npm - @blamejs/blamejs-shop - Versions diffs - 0.4.30 → 0.4.32 - Mend

@blamejs/blamejs-shop 0.4.30 → 0.4.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (338) hide show

package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-exclusive-temp.test.js ADDED Viewed

@@ -0,0 +1,216 @@
+"use strict";
+/**
+ * b.atomicFile temp-file create hardening (CWE-377 insecure temporary
+ * file / CWE-59 symlink follow).
+ *
+ * Every atomic write stages bytes into a sibling temp file
+ * (`<filepath>.tmp-<csprng>`) before renaming over the destination. The
+ * temp create must be EXCLUSIVE and NO-FOLLOW: an attacker who guesses
+ * (or, on a shared dir, races) the temp path and pre-plants a regular
+ * file or a symlink there must NOT have that file truncated or written
+ * through. O_EXCL makes the open fail with EEXIST when anything already
+ * exists at the path; O_NOFOLLOW refuses a symlink in the final
+ * component where the platform defines it.
+ *
+ * Coverage:
+ *   - write / writeSync round-trip (the atomicity contract is intact)
+ *   - the exact create flag set the substrate uses refuses a pre-existing
+ *     regular file (EEXIST) instead of truncating it
+ *   - the same flag set refuses a pre-existing symlink (does not follow
+ *     it to a victim path) on platforms where symlinks are creatable
+ *   - a symlink planted at the DESTINATION is replaced by the rename, not
+ *     followed — the victim the symlink pointed at is left untouched
+ */
+var fs   = require("fs");
+var path = require("path");
+var helpers = require("../helpers");
+var b       = helpers.b;
+var check   = helpers.check;
+// The production temp-create flag set (lib/atomic-file.js _openExclTemp /
+// lib/http-client.js downloadStream). Reproduced here so the test asserts
+// the SAME security property the substrate depends on; O_NOFOLLOW is
+// undefined on Windows, hence the `|| 0` fold both here and in the source.
+var EXCL_FLAGS = fs.constants.O_WRONLY | fs.constants.O_CREAT |
+  fs.constants.O_EXCL | (fs.constants.O_NOFOLLOW || 0);
+function _tmpDir() {
+  return b.testing.tempDir("atomicfile-excl");
+}
+async function testWriteRoundTrips() {
+  var dir = _tmpDir();
+  try {
+    var p = path.join(dir.path, "state.bin");
+    var payload = Buffer.from("round-trip payload ✓", "utf8");
+    var res = await b.atomicFile.write(p, payload, { computeHash: true });
+    check("write: bytesWritten matches", res.bytesWritten === payload.length);
+    check("write: dest exists",          fs.existsSync(p));
+    check("write: content round-trips",  fs.readFileSync(p).equals(payload));
+    // No temp left behind on the success path.
+    var leftovers = fs.readdirSync(dir.path).filter(function (n) {
+      return n.indexOf("state.bin.tmp-") === 0;
+    });
+    check("write: no temp file leaked", leftovers.length === 0);
+    // Overwrite the same destination — the temp create must succeed each
+    // time even though `p` already exists (we stage to a fresh temp path,
+    // never to `p` itself), and the new bytes must win.
+    var payload2 = Buffer.from("second write", "utf8");
+    await b.atomicFile.write(p, payload2);
+    check("write: overwrite replaces content", fs.readFileSync(p).equals(payload2));
+  } finally {
+    dir.cleanup();
+  }
+}
+function testWriteSyncRoundTrips() {
+  var dir = _tmpDir();
+  try {
+    var p = path.join(dir.path, "sync-state.bin");
+    var payload = Buffer.from("sync payload", "utf8");
+    var res = b.atomicFile.writeSync(p, payload);
+    check("writeSync: bytesWritten matches", res.bytesWritten === payload.length);
+    check("writeSync: content round-trips",  fs.readFileSync(p).equals(payload));
+    var leftovers = fs.readdirSync(dir.path).filter(function (n) {
+      return n.indexOf("sync-state.bin.tmp-") === 0;
+    });
+    check("writeSync: no temp file leaked", leftovers.length === 0);
+  } finally {
+    dir.cleanup();
+  }
+}
+function testExclusiveRefusesExistingFile() {
+  var dir = _tmpDir();
+  try {
+    var p = path.join(dir.path, "victim.bin");
+    fs.writeFileSync(p, "ATTACKER PRE-CREATED THIS", { mode: 0o600 });
+    var threw = null;
+    var fd = null;
+    try {
+      fd = fs.openSync(p, EXCL_FLAGS, 0o600);
+    } catch (e) { threw = e; }
+    finally { if (fd !== null) { try { fs.closeSync(fd); } catch (_c) { /* ignore */ } } }
+    check("excl flags: existing regular file refused with EEXIST",
+          threw != null && threw.code === "EEXIST");
+    // The pre-existing bytes must be intact — O_EXCL refused before any
+    // truncation could happen (the old "w"/O_TRUNC flag would have wiped it).
+    check("excl flags: pre-existing file NOT truncated",
+          fs.readFileSync(p, "utf8") === "ATTACKER PRE-CREATED THIS");
+  } finally {
+    dir.cleanup();
+  }
+}
+function testNoFollowRefusesSymlink() {
+  var dir = _tmpDir();
+  try {
+    var victim = path.join(dir.path, "victim-secret.txt");
+    fs.writeFileSync(victim, "SECRET", { mode: 0o600 });
+    var link = path.join(dir.path, "staged.tmp");
+    var symlinkOk = true;
+    try {
+      fs.symlinkSync(victim, link);
+    } catch (_e) {
+      // Windows without the SeCreateSymbolicLink privilege (common on CI
+      // and dev boxes) cannot create symlinks. The O_NOFOLLOW property is
+      // still exercised by the EEXIST-on-existing-file test above; skip
+      // only the symlink-specific assertion here.
+      symlinkOk = false;
+    }
+    if (symlinkOk) {
+      var threw = null;
+      var fd = null;
+      try {
+        fd = fs.openSync(link, EXCL_FLAGS, 0o600);
+      } catch (e) { threw = e; }
+      finally { if (fd !== null) { try { fs.closeSync(fd); } catch (_c) { /* ignore */ } } }
+      check("excl flags: pre-existing symlink refused (not followed)",
+            threw != null && (threw.code === "EEXIST" || threw.code === "ELOOP"));
+      // The victim the symlink pointed at must be untouched — neither
+      // truncated nor written through.
+      check("excl flags: symlink target (victim) NOT written through",
+            fs.readFileSync(victim, "utf8") === "SECRET");
+    } else {
+      check("excl flags: symlink case skipped (platform lacks symlink privilege)", true);
+    }
+  } finally {
+    dir.cleanup();
+  }
+}
+async function testSymlinkAtDestinationReplacedNotFollowed() {
+  // A symlink planted at the DESTINATION path (not the temp path) must be
+  // replaced by the atomic rename, not followed to its target. The temp
+  // file is created next to the dest, then renamed over the symlink — the
+  // rename swaps the directory entry, leaving the symlink's old target
+  // (the victim) untouched.
+  var dir = _tmpDir();
+  try {
+    var victim = path.join(dir.path, "outside-victim.bin");
+    fs.writeFileSync(victim, "DO NOT OVERWRITE", { mode: 0o600 });
+    var dest = path.join(dir.path, "dest-link.bin");
+    var symlinkOk = true;
+    try { fs.symlinkSync(victim, dest); }
+    catch (_e) { symlinkOk = false; }
+    if (!symlinkOk) {
+      check("dest-symlink case skipped (platform lacks symlink privilege)", true);
+      return;
+    }
+    var payload = Buffer.from("fresh contents", "utf8");
+    await b.atomicFile.write(dest, payload);
+    // dest is now a regular file with the new bytes (the rename replaced
+    // the symlink entry). Open ONE no-follow fd and take both the type
+    // check (fstat) and the byte read from that same descriptor — no
+    // lstat-then-read against the path, which would be a check-then-use
+    // file-system race (CWE-367). O_NOFOLLOW makes the open itself fail
+    // if dest were still a symlink, so a successful open already proves
+    // the rename replaced the link with a regular file.
+    var destFd = fs.openSync(dest, fs.constants.O_RDONLY | (fs.constants.O_NOFOLLOW || 0));
+    try {
+      var fst = fs.fstatSync(destFd);
+      check("dest-symlink: destination is a regular file after write",
+            fst.isFile() && !fst.isSymbolicLink());
+      var destBytes = Buffer.alloc(fst.size);
+      var got = 0;
+      while (got < fst.size) {
+        var n = fs.readSync(destFd, destBytes, got, fst.size - got, null);
+        if (n === 0) break;
+        got += n;
+      }
+      check("dest-symlink: destination holds the new bytes",
+            got === payload.length && destBytes.equals(payload));
+    } finally {
+      fs.closeSync(destFd);
+    }
+    // ... and the victim the symlink pointed at was NOT written through.
+    check("dest-symlink: symlink target (victim) untouched",
+          fs.readFileSync(victim, "utf8") === "DO NOT OVERWRITE");
+  } finally {
+    dir.cleanup();
+  }
+}
+async function run() {
+  await testWriteRoundTrips();
+  testWriteSyncRoundTrips();
+  testExclusiveRefusesExistingFile();
+  testNoFollowRefusesSymlink();
+  await testSymlinkAtDestinationReplacedNotFollowed();
+}
+module.exports = { run: run };
+if (require.main === module) {
+  run().then(function () { console.log("OK"); })
+       .catch(function (e) { console.error(e.stack || e); process.exit(1); });
+}

package/lib/vendor/blamejs/test/layer-0-primitives/audit-checkpoint-false-rollback.test.js ADDED Viewed

@@ -0,0 +1,203 @@
+"use strict";
+// SMOKE_RUN_SOLO — the smoke runner (test/smoke.js) runs this file ALONE
+// with the whole machine instead of inside the parallel layer-0 pool.
+// The test drives the encrypted-at-rest durability path end to end:
+// db.enc re-encryption (flushToDisk), the atomicFile.writeSync tip
+// sidecar, an in-place crash corruption of the tmpfs working file, and a
+// decrypt-from-db.enc reboot — every step a blocking fsync on the real
+// data dir. Under SMOKE_PARALLEL=64 on a virtualized filesystem (the
+// Dropbox-backed working tree, Docker-Desktop FS-virt) 64 sibling forks
+// contend for fsync on the same volume and these synchronous writes
+// overrun the per-file watchdog. There is no single async event to poll
+// past — the contention is whole-process I/O, so the file runs solo and
+// finishes in its normal time. Passes alone and at SMOKE_PARALLEL=16.
+/**
+ * audit.checkpoint() durability vs the boot-time rollback check.
+ *
+ * In encrypted-at-rest mode the live SQLite copy is a tmpfs working file;
+ * durability comes from re-encrypting it into db.enc (flushToDisk /
+ * periodic encrypt / process-exit handler / orderly close). The boot-time
+ * rollback detector compares MAX(monotonicCounter) in the restored DB
+ * against the audit.tip sidecar and REFUSES boot when the DB is below the
+ * tip (the snapshot was rolled back to an older state, or rows were
+ * deleted).
+ *
+ * checkpoint() writes the audit.tip sidecar with atomicFile.writeSync — a
+ * durable write to a real disk path in dataDir — immediately after
+ * inserting the checkpoint row, but WITHOUT first re-encrypting the
+ * audit_log rows it anchors into db.enc. So the tip's durability outruns
+ * the rows' durability: if the process dies between checkpoint() and the
+ * next encrypt, the durable db.enc is BEHIND the durable tip.
+ *
+ * On reboot the tmpfs working copy is gone / discarded as corrupt (the
+ * unclean-shutdown case decryptToTmp falls back from), so the DB is
+ * restored from db.enc — below the tip. The rollback detector then refuses
+ * boot with db/audit-rollback-detected even though the chain is perfectly
+ * intact (it was a normal crash, not a rollback attack or a deletion).
+ *
+ * This test reproduces that crash window and asserts the CORRECT behavior:
+ * a clean reopen with the chain readable, no false rollback refusal. If
+ * checkpoint() left the tip ahead of the durable rows (issue #62), the
+ * reopen throws db/audit-rollback-detected and this test FAILS.
+ *
+ * Scratch dir lives under the repo-local .test-output (not os.tmpdir):
+ * the crash simulation corrupts the working file in place, which static
+ * analysis (CodeQL js/insecure-temporary-file) flags as an insecure
+ * OS-temp-dir write. A gitignored per-test dir outside the shared OS temp
+ * dir sidesteps that false positive and keeps test isolation clean.
+ */
+var helpers = require("../helpers");
+var b                    = helpers.b;
+var check                = helpers.check;
+var fs                   = helpers.fs;
+var path                 = helpers.path;
+var setupTestDb          = helpers.setupTestDb;
+var teardownTestDb       = helpers.teardownTestDb;
+var setTestPassphraseEnv = helpers.setTestPassphraseEnv;
+var SCHEMA = [{ name: "ckpt_t", columns: { _id: "TEXT PRIMARY KEY", v: "TEXT" } }];
+function currentMaxCounter() {
+  var row = b.db.prepare("SELECT MAX(monotonicCounter) AS m FROM audit_log").get();
+  return row && row.m ? Number(row.m) : 0;
+}
+function readTipCounter(tmpDir) {
+  var tipPath = path.join(tmpDir, "audit.tip");
+  var tip = JSON.parse(fs.readFileSync(tipPath, "utf8"));
+  return Number(tip.atMonotonicCounter);
+}
+// Simulate an unclean crash: close the SQLite handle WITHOUT re-encrypting
+// (so db.enc keeps the last flushed snapshot), then corrupt the tmpfs
+// working copy + stamp it newer than db.enc so the next boot's
+// decryptToTmp discards it and restores the durable db.enc. This is the
+// exact shape produced by an unclean shutdown / full tmpfs — the carrier
+// of the post-checkpoint rows is lost, db.enc is the only durable state.
+function simulateCrashDiscardingTmpfs(tmpDir) {
+  b.db._resetForTest(); // drops the handle; leaves the working file on disk
+  var workingDir = path.join(tmpDir, "tmpfs");
+  var workingFile = fs.readdirSync(workingDir).filter(function (f) {
+    return /\.db$/.test(f);
+  })[0];
+  var workingPath = path.join(workingDir, workingFile);
+  var corruptFd = fs.openSync(workingPath, "r+");
+  try {
+    fs.writeSync(corruptFd,
+      Buffer.from("not a sqlite database -- crash\n".repeat(8)), 0, undefined, 0);
+  } finally {
+    fs.closeSync(corruptFd);
+  }
+  var future = new Date(Date.now() + 60000);
+  fs.utimesSync(workingPath, future, future);
+}
+async function reinitDbOnly(tmpDir) {
+  // Re-wire audit-sign from the same passphrase; do NOT reset the vault so
+  // the existing db.enc key still decrypts. Mirrors setupTestDb's pre-init
+  // reset minus the vault reset (the boot-recovery path).
+  setTestPassphraseEnv();
+  b.audit._resetForTest();
+  // Same disk-residency posture as setupTestDb: the fixture's scratch dir is
+  // the repo-local .test-output (not a real tmpfs mount), so the v0.15.0
+  // non-tmpfs tmpDir gate must be opted past explicitly here too — otherwise
+  // db.init refuses with db/tmpdir-not-tmpfs on Linux (the gate is
+  // platform-specific, so this only surfaces off Windows).
+  await b.db.init({
+    dataDir:             tmpDir,
+    tmpDir:              path.join(tmpDir, "tmpfs"),
+    schema:              SCHEMA,
+    allowNonTmpfsTmpDir: true,
+  });
+}
+async function run() {
+  var scratchBase = path.join(__dirname, "..", ".test-output");
+  fs.mkdirSync(scratchBase, { recursive: true });
+  var tmpDir = fs.mkdtempSync(path.join(scratchBase, "audit-ckpt-rollback-"));
+  try {
+    await setupTestDb(tmpDir, SCHEMA);
+    check("test runs in encrypted at-rest mode", b.db.getMode() === "encrypted");
+    // Register an app namespace so safeEmit rows land in the chain (the
+    // async handler drops events under unregistered namespaces).
+    b.audit.registerNamespace("orders");
+    // ---- Baseline: a clean checkpoint that IS flushed to durable disk ----
+    b.audit.safeEmit({ action: "orders.baseline.one", outcome: "success" });
+    b.audit.safeEmit({ action: "orders.baseline.two", outcome: "success" });
+    await b.audit.flush();
+    var baselineCkpt = await b.audit.checkpoint();
+    check("baseline checkpoint anchored", baselineCkpt && baselineCkpt.atMonotonicCounter > 0);
+    await b.db.flushToDisk(); // db.enc + tip now agree at the baseline counter
+    var baselineCounter = currentMaxCounter();
+    check("baseline tip agrees with durable rows",
+          readTipCounter(tmpDir) === baselineCounter);
+    // ---- More audit activity, then a checkpoint that is NOT flushed ----
+    // These rows + the new checkpoint row live only in the tmpfs working
+    // copy; db.enc is unchanged. checkpoint() advances the durable tip.
+    b.audit.safeEmit({ action: "orders.post.one", outcome: "success" });
+    b.audit.safeEmit({ action: "orders.post.two", outcome: "success" });
+    b.audit.safeEmit({ action: "orders.post.three", outcome: "success" });
+    await b.audit.flush();
+    var advancedCounter = currentMaxCounter();
+    check("new audit activity advanced the in-memory counter past baseline",
+          advancedCounter > baselineCounter);
+    var postCkpt = await b.audit.checkpoint();
+    check("post-batch checkpoint anchored at the advanced counter",
+          postCkpt && postCkpt.atMonotonicCounter === advancedCounter);
+    // The tip is now durable and points at the advanced counter — but the
+    // rows it anchors were never re-encrypted into db.enc.
+    check("durable tip advanced to the post-checkpoint counter",
+          readTipCounter(tmpDir) === advancedCounter);
+    // ---- Crash: lose the tmpfs carrier; db.enc stays at the baseline ----
+    simulateCrashDiscardingTmpfs(tmpDir);
+    // ---- Reboot: must NOT falsely refuse with a rollback error ----
+    // The chain is intact — db.enc holds a valid prefix of the same chain,
+    // every row hashes correctly, no row was deleted. A normal crash that
+    // lost unflushed rows is not a rollback attack. checkpoint() should
+    // have flushed the rows durably before (or with) the tip so the tip
+    // never references a counter that isn't on durable disk.
+    var rollbackError = null;
+    try {
+      await reinitDbOnly(tmpDir);
+    } catch (e) {
+      rollbackError = e;
+    }
+    check("reopen after crash does NOT falsely refuse with a rollback error" +
+          (rollbackError ? " (got: " + rollbackError.code + " — " + rollbackError.message + ")" : ""),
+          rollbackError === null);
+    // If the reopen succeeded, the recovered chain must be readable and the
+    // app table intact — a real clean recovery, not a degraded boot.
+    if (rollbackError === null) {
+      var rows = await b.audit.query({ action: "orders.baseline.one" });
+      check("recovered audit chain is readable (baseline row present)", rows.length === 1);
+      var ckptVerify = await b.audit.verifyCheckpoints();
+      check("recovered checkpoints verify clean", ckptVerify.ok === true);
+    }
+  } finally {
+    try { b.db._resetForTest(); } catch (_e) { /* best effort */ }
+    await teardownTestDb(tmpDir);
+  }
+  console.log("OK — audit checkpoint false-rollback tests");
+}
+module.exports = { run: run };
+if (require.main === module) {
+  // Rethrow on failure so Node exits non-zero, instead of logging the
+  // caught error object — a taint analyzer traces a logged error back to
+  // the test passphrase fixture (a non-secret constant) and raises a
+  // false clear-text-logging alert.
+  run().then(function () { process.exit(0); })
+       .catch(function (err) { process.exitCode = 1; throw err; });
+}

package/lib/vendor/blamejs/test/layer-0-primitives/audit-query-self-log.test.js ADDED Viewed

@@ -0,0 +1,126 @@
+"use strict";
+/**
+ * b.audit.query self-logging (PCI DSS 10.2.3) — every read of audit_log
+ * is itself recorded as an `audit.read` event.
+ *
+ * The self-log suppression is decided per-invocation from the call's own
+ * `criteria.action`, never from shared module state. A prior design used a
+ * module-global `_selfLogging` boolean toggled across record()'s await
+ * (chain mutex + SQL yield); a CONCURRENT query() racing a mid-flight
+ * self-log observed the flag set and silently skipped emitting its own
+ * audit.read — under-logging reads exactly when load is highest. These
+ * tests pin: two concurrent reads BOTH log, a single read logs exactly
+ * once (no double/recursive log), and a query targeting `audit.read`
+ * itself does not auto-log.
+ *
+ * Run standalone: `node test/layer-0-primitives/audit-query-self-log.test.js`
+ * Or via smoke:   `node test/smoke.js`
+ */
+var helpers = require("../helpers");
+var b              = helpers.b;
+var fs             = helpers.fs;
+var os             = helpers.os;
+var path           = helpers.path;
+var check          = helpers.check;
+var waitUntil      = helpers.waitUntil;
+var setupTestDb    = helpers.setupTestDb;
+var teardownTestDb = helpers.teardownTestDb;
+function _tmp() { return fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-audit-self-")); }
+// Count audit.read rows directly via the query path that does NOT auto-log
+// (criteria.action === "audit.read"), so counting never perturbs the count.
+async function _readCount() {
+  var rows = await b.audit.query({ action: "audit.read" });
+  return rows.length;
+}
+// ---- Concurrent reads each emit their own audit.read ----
+async function testConcurrentReadsBothLog() {
+  var tmpDir = _tmp();
+  await setupTestDb(tmpDir);
+  try {
+    // Seed a non-read row so the concurrent queries return something and,
+    // more importantly, so each emits its own self-log.
+    await b.audit.record({ action: "consent.granted", outcome: "success" });
+    var before = await _readCount();
+    // Fire two concurrent reads. Pre-fix, the second to enter would see the
+    // module-global flag set by the first (mid-record) and skip its self-log,
+    // so only ONE audit.read would land. Post-fix, BOTH land.
+    var qA = b.audit.query({ action: "consent.granted", actorUserId: "reader-a" });
+    var qB = b.audit.query({ action: "consent.granted", actorUserId: "reader-b" });
+    await Promise.all([qA, qB]);
+    await waitUntil(async function () {
+      return (await _readCount()) >= before + 2;
+    }, { timeoutMs: 5000, label: "M3: both concurrent reads emit audit.read" });
+    var after = await _readCount();
+    check("two concurrent reads emit two audit.read rows (no under-logging)",
+          after === before + 2);
+  } finally {
+    await teardownTestDb(tmpDir);
+  }
+}
+// ---- A single read emits exactly one audit.read (no double/recursion) ----
+async function testSingleReadLogsExactlyOnce() {
+  var tmpDir = _tmp();
+  await setupTestDb(tmpDir);
+  try {
+    await b.audit.record({ action: "consent.granted", outcome: "success" });
+    var before = await _readCount();
+    await b.audit.query({ action: "consent.granted" });
+    var after = await _readCount();
+    check("a single read emits exactly one audit.read (no double/recursive log)",
+          after === before + 1);
+  } finally {
+    await teardownTestDb(tmpDir);
+  }
+}
+// ---- Querying audit.read itself does not auto-log (no Russell spiral) ----
+async function testAuditReadQueryDoesNotSelfLog() {
+  var tmpDir = _tmp();
+  await setupTestDb(tmpDir);
+  try {
+    // Generate at least one audit.read so the table is non-empty.
+    await b.audit.query({ action: "consent.granted" });
+    var before = await _readCount();
+    // Querying for audit.read must NOT emit another audit.read.
+    await b.audit.query({ action: "audit.read" });
+    var after = await _readCount();
+    check("querying action='audit.read' does not auto-log a new audit.read",
+          after === before);
+  } finally {
+    await teardownTestDb(tmpDir);
+  }
+}
+async function run() {
+  await testConcurrentReadsBothLog();
+  await testSingleReadLogsExactlyOnce();
+  await testAuditReadQueryDoesNotSelfLog();
+}
+module.exports = { run: run };
+if (require.main === module) {
+  run().then(function () { console.log("OK"); })
+       // Re-throw rather than console.error the error object: a DB-setup
+       // failure can carry passphrase-derived material on the error, and
+       // logging it would be clear-text logging of sensitive data
+       // (CWE-312). The non-zero exit + thrown stack still surface the
+       // failure to the runner.
+       .catch(function (e) { process.exitCode = 1; throw e; });
+}