@blamejs/blamejs-shop 0.4.31 → 0.4.33

package/lib/vendor/blamejs/lib/safe-url.js

@@ -53,6 +53,11 @@ var nodeUrl = require("node:url");
 var { URL } = require("node:url");
 
 var audit = lazyRequire(function () { return require("./audit"); });
+// ssrf-guard requires safe-url at top of file (the SSRF gate parses through
+// the framework's defensive URL parser); lazyRequire breaks that cycle so the
+// canonicalizer can reuse ssrf-guard's IP-literal canonicalization without an
+// at-load circular require.
+var ssrfGuard = lazyRequire(function () { return require("./ssrf-guard"); });
 
 /**
  * @primitive b.safeUrl.ALLOW_HTTP_TLS
@@ -168,9 +173,9 @@ var ALLOW_ANY      = Object.freeze(["http:", "https:", "ws:", "wss:"]);
  * Extends `FrameworkError`. Carries a stable `.code`:
  * `safe-url/missing` / `safe-url/too-long` / `safe-url/malformed` /
  * `safe-url/protocol-disallowed` / `safe-url/userinfo-disallowed` /
- * `safe-url/idn-homograph` / `safe-url/bad-opt`. HTTP middleware
- * inspects `.code` to translate the throw into a 400 without
- * leaking parser internals.
+ * `safe-url/idn-homograph` / `safe-url/uncanonicalizable` /
+ * `safe-url/bad-opt`. HTTP middleware inspects `.code` to translate
+ * the throw into a 400 without leaking parser internals.
  *
  * @example
  *   var b = require("blamejs");
@@ -205,6 +210,38 @@ function _makeError(errorClass, code, message) {
 // payloads) override via opts.maxUrlLength.
 var DEFAULT_MAX_URL_LENGTH = C.BYTES.kib(8);
 
+// RFC 3986 §6.2.2 percent-encoding normalization applied CONSERVATIVELY to a
+// path segment string: uppercase the two hex digits of every valid escape
+// (§6.2.2.2) and decode an escape of an unreserved character to its literal
+// (§6.2.2.3). A malformed escape (`%`, `%g`, `%4`) is passed through verbatim
+// so no information is invented. Query and fragment are NOT touched —
+// reordering / re-decoding there can change application semantics (a `%26`
+// inside a value is NOT the same as a literal `&`).
+function _normalizePctPath(path) {
+  if (typeof path !== "string" || path.indexOf("%") === -1) return path;
+  var out = "";
+  for (var i = 0; i < path.length; i += 1) {
+    var ch = path.charAt(i);
+    if (ch === "%") {
+      // The escape's two hex digits — sliced to a fixed two-char window so
+      // the regex test runs on a length-bounded string (no ReDoS surface).
+      var pair = path.slice(i + 1, i + 3);
+      if (pair.length === 2 && codepointClass.HEX_PAIR_RE.test(pair)) {
+        var cc = parseInt(pair, 16);
+        if (codepointClass.isUnreserved(cc)) {
+          out += String.fromCharCode(cc);
+        } else {
+          out += "%" + pair.toUpperCase();
+        }
+        i += 2;
+        continue;
+      }
+    }
+    out += ch;
+  }
+  return out;
+}
+
 /**
  * @primitive b.safeUrl.parse
  * @signature b.safeUrl.parse(url, opts?)
@@ -416,9 +453,139 @@ function format(url) {
   }
 }
 
+/**
+ * @primitive b.safeUrl.canonicalize
+ * @signature b.safeUrl.canonicalize(input, opts?)
+ * @since     0.15.6
+ * @status    stable
+ * @related   b.safeUrl.parse, b.ssrfGuard.canonicalizeHost, b.ssrfGuard.checkUrl
+ *
+ * Return the single canonical, comparable form of a URL so two
+ * spellings of the same destination compare equal as strings. The use
+ * cases are host allowlists, dedup / cache keys, and SSRF pre-checks —
+ * exactly the places an attacker reaches for an obfuscated host
+ * (`http://0177.0.0.1/`, `http://2130706433/`, `http://[::ffff:7f00:1]/`,
+ * an IDN homograph, a trailing-dot or default-port variation) to slip
+ * past a naive `===` allowlist. Routing every comparison through one
+ * audited canonicalizer closes that class instead of leaving each
+ * caller to re-derive normalization (which is how the bypasses happen).
+ *
+ * The canonical form is built from `parse`'s defensive gates plus the
+ * security-relevant normalization set:
+ *
+ *   - Scheme and host lowercased (the WHATWG URL parser does this).
+ *   - Host IDN labels emitted as their punycode `xn--` A-label; a
+ *     mixed-script / confusable host label THROWS exactly as
+ *     `parse` does (a homograph is never silently passed) unless the
+ *     caller opts in via `allowMixedScript` / `allowedScripts`.
+ *   - A trailing dot on the host is removed (`example.com.` →
+ *     `example.com`) — DNS-equivalent but breaks string comparison.
+ *   - An IP-literal host in ANY notation collapses to one canonical
+ *     string via `b.ssrfGuard.canonicalizeHost` (the SAME byte parser
+ *     the SSRF classifier matches on): IPv4 decimal / octal / hex /
+ *     shorthand → dotted-quad; IPv6 (incl. IPv4-mapped + any
+ *     zero-compression) → RFC 5952 lower-hex, bracketed.
+ *   - The default port for the scheme is stripped (`:80` http/ws,
+ *     `:443` https/wss — the parser does this).
+ *   - Path `.` / `..` segments resolved (WHATWG), then RFC 3986 §6.2.2
+ *     percent-normalization applied to the path: hex digits uppercased,
+ *     escapes of unreserved characters decoded. Query and fragment are
+ *     left BYTE-FOR-BYTE as parsed — reordering or re-decoding there can
+ *     change application semantics.
+ *
+ * Throws `SafeUrlError` (or `opts.errorClass`): the `parse` codes for a
+ * missing / too-long / malformed / disallowed-scheme / userinfo /
+ * homograph input, plus `safe-url/uncanonicalizable` when a parsed URL
+ * cannot be reduced to a safe canonical form. This is a config /
+ * entry-point validator — it THROWS on bad input, it does NOT return a
+ * best-effort string.
+ *
+ * @opts
+ *   allowedSchemes:   string[],   // default ALLOW_ANY (http/https/ws/wss); canonicalize is a compare tool, not a fetch gate
+ *   allowUserinfo:    boolean,    // default false; opt-in to keep user:pass@ (still discouraged)
+ *   allowMixedScript: boolean,    // default false; opt-in to mixed-script host labels
+ *   allowedScripts:   string[],   // narrow mixed-script allowlist (e.g. ["latin","cyrillic"])
+ *   maxUrlLength:     number,     // default 8192 (RFC 7230 §3.1.1)
+ *   errorClass:       Function,   // throw this instead of SafeUrlError
+ *
+ * @example
+ *   var b = require("blamejs");
+ *
+ *   // Every obfuscated loopback spelling collapses to one string.
+ *   b.safeUrl.canonicalize("http://0177.0.0.1/");      // → "http://127.0.0.1/"
+ *   b.safeUrl.canonicalize("http://2130706433/");      // → "http://127.0.0.1/"
+ *   b.safeUrl.canonicalize("http://127.1/");           // → "http://127.0.0.1/"
+ *
+ *   // Case, default port, trailing dot, and `..` all normalize.
+ *   b.safeUrl.canonicalize("https://Example.COM:443/a/../b");
+ *   // → "https://example.com/b"
+ *
+ *   // A disallowed scheme throws SafeUrlError.
+ *   try { b.safeUrl.canonicalize("ftp://example.com/"); }
+ *   catch (e) { e.code; }   // → "safe-url/protocol-disallowed"
+ */
+function canonicalize(input, opts) {
+  opts = opts || {};
+  var allowedSchemes = Array.isArray(opts.allowedSchemes) && opts.allowedSchemes.length > 0
+    ? opts.allowedSchemes
+    : ALLOW_ANY;
+
+  // Route through parse — it owns the length cap, the scheme allowlist,
+  // userinfo refusal, and the IDN-homograph defense. A parse throw (with
+  // its stable .code) propagates unchanged so callers branch on the same
+  // codes parse documents.
+  var parsed = parse(input, {
+    allowedProtocols: allowedSchemes,
+    maxUrlLength:     opts.maxUrlLength,
+    allowUserinfo:    opts.allowUserinfo,
+    allowMixedScript: opts.allowMixedScript,
+    allowedScripts:   opts.allowedScripts,
+    errorClass:       opts.errorClass,
+  });
+
+  try {
+    // The parser already lowercased the scheme + host, stripped the
+    // default port, emitted IDN as punycode, and resolved `.`/`..`. The
+    // canonicalizer adds: IP-literal collapse (shared with the SSRF
+    // classifier), trailing-dot removal, and path percent-normalization.
+    var scheme = parsed.protocol;                 // e.g. "https:"
+    var rawHost = parsed.hostname;                // already lowercase / punycode / default-port-free
+    var canonHost = ssrfGuard().canonicalizeHost(rawHost);
+    // canonicalizeHost returns IPv6 UNbracketed; a URL authority needs the
+    // brackets back. net.isIP via the colon is a sufficient discriminator
+    // (a DNS label can't contain a colon).
+    var host = canonHost.indexOf(":") !== -1 ? "[" + canonHost + "]" : canonHost;
+
+    // Userinfo (`user:pass@`) is deliberately DROPPED from the canonical form.
+    // The canonical string is built to be compared, used as a dedup / cache
+    // key, or logged; carrying a credential into any of those leaks it, and
+    // the username/password are not part of the resource's target identity for
+    // an allowlist / SSRF decision. parse() already refuses userinfo unless
+    // allowUserinfo:true; even then, the canonical output omits it (never reads
+    // parsed.password), so two URLs that differ only in credentials canonicalize
+    // equal.
+
+    var port = parsed.port !== "" ? ":" + parsed.port : "";
+    var path = _normalizePctPath(parsed.pathname);
+    // Query + fragment: byte-for-byte as the parser emitted them. Reordering
+    // a query or re-decoding a value changes semantics — out of scope for a
+    // safe canonicalizer.
+    var query = parsed.search;
+    var fragment = parsed.hash;
+
+    return scheme + "//" + host + port + path + query + fragment;
+  } catch (e) {
+    if (e && e.isSafeUrlError) throw e;
+    throw _makeError(opts.errorClass, "safe-url/uncanonicalizable",
+      "safeUrl.canonicalize could not reduce the URL to a canonical form: " +
+        ((e && e.message) || String(e)));
+  }
+}
+
 module.exports = {
   parse:           parse,
   format:          format,
+  canonicalize:    canonicalize,
   SafeUrlError:    SafeUrlError,
   ALLOW_HTTP_TLS:  ALLOW_HTTP_TLS,
   ALLOW_HTTP_ALL:  ALLOW_HTTP_ALL,

package/lib/vendor/blamejs/lib/safe-vcard.js

@@ -63,6 +63,7 @@
 
 var C = require("./constants");
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var SafeVcardError = defineClass("SafeVcardError", { alwaysPermanent: true });
 
@@ -90,12 +91,7 @@ var PROFILES = Object.freeze({
   }),
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 // Property-name allowlist per RFC 6350 §6 (vCard 4.0 property
 // registry) + RFC 2426 §3 (legacy 3.0 properties retained for
@@ -217,24 +213,6 @@ function parse(text, opts) {
   return { vcards: vcards };
 }
 
-/**
- * @primitive b.safeVcard.compliancePosture
- * @signature b.safeVcard.compliancePosture(name)
- * @since     0.9.81
- * @status    stable
- * @related   b.safeVcard.parse
- *
- * Map a compliance-posture name to its profile. Returns the profile
- * string for a known posture, `null` for unknown names.
- *
- * @example
- *   b.safeVcard.compliancePosture("hipaa");   // -> "strict"
- *   b.safeVcard.compliancePosture("loose");   // -> null
- */
-function compliancePosture(name) {
-  return COMPLIANCE_POSTURES[name] || null;
-}
-
 // ---- Internal ----
 
 function _resolveCaps(opts) {
@@ -462,12 +440,19 @@ function _preview(s) {
   return s.length > 64 ? s.slice(0, 64) + "..." : s;                                                       // log-preview length cap
 }
 
-module.exports = {
-  parse:               parse,
-  compliancePosture:   compliancePosture,
-  PROFILES:            PROFILES,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  KNOWN_PROPERTIES:    KNOWN_PROPERTIES,
-  EMBED_PROPERTIES:    EMBED_PROPERTIES,
-  SafeVcardError:      SafeVcardError,
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "vcard",
+  entry:      parse,
+  entryName:  "parse",
+  errorClass: SafeVcardError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    KNOWN_PROPERTIES: KNOWN_PROPERTIES,
+    EMBED_PROPERTIES: EMBED_PROPERTIES,
+  },
+});

package/lib/vendor/blamejs/lib/scheduler.js

@@ -43,6 +43,7 @@ var lazyRequire = require("./lazy-require");
 var audit  = lazyRequire(function () { return require("./audit"); });
 var log    = lazyRequire(function () { return require("./log").boot("scheduler"); });
 var clusterStorage = require("./cluster-storage");
+var sql = require("./sql");
 var validateOpts = require("./validate-opts");
 var C = require("./constants");
 var { SchedulerError } = require("./framework-error");
@@ -51,6 +52,18 @@ var DEFAULT_MAX_JOB_MS             = C.TIME.minutes(10);
 var DEFAULT_TICK_RETENTION_MS      = C.TIME.days(7);
 var DEFAULT_TICK_PRUNE_INTERVAL_MS = C.TIME.minutes(1);
 
+// b.sql opts for every _blamejs_scheduler_ticks statement: thread the ACTIVE
+// backend dialect (clusterStorage.dialect() — "sqlite" single-node,
+// "postgres" | "mysql" in cluster mode) so the emitted identifier quoting +
+// dialect idioms (ON CONFLICT DO NOTHING vs the MySQL no-op fold) match the
+// backend the SQL dispatches to. Defaulting to "sqlite" works on Postgres
+// only by accident (both double-quote identifiers) and emits the wrong
+// quoting on MySQL. clusterStorage.execute still rewrites the bare table name
+// + translates `?` placeholders at dispatch; this controls only the builder-
+// side quoting + idiom selection. The table name stays BARE (no quoteName)
+// so clusterStorage's prefix rewrite still fires.
+function _ticksSqlOpts() { return { dialect: clusterStorage.dialect() }; }
+
 // ---- Cron parsing ----
 
 var CRON_SHORTHANDS = {
@@ -475,6 +488,10 @@ function create(opts) {
       lastError: null,
       running:   false,
       runningSince: 0,
+      // Monotonic run tag. The watchdog and each fire bump it, so a run the
+      // watchdog abandoned can't clobber state / emit a stale settle event
+      // when its slow promise finally resolves.
+      runGeneration: 0,
       fires:     0,
       misses:    0,    // skipped because previous run still in-flight
       nonLeaderSkips: 0,
@@ -497,7 +514,7 @@ function create(opts) {
         task.nextRun = Date.now() + spec.every;
       }
       task.exprDesc = "every " + spec.every + "ms" +
-                      (spec.baseline ? " from " + spec.baseline : "") +
+                      (spec.baseline ? " anchored " + spec.baseline : "") +
                       (tz ? " " + tz : "");
     }
 
@@ -527,6 +544,8 @@ function create(opts) {
             (maxJobMs / C.TIME.seconds(1)) + "s — forcing reset");
         } catch (_e) { /* logger best-effort */ }
         _emit("system.scheduler.task.watchdog", { name: task.name }, "failure");
+        // Supersede the abandoned run so its late settle is ignored.
+        task.runGeneration++;
         task.running = false;
       } else {
         task.misses++;
@@ -562,13 +581,23 @@ function create(opts) {
       var tickKey = task.name + ":" + nominalRun;
       var claimedBy = (typeof clusterInstance.currentNodeId === "function")
         ? clusterInstance.currentNodeId() : "unknown";
-      clusterStorage.execute(
-        "INSERT INTO _blamejs_scheduler_ticks " +
-        "(tickKey, name, scheduledAtUnix, claimedAtUnix, claimedBy) " +
-        "VALUES (?, ?, ?, ?, ?) " +
-        "ON CONFLICT (tickKey) DO NOTHING",
-        [tickKey, task.name, nominalRun, Date.now(), claimedBy]
-      ).then(function (result) {
+      // BARE logical table name — clusterStorage rewrites _blamejs_scheduler_ticks
+      // to the configured prefix and placeholderizes the ? markers. The
+      // PRIMARY KEY race on tickKey deduplicates the split-brain window; the
+      // loser's ON CONFLICT DO NOTHING reports zero rowCount and skips.
+      var claimBuilt = sql.upsert("_blamejs_scheduler_ticks", _ticksSqlOpts())   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
+        .columns(["tickKey", "name", "scheduledAtUnix", "claimedAtUnix", "claimedBy"])
+        .values({
+          tickKey:         tickKey,
+          name:            task.name,
+          scheduledAtUnix: nominalRun,
+          claimedAtUnix:   Date.now(),
+          claimedBy:       claimedBy,
+        })
+        .onConflict(["tickKey"])
+        .doNothing()
+        .toSql();
+      clusterStorage.execute(claimBuilt.sql, claimBuilt.params).then(function (result) {
         var won = (result && result.rowCount > 0);
         if (won) {
           _runFire(task);
@@ -604,10 +633,10 @@ function create(opts) {
     var threshold = Date.now() - (
       typeof olderThanMs === "number" ? olderThanMs : tickRetentionMs
     );
-    var result = await clusterStorage.execute(
-      "DELETE FROM _blamejs_scheduler_ticks WHERE scheduledAtUnix < ?",
-      [threshold]
-    );
+    var pruneBuilt = sql.delete("_blamejs_scheduler_ticks", _ticksSqlOpts())   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
+      .where("scheduledAtUnix", "<", threshold)
+      .toSql();
+    var result = await clusterStorage.execute(pruneBuilt.sql, pruneBuilt.params);
     var removed = (result && result.rowCount) || 0;
     if (removed > 0) {
       _emit("system.scheduler.tick.pruned", {
@@ -642,6 +671,10 @@ function create(opts) {
     task.runningSince = Date.now();
     task.lastRun = new Date().toISOString();
     var startedAt = Date.now();
+    // Tag this run. The settle handlers below only write back if the tag still
+    // matches — so a run the watchdog reset (or a newer fire) can't clobber the
+    // current run's state or emit a stale success/failure when it settles late.
+    var gen = (task.runGeneration = (task.runGeneration || 0) + 1);
 
     var promise;
     try {
@@ -655,6 +688,7 @@ function create(opts) {
     }
 
     Promise.resolve(promise).then(function (_v) {
+      if (task.runGeneration !== gen) return;   // watchdog/newer fire superseded this run
       task.running = false;
       task.runningSince = 0;
       task.lastFinish = new Date().toISOString();
@@ -666,6 +700,7 @@ function create(opts) {
         viaJob:     !!task.job,
       });
     }, function (e) {
+      if (task.runGeneration !== gen) return;   // watchdog/newer fire superseded this run
       task.running = false;
       task.runningSince = 0;
       task.lastFinish = new Date().toISOString();