parent-key", "dnssec.verifyChain: no trusted parent key verifies the DS RRSIG for '" + link.zone + "'"
950
+ "dnssec/chain-no-parent-key", "dnssec.verifyChain: no trusted parent key verifies the DS RRSIG for '" + link.zone + "'",
951
+ budget
859
952
  );
860
953
  var dsMatched = false;
861
954
  for (var d = 0; d < link.dsRdatas.length; d++) {
@@ -681,6 +681,14 @@ function parse(input, opts) {
681
681
  "toml/redefine");
682
682
  }
683
683
  t = sub[sub.length - 1];
684
+ // The array's last element must itself be a table to descend
685
+ // into. A plain VALUE array (e.g. `a = [3]` then `[a.s]`) has a
686
+ // scalar last element — descending would set a property on a
687
+ // number and throw a raw TypeError; refuse it cleanly instead.
688
+ if (t === null || typeof t !== "object" || Array.isArray(t)) {
689
+ throw _err("cannot descend into '" + seg +
690
+ "' — it is a value array, not an array of tables", "toml/redefine");
691
+ }
684
692
  continue;
685
693
  }
686
694
  if (typeof sub !== "object" || sub === null) {
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@blamejs/core",
3
- "version": "0.13.13",
3
+ "version": "0.13.14",
4
4
  "description": "The Node framework that owns its stack.",
5
5
  "license": "Apache-2.0",
6
6
  "author": "blamejs contributors",
@@ -0,0 +1,22 @@
1
+ {
2
+ "$schema": "../scripts/release-notes-schema.json",
3
+ "version": "0.13.14",
4
+ "date": "2026-05-27",
5
+ "headline": "DNSSEC chain validation now bounds KeyTrap (CVE-2023-50387) amplification with hard caps",
6
+ "summary": "b.network.dns.dnssec.verifyChain tried every DNSKEY whose 16-bit key tag matched an RRSIG, with no cap on how many candidates or total signature verifications a single response could drive. A hostile zone publishing many DNSKEYs sharing one key tag (plus matching RRSIGs) could force O(keys x signatures) full public-key verifications from one query — the KeyTrap denial-of-service (CVE-2023-50387). Validation is now bounded by non-configurable caps that match the BIND / Unbound mitigations: at most 4 same-tag candidate keys are tried per RRSIG, at most 64 DNSKEYs per zone link and 16 DS records per delegation are accepted, the chain is at most 128 links deep, and the whole response is held to a signature-validation budget that scales with chain depth (so a legitimate deep delegation is never false-rejected while bounded collisions stay bounded); exceeding any of these refuses the response rather than performing the work. Separately, a domain name that encodes to more than 255 octets is now refused at canonicalization (RFC 1035 §2.3.4), which also bounds the NSEC3 closest-encloser label enumeration, and the NSEC3 iteration ceiling is lowered from 500 to 150 to match the BIND 9.16.33+ / Unbound 1.17.1 fix for the sibling CVE-2023-50868.",
7
+ "sections": [
8
+ {
9
+ "heading": "Security",
10
+ "items": [
11
+ {
12
+ "title": "`verifyChain` caps colliding-key fan-out and total signature validations (KeyTrap / CVE-2023-50387)",
13
+ "body": "A zone advertising many same-key-tag DNSKEYs and RRSIGs can no longer drive unbounded public-key verifications. New refusals: `dnssec/too-many-colliding-keys` (>4 same-tag candidates per RRSIG), `dnssec/too-many-dnskeys` (>64 DNSKEYs per zone link), `dnssec/too-many-ds` (>16 DS records per delegation), `dnssec/too-many-links` (chain deeper than 128), and `dnssec/validation-budget-exceeded` (signature validations beyond the depth-scaled budget). The caps are intentionally non-configurable — they sit well above any legitimate zone, and the budget scales with chain depth so deep delegations validate normally."
14
+ },
15
+ {
16
+ "title": "Domain-name octet cap + lower NSEC3 iteration ceiling",
17
+ "body": "A name that canonicalizes to more than 255 octets is refused (`dnssec/bad-name`, RFC 1035 §2.3.4), which bounds the per-label NSEC3 closest-encloser enumeration (CVE-2023-50868 class). The default NSEC3 iteration ceiling drops from 500 to 150, matching the BIND 9.16.33+ / Unbound 1.17.1 post-CVE defaults (RFC 9276 recommends 0)."
18
+ }
19
+ ]
20
+ }
21
+ ]
22
+ }
@@ -13545,6 +13545,15 @@ function testTomlSecurityRejections() {
13545
13545
  catch (e) { threwRedefine = e.code === "toml/redefine"; }
13546
13546
  check("toml: table redefinition rejected", threwRedefine);
13547
13547
 
13548
+ // Table header descending through a VALUE array (not an array-of-tables)
13549
+ // — `a = [3]` then `[a.s]` walks into the array's scalar element. A fuzz
13550
+ // input hit this; it must refuse cleanly, not throw a raw TypeError.
13551
+ var threwValueArrayDescend = null;
13552
+ try { b.parsers.toml.parse("a = [3]\n[a.s]\n"); }
13553
+ catch (e) { threwValueArrayDescend = e.code; }
13554
+ check("toml: table header descending into a value array rejected cleanly",
13555
+ threwValueArrayDescend === "toml/redefine");
13556
+
13548
13557
  // Size cap
13549
13558
  var threwSize = false;
13550
13559
  try { b.parsers.toml.parse("a = \"" + "x".repeat(2000) + "\"", { maxBytes: 1000 }); }
@@ -390,12 +390,106 @@ function testKeyTagCollision() {
390
390
  check("verifyChain: validates despite a colliding-tag key in the signed set", out.ok === true);
391
391
  }
392
392
 
393
+ // Sign a DS RRset (type 43) with a parent EC key — mirrors
394
+ // _signDnskeyRrset but for the DS record type.
395
+ function _signDsRrset(zone, dsRdatas, parentPriv, parentSignerRdata, inc, exp) {
396
+ var owner = _canonName(zone), ttl = _u32b(3600);
397
+ var labels = zone.replace(/\.$/, "") === "" ? 0 : zone.replace(/\.$/, "").split(".").length;
398
+ var keyTag = b.network.dns.dnssec.keyTag(parentSignerRdata);
399
+ var sorted = dsRdatas.slice().sort(Buffer.compare);
400
+ var rrs = [];
401
+ sorted.forEach(function (rd) { rrs.push(owner, _u16b(43), _u16b(1), ttl, _u16b(rd.length), rd); });
402
+ var prefix = Buffer.concat([_u16b(43), Buffer.from([13, labels]), ttl, _u32b(exp), _u32b(inc), _u16b(keyTag), _canonName(zone)]);
403
+ var signed = Buffer.concat([prefix].concat(rrs));
404
+ var signature = nodeCrypto.sign("sha256", signed, { key: parentPriv, dsaEncoding: "ieee-p1363" });
405
+ return { algorithm: 13, labels: labels, originalTtl: 3600, expiration: exp, inception: inc, keyTag: keyTag, signerName: zone, signature: signature };
406
+ }
407
+ function _dsRdata(tag, alg, digest) {
408
+ return Buffer.concat([_u16b(tag), Buffer.from([alg, 2]), digest]); // keyTag || alg || digestType=2(SHA-256) || digest
409
+ }
410
+
411
+ // The per-response signature-validation budget scales with chain depth, so
412
+ // a legitimate deep delegation (here 11 links → ~21 verifies, well past the
413
+ // old fixed 16) validates rather than hitting dnssec/validation-budget-
414
+ // exceeded (the regression Codex flagged on PR #236).
415
+ function testDeepChainBudget() {
416
+ var now = Math.floor(Date.now() / 1000), inc = now - 60, exp = now + 86400;
417
+ var N = 11;
418
+ var keys = [];
419
+ for (var i = 0; i < N; i++) {
420
+ var kp = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
421
+ keys.push({ rd: _ecDnskey(kp.publicKey), priv: kp.privateKey, zone: "z" + i + "." });
422
+ }
423
+ var links = [];
424
+ for (var j = 0; j < N; j++) {
425
+ var k = keys[j];
426
+ var link = {
427
+ zone: k.zone,
428
+ dnskeys: [k.rd],
429
+ dnskeyRrsig: _signDnskeyRrset(k.zone, [k.rd], k.priv, k.rd, inc, exp),
430
+ };
431
+ if (j > 0) {
432
+ // DS of THIS zone's key, signed by the PARENT (previous link's key).
433
+ var digest = nodeCrypto.createHash("sha256").update(Buffer.concat([_canonName(k.zone), k.rd])).digest();
434
+ var dsRd = _dsRdata(b.network.dns.dnssec.keyTag(k.rd), 13, digest);
435
+ link.dsRdatas = [dsRd];
436
+ link.dsRrsig = _signDsRrset(k.zone, [dsRd], keys[j - 1].priv, keys[j - 1].rd, inc, exp);
437
+ }
438
+ links.push(link);
439
+ }
440
+ // Trust anchor = DS digest of the root (link 0) key.
441
+ var rootDigest = nodeCrypto.createHash("sha256").update(Buffer.concat([_canonName(keys[0].zone), keys[0].rd])).digest();
442
+ var anchor = [{ keyTag: b.network.dns.dnssec.keyTag(keys[0].rd), algorithm: 13, digestType: 2, digest: rootDigest }];
443
+ var out = b.network.dns.dnssec.verifyChain({ links: links, trustAnchors: anchor, at: new Date(now * 1000) });
444
+ check("deep chain (11 links, ~21 verifies) validates under the depth-scaled budget",
445
+ out.ok === true && out.path.length === N);
446
+ }
447
+
448
+ // KeyTrap (CVE-2023-50387) amplification caps. The caps fire on COUNT
449
+ // checks before any signature verification, so a single real EC DNSKEY
450
+ // rdata repeated to hit each threshold is enough.
451
+ function testKeyTrapCaps() {
452
+ function code(fn) { try { fn(); return "NO-THROW"; } catch (e) { return e.code; } }
453
+ var kp = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
454
+ var rd = _ecDnskey(kp.publicKey);
455
+ var tag = b.network.dns.dnssec.keyTag(rd);
456
+ var now = Math.floor(Date.now() / 1000);
457
+ var rrsig = { algorithm: 13, labels: 1, originalTtl: 3600, expiration: now + 86400,
458
+ inception: now - 60, keyTag: tag, signerName: "test.", signature: Buffer.alloc(64) };
459
+ var anchor = [{ keyTag: tag, algorithm: 13, digestType: 2, digest: Buffer.alloc(32) }];
460
+
461
+ // > MAX_COLLIDING_KEYS (4) keys sharing one tag (5 identical rdatas all
462
+ // resolve to the same tag) → refused before any verify.
463
+ var fiveSameTag = [rd, rd, rd, rd, rd];
464
+ check("KeyTrap: >4 same-tag DNSKEY candidates refused",
465
+ code(function () { b.network.dns.dnssec.verifyChain({
466
+ links: [{ zone: "test.", dnskeys: fiveSameTag, dnskeyRrsig: rrsig }],
467
+ trustAnchors: anchor, at: new Date(now * 1000) }); }) === "dnssec/too-many-colliding-keys");
468
+
469
+ // > MAX_DNSKEYS_PER_ZONE (64) in one zone's RRset → refused.
470
+ var bigSet = []; for (var i = 0; i < 65; i++) bigSet.push(rd);
471
+ check("KeyTrap: oversize DNSKEY RRset (>64) refused",
472
+ code(function () { b.network.dns.dnssec.verifyChain({
473
+ links: [{ zone: "test.", dnskeys: bigSet, dnskeyRrsig: rrsig }],
474
+ trustAnchors: anchor, at: new Date(now * 1000) }); }) === "dnssec/too-many-dnskeys");
475
+
476
+ // A name encoding to > 255 octets (128 single-char labels = 257 octets)
477
+ // is refused at canonicalization (RFC 1035 §2.3.4) — bounds the NSEC3
478
+ // closest-encloser label enumeration.
479
+ var longName = new Array(129).join("a.") + "a"; // 129 labels of "a"
480
+ check("KeyTrap: name exceeding 255 octets refused",
481
+ code(function () { b.network.dns.dnssec.verifyDs({ ownerName: longName,
482
+ dnskeyRdata: rd, ds: { keyTag: tag, algorithm: 13, digestType: 2, digest: Buffer.alloc(32) } }); }) === "dnssec/bad-name");
483
+ }
484
+
393
485
  async function run() {
394
486
  testSurface();
395
487
  testRealVectors();
396
488
  testRefusals();
397
489
  testVerifyDs();
398
490
  testVerifyChain();
491
+ testKeyTrapCaps();
492
+ testDeepChainBudget();
399
493
  testNsec3Real();
400
494
  testNsec3Caps();
401
495
  testNsec3OptOut();
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@blamejs/blamejs-shop",
3
- "version": "0.2.2",
3
+ "version": "0.2.3",
4
4
  "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
5
5
  "main": "lib/index.js",
6
6
  "scripts": {