@blamejs/blamejs-shop 0.4.31 → 0.4.33

package/lib/vendor/blamejs/lib/sse.js

@@ -247,6 +247,21 @@ function create(req, res, opts) {
   // proxyBuffer: false to suppress the nginx-specific header.
   var proxyBuffer = opts.proxyBuffer !== false;
 
+  // Slow-consumer bound. SSE is server-push: when a client stalls, res.write()
+  // returns false but the app keeps pushing, so Node buffers the unsent bytes
+  // in res.writableLength without limit — one stuck connection grows the heap
+  // until exhaustion (memory-exhaustion DoS). Cap the per-channel buffer and
+  // evict the slow consumer past it. A healthy client (writableLength ~0) is
+  // never affected. Config-time input → throw on a bad value.
+  var maxBufferedBytes = opts.maxBufferedBytes;
+  if (maxBufferedBytes === undefined) maxBufferedBytes = C.BYTES.mib(1);
+  if (typeof maxBufferedBytes !== "number" || !isFinite(maxBufferedBytes) ||
+      maxBufferedBytes <= 0 || Math.floor(maxBufferedBytes) !== maxBufferedBytes) {
+    throw errorClass.factory("sse/bad-opts",
+      "sse.create: maxBufferedBytes must be a positive integer byte count (got " +
+      JSON.stringify(maxBufferedBytes) + ")");
+  }
+
   var lastEventId = _readLastEventId(req);
 
   // Headers. text/event-stream is the contract; Cache-Control: no-cache
@@ -275,6 +290,17 @@ function create(req, res, opts) {
         "sse.send: channel closed");
     }
     res.write(s);
+    // res.writableLength is the count of bytes Node has buffered but not yet
+    // flushed to the socket. A healthy client drains it (≈0); a stalled one
+    // lets it climb. Past the per-channel cap, evict the slow consumer rather
+    // than buffer without bound. h2 streams + h1 responses both expose it.
+    var buffered = (typeof res.writableLength === "number") ? res.writableLength : 0;
+    if (buffered > maxBufferedBytes) {
+      close({ reason: "backpressure-exceeded" });
+      throw errorClass.factory("sse/backpressure",
+        "sse.send: client too slow — buffered " + buffered +
+        " bytes exceeds maxBufferedBytes " + maxBufferedBytes + "; channel closed");
+    }
   }
 
   function send(eventOpts) {

package/lib/vendor/blamejs/lib/ssrf-guard.js

@@ -148,12 +148,27 @@ var IPV6_6TO4_PREFIX      = _ipv6ToBytes("2002::");
 // or attempted exfil to a sinkhole.
 var IPV6_DISCARD_PREFIX   = _ipv6ToBytes("100::");
 
-// ---- Cloud metadata addresses (string-equality, exact match) ----
+// ---- Cloud metadata addresses (matched on CANONICAL bytes, not string) ----
+// The documentation strings below are the human-readable canonical forms.
+// Matching is byte-canonical (see _isCloudMetadataAddr): an IPv6 address has
+// many textual representations (compressed `::`, fully-expanded
+// `fd00:ec2:0:0:0:0:0:254`, mixed-case) that all decode to the same 16 bytes.
+// A string-equality membership test matched only ONE spelling, so a hostile
+// (or merely DoH-decoded — network-dns.js emits the expanded form) answer of
+// `fd00:ec2:0:0:0:0:0:254` slipped past as "private" and rode the documented
+// `allowInternal:true` waiver straight into the IMDS credential endpoint.
 var CLOUD_METADATA_IPS = [
   "169.254.169.254",       // AWS, GCP, Azure, OpenStack, DO
   "169.254.170.2",         // AWS ECS task role
   "fd00:ec2::254",         // AWS IMDS over IPv6
 ];
+// Canonical byte forms of the metadata IPs — v4 as a 4-byte Buffer, v6 as a
+// 16-byte Buffer. Built once at load via the same parsers classify() uses,
+// so every textual representation that decodes to these bytes is caught.
+var CLOUD_METADATA_BYTES = CLOUD_METADATA_IPS.map(function (ip) {
+  var fam = net.isIP(ip);
+  return fam === 4 ? _ipv4ToBytes(ip) : _ipv6ToBytes(ip);
+});
 
 // ---- Helpers ----
 
@@ -180,6 +195,14 @@ function _ipv4ToInt(ip) {
           nums[3];
 }
 
+function _ipv4ToBytes(ip) {
+  // Canonical 4-byte form of an IPv4 address. Returns null on malformed
+  // input so a metadata-membership test never matches garbage.
+  var n = _ipv4ToInt(ip);
+  if (!Number.isFinite(n)) return null;
+  return Buffer.from([(n >>> 24) & 0xff, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff]);
+}
+
 function _ipv6ToBytes(ip) {
   // Node's net.isIPv6 returns 6 for valid IPv6; we then expand
   // shorthand via manual parsing. node:net doesn't export an
@@ -224,6 +247,123 @@ function _expandIpv6(ip) {
   return left.concat(fill).concat(right);
 }
 
+function _ipv6BytesToString(bytes) {
+  // RFC 5952 §4 canonical textual form from 16 canonical bytes: lower-hex,
+  // no leading zeros per group, the LONGEST run of two-or-more zero groups
+  // compressed to "::" (leftmost run on a length tie — §4.2.3), and the
+  // shortened-but-not-IPv4-dotted form (the framework keeps IPv4-mapped as
+  // pure hex so every mapped spelling collapses to one string). Driven off
+  // the same 16-byte buffer classify() matches on, so the emitted string and
+  // the security verdict can never disagree about which address this is.
+  var groups = [];
+  for (var i = 0; i < IPV6_GROUPS; i++) {
+    groups.push(((bytes[i * 2] << 8) | bytes[i * 2 + 1]) & 0xffff);
+  }
+  var bestStart = -1, bestLen = 0, curStart = -1, curLen = 0;
+  for (var g = 0; g < IPV6_GROUPS; g++) {
+    if (groups[g] === 0) {
+      if (curStart === -1) { curStart = g; curLen = 1; } else { curLen += 1; }
+      if (curLen > bestLen) { bestLen = curLen; bestStart = curStart; }
+    } else {
+      curStart = -1;
+      curLen = 0;
+    }
+  }
+  // A single zero group is NOT compressed (RFC 5952 §4.2.2).
+  if (bestLen < 2) bestStart = -1;
+  var parts = [];
+  for (var k = 0; k < IPV6_GROUPS; k++) {
+    if (bestStart !== -1 && k === bestStart) {
+      parts.push("");
+      k += bestLen - 1;
+      // A run reaching the final group needs a trailing empty part so the
+      // join yields the "::"-terminated form (e.g. fe80:: not fe80:).
+      if (k === IPV6_GROUPS - 1) parts.push("");
+      continue;
+    }
+    parts.push(groups[k].toString(HEX_RADIX));
+  }
+  var out = parts.join(":");
+  // A run starting at group 0 needs a leading empty part ("::1", "::").
+  if (bestStart === 0) out = ":" + out;
+  return out;
+}
+
+/**
+ * @primitive b.ssrfGuard.canonicalizeHost
+ * @signature b.ssrfGuard.canonicalizeHost(host)
+ * @since     0.15.6
+ * @status    stable
+ * @related   b.ssrfGuard.classify, b.safeUrl.canonicalize
+ *
+ * Canonicalize a bare host string to its single comparable form for
+ * host allowlists, dedup keys, and SSRF pre-checks. A `net.isIP`-valid
+ * IP literal collapses to one canonical string: a dotted-quad IPv4
+ * stays dotted-quad; IPv6 in any zero-compression / mixed-case /
+ * IPv4-mapped spelling (`[0:0:0:0:0:ffff:7f00:1]`, `::FFFF:7F00:1`)
+ * becomes the RFC 5952 lower-hex compressed form. The IP bytes are
+ * parsed by the SAME routines `classify` matches on, so the canonical
+ * string and the SSRF verdict can never disagree about which address a
+ * host is.
+ *
+ * The numeric-base IPv4 decode (octal `0177.0.0.1`, hex `0x7f000001`,
+ * single-integer `2130706433`, shorthand `127.1`) is the WHATWG URL
+ * parser's job — `b.safeUrl.canonicalize` runs that FIRST and hands this
+ * primitive the already-decoded dotted-quad. This is the IP-byte + case
+ * layer, not the base decoder.
+ *
+ * A DNS name (not an IP literal) is lowercased and any trailing dot is
+ * stripped — `Example.COM.` → `example.com`. IDN A-label / U-label
+ * normalization is NOT done here (the WHATWG URL parser owns that via
+ * `b.safeUrl.canonicalize`).
+ * `[...]`-bracketed IPv6 input is accepted (brackets stripped); the
+ * returned IPv6 string is UNbracketed (the URL layer re-adds brackets).
+ *
+ * @example
+ *   var b = require("blamejs");
+ *   b.ssrfGuard.canonicalizeHost("[0:0:0:0:0:0:0:1]");    // → "::1"
+ *   b.ssrfGuard.canonicalizeHost("::FFFF:7F00:1");        // → "::ffff:7f00:1"
+ *   b.ssrfGuard.canonicalizeHost("Example.COM.");         // → "example.com"
+ */
+function canonicalizeHost(host) {
+  if (typeof host !== "string" || host.length === 0) return host;
+  var bare = host.replace(/^\[|\]$/g, "");
+  var family = net.isIP(bare);
+  if (family === 4) {
+    var v4 = _ipv4ToBytes(bare);
+    if (v4) return v4[0] + "." + v4[1] + "." + v4[2] + "." + v4[3];
+    return bare.toLowerCase();
+  }
+  if (family === 6) {
+    var v6bytes = _ipv6ToBytes(bare);
+    // An IPv4-mapped IPv6 address (::ffff:a.b.c.d, the ::ffff:0:0/96 block) IS
+    // the IPv4 address a.b.c.d for routing / access control — classify() already
+    // re-classifies it by the embedded v4, and a dual-stack peer arriving on
+    // ::ffff:1.2.3.4 reaches the same host as 1.2.3.4. Fold it to the dotted
+    // IPv4 form so a dual-stack peer and an operator's IPv4 allowlist entry
+    // canonicalize equal. ONLY the IPv4-mapped block (::ffff:0:0/96) folds,
+    // because classify(::ffff:x) === classify(x) — its classify branch returns
+    // the embedded-v4 verdict with no reserved fallback, so folding can't change
+    // an SSRF verdict. NAT64 (64:ff9b::/96) and 6to4 (2002::/16) are NOT folded:
+    // classify treats a NAT64 literal as `classify(v4) || "reserved"`, so a
+    // public NAT64 address classifies as "reserved" while its embedded v4 is
+    // null — folding would flip a blocked verdict to an allowed public IPv4.
+    // classify still reaches the embedded v4 for the deny side; the canonical
+    // form keeps NAT64 / 6to4 as IPv6 so canonicalize-then-classify agrees with
+    // classify alone.
+    if (_ipv6PrefixMatch(IPV6_V4_MAPPED_PREFIX, C.BYTES.bytes(96), v6bytes)) {
+      return v6bytes[12] + "." + v6bytes[13] + "." + v6bytes[14] + "." + v6bytes[15];
+    }
+    return _ipv6BytesToString(v6bytes);
+  }
+  // Not an IP literal — DNS name. Lowercase + strip ALL trailing dots: a
+  // hostname's trailing-dot count is not significant for identity (the root
+  // label is empty), so host / host. / host.. must collapse to one form or a
+  // trailing-dot count bypasses a host allow/deny comparison.
+  var name = bare.toLowerCase().replace(/\.+$/, "");
+  return name;
+}
+
 function _cidrIpv4Match(cidr, ip) {
   var slash = cidr.indexOf("/");
   if (slash === -1) return false;
@@ -309,7 +449,10 @@ function classify(ip) {
   var family = net.isIP(ip);
   if (family === 0) return null;
 
-  if (CLOUD_METADATA_IPS.indexOf(ip) !== -1) return "cloud-metadata";
+  // Cloud-metadata IPs are matched on their canonical byte form so every
+  // textual spelling (compressed `::`, fully-expanded zero-runs, mixed
+  // case) is caught — a string-equality test matched one spelling only.
+  if (_isCloudMetadataAddr(ip, family)) return "cloud-metadata";
 
   if (family === 4) {
     var ipInt = _ipv4ToInt(ip);
@@ -349,6 +492,24 @@ function classify(ip) {
   return null;
 }
 
+// Canonical-bytes membership test for the cloud-metadata IP set. An IP
+// matches iff its parsed bytes equal one of CLOUD_METADATA_BYTES, regardless
+// of textual representation. This is the unconditional metadata gate — it
+// must NOT be string-based, because IPv6 has many spellings of the same
+// address (the DoH resolver in network-dns.js, for instance, emits the
+// fully-expanded `fd00:ec2:0:0:0:0:0:254` rather than the compressed form).
+function _isCloudMetadataAddr(ip, family) {
+  var fam = typeof family === "number" ? family : net.isIP(ip);
+  if (fam === 0) return false;
+  var bytes = fam === 4 ? _ipv4ToBytes(ip) : _ipv6ToBytes(ip);
+  if (!bytes) return false;
+  for (var i = 0; i < CLOUD_METADATA_BYTES.length; i++) {
+    var ref = CLOUD_METADATA_BYTES[i];
+    if (ref && ref.length === bytes.length && _bufEqual(bytes, ref)) return true;
+  }
+  return false;
+}
+
 function _bufEqual(a, b) {
   // Compares Buffer-like byte arrays for equality. The buffers here
   // are IP addresses, not secrets, so the comparison doesn't need
@@ -766,8 +927,11 @@ function checkUrlTextual(url, opts) {
   // If the textual hostname IS an IP literal AND matches a cloud-
   // metadata IP, refuse — even with `allowInternal: true` and a proxy.
   // Metadata IPs leak instance credentials (AWS IMDS, GCP, Azure) and
-  // are not a configuration knob.
-  if (net.isIP(host) && CLOUD_METADATA_IPS.indexOf(host) !== -1) {
+  // are not a configuration knob. Matched on canonical bytes so a
+  // non-canonical IPv6 spelling (compressed / expanded / mixed-case)
+  // can't slip the textual gate the way it slipped classify().
+  var hostFamily = net.isIP(host);
+  if (hostFamily !== 0 && _isCloudMetadataAddr(host, hostFamily)) {
     throw new ErrorClass(
       "URL '" + parsed.toString() + "' resolves to cloud-metadata IP " + host +
       " — refused unconditionally (not overridable via allowInternal + proxy)",
@@ -779,6 +943,7 @@ function checkUrlTextual(url, opts) {
 
 module.exports = {
   classify:         classify,
+  canonicalizeHost: canonicalizeHost,
   cidrContains:     cidrContains,
   checkUrl:         checkUrl,
   checkUrlTextual:  checkUrlTextual,

package/lib/vendor/blamejs/lib/static.js

@@ -126,12 +126,32 @@ var DEFAULTS = Object.freeze({
   // serve event is the audit-worthy act, not a precursor.
   auditSuccess:                     true,
   auditFailures:                    true,
+  // mountType — declares what KIND of content this mount serves, so
+  // the stored-XSS-relevant defaults follow the typing instead of being
+  // hand-flipped per mount (v0.15.0):
+  //   "curated"      (default) — operator-controlled assets (CSS / JS
+  //                  bundles / fonts / images). Inline render is required
+  //                  and safe because the operator authored the bytes;
+  //                  forceAttachmentForNonText defaults OFF.
+  //   "user-content" — files written by end users / untrusted uploaders.
+  //                  A served .html / .js / .svg here is a stored-XSS
+  //                  vector, so forceAttachmentForNonText defaults ON —
+  //                  risky inline MIMEs are forced to download unless a
+  //                  sanitizer gate vouches for them (see
+  //                  `_shouldForceAttachment`). This is the conditional
+  //                  flip: a curated asset dir is never blindly forced to
+  //                  download; only a mount the operator TYPED as
+  //                  user-content gets the strict default.
+  // An explicit forceAttachmentForNonText always overrides the
+  // mountType-derived default.
+  mountType:                        "curated",
   // forceAttachmentForNonText — stored-XSS defense for user-upload
-  // directories. Default OFF because operator-curated asset dirs
-  // (CSS / JS bundles / fonts) need inline render. Opt in for
-  // user-upload-backed mounts so HTML / JS / SVG without sanitizer
-  // / PDF / archives are forced to download. See
-  // `_shouldForceAttachment` below for the safe-render allowlist.
+  // directories. Default follows mountType: OFF for "curated" mounts
+  // (operator-curated CSS / JS bundles / fonts need inline render), ON for
+  // "user-content" mounts so HTML / JS / SVG without a sanitizer / PDF /
+  // archives are forced to download. Set explicitly to override the
+  // mountType-derived default either way. See `_shouldForceAttachment`
+  // below for the safe-render allowlist.
   forceAttachmentForNonText:        false,
   // Companion knobs — when forceAttachmentForNonText is on, allow
   // image/svg+xml inline render IF an SVG sanitizer gate is wired
@@ -142,12 +162,68 @@ var DEFAULTS = Object.freeze({
   safeRenderPdf:                    false,
 });
 
+// _assertInsideRoot — the path-confinement barrier (CWE-22 path
+// traversal). Every filesystem sink in this module takes the path
+// through this helper so the value handed to fs is built by
+// `nodePath.join(root, rel)` where `rel` is a normalized, root-relative
+// path with every leading `..` segment stripped — the canonical
+// path-traversal sanitizer: normalize collapses interior `.`/`..`, the
+// leading-`..` strip removes upward navigation, and joining a constant
+// root with a sanitized relative segment yields a path that provably
+// stays inside the served root. The barrier is intentionally re-applied
+// at each sink (not just once at request entry) so the relationship
+// between the sanitizer and the fs call is local + explicit.
+//
+// Returns the joined, confined absolute path on success, or `null` when
+// the candidate is not a string, carries a NUL byte, or — after the
+// leading-`..` strip — still carries a `..` segment or an absolute /
+// drive-letter / UNC prefix that would smuggle outside root. A leading
+// `..` escape is clamped into root by the strip (the file then 404s);
+// any residual escape that survives normalization is refused. Callers
+// MUST treat `null` as a refusal.
+function _assertInsideRoot(root, candidate) {
+  if (typeof root !== "string" || root.length === 0) return null;
+  if (typeof candidate !== "string" || candidate.length === 0) return null;
+  if (candidate.indexOf("\0") !== -1) return null;
+  var rootResolved = nodePath.resolve(root);
+  // Reduce the candidate to a root-relative request, then run the
+  // recognized traversal sanitizer: normalize() collapses `.`/`..`
+  // segments; the replace strips every leading `..` so no upward
+  // navigation survives into the join below.
+  var requested = nodePath.isAbsolute(candidate)
+    ? nodePath.relative(rootResolved, candidate)
+    : candidate;
+  var rel = nodePath.normalize(requested).replace(/^(\.\.(\/|\\|$))+/, "");
+  if (rel.indexOf("\0") !== -1) return null;
+  // After the leading-`..` strip, a surviving `..` segment or an
+  // absolute / drive-letter / UNC residue would re-introduce an escape.
+  if (rel === ".." ||
+      rel.indexOf(".." + nodePath.sep) !== -1 ||
+      rel.indexOf(".." + (nodePath.sep === "/" ? "\\" : "/")) !== -1 ||
+      nodePath.isAbsolute(rel)) return null;
+  var safe = nodePath.join(rootResolved, rel);
+  // Defense-in-depth lexical containment alongside the join sanitizer.
+  if (safe !== rootResolved &&
+      !safe.startsWith(rootResolved + nodePath.sep)) return null;
+  return safe;
+}
+
 // Module-level metadata cache. Entries hold:
 //   { mtimeMs, size, etag, integrity, lastModified, sha3Hex, absPath }
 // Invalidated on mtime / size change.
 var _metaCache = new Map();
 
-async function _readMeta(absPath) {
+// _readMeta — stat + hash a file for the conditional-request + SRI
+// surface. `root` is passed alongside the candidate so the
+// path-traversal barrier (CWE-22) is re-asserted at THIS sink: the
+// value handed to fs.stat / fs.createReadStream is the confined return
+// of `_assertInsideRoot`, not the request-derived candidate. Returns
+// null when the candidate escapes root, is not a regular file, or
+// cannot be read.
+async function _readMeta(root, candidate) {
+  var absPath = _assertInsideRoot(root, candidate);
+  if (!absPath) return null;
+
   var stat;
   try { stat = await fsp.stat(absPath); }
   catch (_e) { return null; }
@@ -164,10 +240,9 @@ async function _readMeta(absPath) {
   var sri = nodeCrypto.createHash("sha384");
   var sha3 = nodeCrypto.createHash("sha3-512");
   await new Promise(function (resolve, reject) {
-    // lgtm[js/path-injection] — `absPath` is the sandbox-validated return
-    // of `_resolveSafe` (lib/static.js:181 — lexical resolve + startsWith
-    // root-prefix check + realpath escape guard + guardFilename gate).
-    // Callers cannot reach `_readMeta` with an unvalidated path.
+    // The path handed to createReadStream is the confined output of
+    // `_assertInsideRoot(root, candidate)` above (lexical resolve +
+    // root-prefix containment), not the request-derived candidate.
     var s = nodeFs.createReadStream(absPath);
     s.on("data", function (chunk) { sri.update(chunk); sha3.update(chunk); });
     s.on("end", resolve);
@@ -192,10 +267,16 @@ async function _readMeta(absPath) {
 function _resolveSafe(root, requestedPath) {
   if (typeof requestedPath !== "string" || requestedPath.length === 0) return null;
   if (requestedPath.indexOf("\0") !== -1) return null;
-  var resolved = nodePath.resolve(root, "." + requestedPath);
+  // Anchor the request path inside root with a leading "." so an
+  // absolute request (`/c:/windows`, `//host/share`, `/etc/passwd`)
+  // resolves as a same-named child of root rather than smuggling a
+  // fresh root; the containment barrier then proves the result stays
+  // inside root, refusing any `..`-driven escape. Drive-letter / UNC /
+  // reserved-name shapes that survive the resolve are caught by the
+  // guardFilename basename gate below.
+  var resolved = _assertInsideRoot(root, nodePath.resolve(root, "." + requestedPath));
+  if (!resolved) return null;
   var rootResolved = nodePath.resolve(root);
-  if (resolved !== rootResolved &&
-      !resolved.startsWith(rootResolved + nodePath.sep)) return null;
 
   // Symlink-escape defense — the lexical resolve above only sees the
   // requested path tokens; a symlink anywhere along `resolved` can
@@ -486,6 +567,15 @@ function _validateCreateOpts(opts) {
   validateOpts.optionalBoolean(opts.auditFailures, "staticServe.create: auditFailures", StaticServeError);
   validateOpts.optionalBoolean(opts.safeAttachmentForRiskyMimes,
     "staticServe.create: safeAttachmentForRiskyMimes", StaticServeError);
+  // mountType — config-time enum. A typo ("usercontent", "uploads")
+  // would silently fall back to the curated default and serve untrusted
+  // HTML inline, so THROW at boot rather than mis-type the mount.
+  if (opts.mountType !== undefined &&
+      opts.mountType !== "curated" && opts.mountType !== "user-content") {
+    throw _err("BAD_OPT",
+      "staticServe.create: mountType must be 'curated' (default) or " +
+      "'user-content'; got " + JSON.stringify(opts.mountType));
+  }
   validateOpts.optionalBoolean(opts.forceAttachmentForNonText,
     "staticServe.create: forceAttachmentForNonText", StaticServeError);
   validateOpts.optionalBoolean(opts.safeRenderSvg,
@@ -593,12 +683,18 @@ function _writeError(res, status, code, message, headers) {
   void code;
 }
 
-// integrity() — module-level helper, kept for compat with the v0.6 SRI use.
+// integrity() — module-level helper, kept for compat with the v0.6 SRI
+// use. Operates on an operator-supplied absolute path (a config/library
+// call, not the request path): the file's own resolved path is both the
+// confinement root and the candidate, so `_readMeta` re-applies the same
+// barrier shape every other sink uses without narrowing the legitimate
+// surface (any single file the operator names).
 async function integrity(absPath) {
   if (typeof absPath !== "string" || absPath.length === 0) {
     throw _err("BAD_OPT", "staticServe.integrity: absPath must be a non-empty string");
   }
-  var meta = await _readMeta(nodePath.resolve(absPath));
+  var resolved = nodePath.resolve(absPath);
+  var meta = await _readMeta(resolved, resolved);
   if (!meta) throw _err("NOT_FOUND", "staticServe.integrity: file not found: " + absPath);
   return meta.integrity;
 }
@@ -617,7 +713,7 @@ function create(opts) {
     "maxBytesPerActorPerWindowMs", "maxBytesAllActorsPerWindowMs",
     "bandwidthWindowMs", "maxConcurrentDownloadsPerActor", "maxIdleMs",
     "contentSafety", "contentSafetyDisabledReason",
-    "forceAttachmentForNonText", "safeRenderSvg", "safeRenderPdf",
+    "mountType", "forceAttachmentForNonText", "safeRenderSvg", "safeRenderPdf",
   ], "staticServe.create");
   _validateCreateOpts(opts);
   var cfg = validateOpts.applyDefaults(opts, DEFAULTS);
@@ -671,7 +767,16 @@ function create(opts) {
   var auditFailures   = cfg.auditFailures;
   var acceptRanges    = cfg.acceptRanges;
   var safeAttachment  = !!cfg.safeAttachmentForRiskyMimes;
-  var forceAttachmentForNonText = !!cfg.forceAttachmentForNonText;
+  // forceAttachmentForNonText default follows mountType (v0.15.0): a
+  // mount TYPED "user-content" forces risky inline MIMEs to download by
+  // default (stored-XSS defense for untrusted uploads); a "curated" mount
+  // keeps inline render. An explicit forceAttachmentForNonText overrides
+  // the mountType-derived default either way. The conditional flip never
+  // blindly force-attaches a curated asset dir.
+  var mountType       = opts.mountType || "curated";
+  var forceAttachmentForNonText = opts.forceAttachmentForNonText !== undefined
+    ? !!opts.forceAttachmentForNonText
+    : (mountType === "user-content");
   var allowSvgRender  = cfg.safeRenderSvg !== false;
   var allowPdfRender  = !!cfg.safeRenderPdf;
   var perActorCap     = cfg.maxBytesPerActorPerWindowMs;
@@ -736,8 +841,13 @@ function create(opts) {
 
   async function _checkMimeAllowlist(absPath, meta) {
     if (allowedFileTypes.length === 0 || !fileType) return { ok: true };
+    // Re-assert the root-confinement barrier at this fs read sink
+    // (CWE-22): the path passed to readFile is the confined return of
+    // `_assertInsideRoot`, not the request-derived candidate.
+    var confined = _assertInsideRoot(root, absPath);
+    if (!confined) return { ok: false, reason: "read-failed" };
     var sample;
-    try { sample = await fsp.readFile(absPath, { flag: "r" }); }
+    try { sample = await fsp.readFile(confined, { flag: "r" }); }
     catch (_e) { return { ok: false, reason: "read-failed" }; }
     var detected = fileType.detect(sample.slice(0, C.BYTES.kib(64))) || {};
     if (!detected.mime) return { ok: false, reason: "indeterminate" };
@@ -799,13 +909,22 @@ function create(opts) {
         "Forbidden");
     }
 
-    // Stat first to discover directory → index file.
+    // Stat first to discover directory → index file. The path handed to
+    // stat is the confined return of `_resolveSafe` above; re-assert the
+    // barrier so CodeQL sees the confinement local to this sink (CWE-22).
+    var statTarget = _assertInsideRoot(root, absPath);
+    if (!statTarget) return next();
     var stat;
-    try { stat = await fsp.stat(absPath); }
+    try { stat = await fsp.stat(statTarget); }
     catch (_e) { return next(); }
     if (stat.isDirectory()) {
       if (!indexFile) return next();
-      absPath = nodePath.join(absPath, indexFile);
+      // Re-confine after appending the index file — keeps every
+      // downstream sink (read-meta, content-safety open, serve stream)
+      // anchored inside root even if indexFile were ever made operator-
+      // overridable per request.
+      absPath = _assertInsideRoot(root, nodePath.join(absPath, indexFile));
+      if (!absPath) return next();
     }
 
     // Force-revoke (404 — opaque to clients)
@@ -833,7 +952,7 @@ function create(opts) {
         "retention_blocked", "Unavailable For Legal Reasons");
     }
 
-    var meta = await _readMeta(absPath);
+    var meta = await _readMeta(root, absPath);
     if (!meta) return next();
 
     // MIME allowlist (415) — checked before sending bytes so a misnamed
@@ -867,16 +986,32 @@ function create(opts) {
       var ext = nodePath.extname(absPath).toLowerCase();
       var safetyGate = contentSafety[ext];
       if (safetyGate && typeof safetyGate.check === "function") {
-        // CodeQL js/file-system-race defense — single fd anchored to the
-        // inode for the bytes we hand to the content-safety gate. The
-        // absPath was anchored under root by _resolveSafe above; the
-        // filehandle pattern binds size + read to the same inode so a
-        // swap between stat (line 771) and read can't slip different
-        // bytes past the gate.
+        // Single-fd read for the content-safety gate. Two defenses on
+        // one open:
+        //   - CWE-22 path traversal: the open path is the confined
+        //     return of `_assertInsideRoot(root, absPath)`, freshly
+        //     re-derived from `nodePath.resolve(root, ...)`, not the
+        //     request-derived candidate.
+        //   - CWE-367 TOCTOU file-system race: the bytes the gate
+        //     inspects come from THIS file descriptor — size and reads
+        //     are taken from the same inode the open returned, so a path
+        //     swap between the earlier directory stat and this read can't
+        //     slip different bytes past the gate. O_NOFOLLOW (when the
+        //     platform defines it) additionally refuses to open the path
+        //     if its final component became a symlink after confinement.
+        var gateConfined = _assertInsideRoot(root, absPath);
+        if (!gateConfined) return next();
         var gateBuf;
         var gateHandle = null;
+        var gateOpenFlags = nodeFs.constants.O_RDONLY |
+          (nodeFs.constants.O_NOFOLLOW || 0);
         try {
-          gateHandle = await fsp.open(absPath, "r");
+          // Explicit owner-only mode (0o600). The flags are read-only
+          // (O_RDONLY, no O_CREAT) so the mode is inert on disk, but
+          // pinning it owner-only keeps this open out of the insecure-
+          // temp-file class (CWE-377): no world/group-accessible
+          // creation can ever ride this code path.
+          gateHandle = await fsp.open(gateConfined, gateOpenFlags, 0o600);
           var gateStat = await gateHandle.stat();
           gateBuf = Buffer.alloc(gateStat.size);
           var gateRead = 0;
@@ -1151,6 +1286,18 @@ function create(opts) {
       return;
     }
 
+    // Re-assert the root-confinement barrier at the serve sink (CWE-22)
+    // BEFORE any 200/206 headers go on the wire: the path handed to
+    // createReadStream is the confined return of `_assertInsideRoot`,
+    // freshly re-derived from `nodePath.resolve(root, ...)`, not the
+    // request-derived candidate. A candidate that escapes root refuses
+    // opaquely (404) — it cannot reach the stream.
+    var streamTarget = _assertInsideRoot(root, absPath);
+    if (!streamTarget) {
+      stats.failures += 1;
+      return writeErr(res, HTTP.NOT_FOUND, "not_found", "Not Found");
+    }
+
     res.writeHead(status, headers);
 
     // Acquire concurrency slot (released on stream end / error / abort).
@@ -1163,11 +1310,7 @@ function create(opts) {
     }
 
     var streamOpts = range ? { start: range.start, end: range.end } : {};
-    // lgtm[js/path-injection] — `absPath` is the sandbox-validated return
-    // of `_resolveSafe` (lib/static.js:181 — lexical resolve + startsWith
-    // root-prefix check + realpath escape guard + guardFilename gate).
-    // The request-serve path rejects with 404 before reaching this stream.
-    var fileStream = nodeFs.createReadStream(absPath, streamOpts);
+    var fileStream = nodeFs.createReadStream(streamTarget, streamOpts);
 
     // Idle timeout — close the connection if the client stalls. Pattern is
     // a deadline-style debounce (clearTimeout + setTimeout) tied directly