@blamejs/blamejs-shop 0.4.42 → 0.4.43

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.43 (2026-06-13) — **Harden input handling: linear-time pattern matching on caller-influenced strings, complete escaping, and redacted edge-bridge error responses.** A set of input-handling hardening fixes. Several internal pattern matches that run on caller-influenced strings used regular expressions whose shape could be driven into super-linear (polynomial) backtracking by a long run of a single character — a denial-of-service shape. These are rewritten to linear-time equivalents that accept and reject exactly the same inputs: the email-shape guard in the analytics and clickstream PII filters, a whitespace trim in the captcha gate, and the trailing-slash trim on the D1 and R2 bridge URLs. A JSON-escape helper in the catalog draft path now escapes backslashes as well as quotes so a crafted value can't smuggle an escape. And the edge worker's database- and storage-bridge error responses no longer return internal error detail to the caller — the detail is logged at the edge and the client receives only a generic failure code. No migration to apply. **Security:** *Pattern matching on caller-influenced input is now linear-time* — The email-shape detector used by the analytics and clickstream PII guards, the whitespace trim in the captcha gate, and the trailing-slash trim applied to the D1 and R2 bridge URLs were regular expressions whose backtracking could grow polynomially with the input length — a long run of one character could pin a request thread. Each is replaced with a linear-time form (a bounded, unambiguous regex; a native trim; a small character loop) proven to accept and reject the identical set of inputs, so the same values still pass and fail while a crafted long input can no longer cause super-linear work. · *Edge bridge errors no longer leak internal detail* — The Cloudflare Worker's database-bridge and storage-bridge endpoints returned the underlying error message in their 500 responses. They now return only a generic failure code to the caller and log the (redacted) detail at the edge, so an internal error string or stack fragment is never exposed in a response body. · *Complete escaping in the catalog draft lookup* — The catalog draft path builds a JSON-fragment match string from a SKU; its escape step now escapes backslashes before quotes, so the escaping is complete and a value containing a backslash cannot break out of the quoted fragment.
+
 - v0.4.42 (2026-06-13) — **A return refund is now recorded against the order, so it can't be paid out a second time from the order console.** Issuing a provider refund for a return moved the money but never recorded it against the order, so order.refundedTotalMinor didn't count it. The order console's refund caps each refund at the order's remaining un-refunded balance — but with the return refund invisible to that balance, an operator could refund the full order total a second time from the order screen, paying the customer back twice. A return's provider refund now writes to the order's refund ledger, stamped with the provider refund id so the entry collapses with the payment provider's own refund webhook — whether the console or the webhook records it first, the same refund is counted exactly once. The order's move to a fully-refunded state and the gift-card / loyalty reversals remain driven by the refund webhook, as before. No migration to apply. **Fixed:** *A return refund now counts against the order's refunded total* — When the returns console issues a provider refund, the amount is now recorded against the order through the same deduplicating ledger path a partial console refund uses, stamped with the provider refund id. Previously the money moved but the order's refunded total never saw it, so the order console's over-refund cap — which limits a refund to the order's remaining balance — could be cleared again and pay the customer back a second time. Keying the entry on the provider refund id makes it idempotent against the provider's refund webhook: whichever path records first, a refund mirrored by both is counted exactly once. The order's terminal refunded state and the gift-card / loyalty reversals stay driven by the refund webhook.
 
 - v0.4.41 (2026-06-13) — **Subscription billing no longer double-charges on a retried period close or a concurrent immediate plan change.** Two billing paths could invoice the same charge twice. A metered-usage period close is cron-driven and at-least-once, but it enqueued its roll-up invoice with no idempotency key, so a retried tick — a transient error mid-run, an at-least-once redelivery, or an operator re-running the close — wrote a second invoice for the same period and billed the customer twice. And an immediate plan change recorded its proration adjustment after a guard that only blocked a queued (pending) change, so two concurrent immediate executions both transitioned the subscription and both recorded the proration. The period close now stamps a deterministic per-period idempotency key so a replay returns the existing invoice, and the immediate plan change now transitions the subscription with a conditional update so only the one call that actually moves the plan records the proration. No migration to apply. **Fixed:** *A retried metered-usage period close no longer bills the period twice* — Rolling a usage period into an invoice now carries a deterministic idempotency key derived from the subscription, period window, and currency. A period close that runs more than once — a cron retry, an at-least-once redelivery, or a manual re-run — now returns the invoice already recorded for that period instead of enqueuing a duplicate, so the customer is billed for the period exactly once. · *Concurrent immediate plan changes charge proration once* — Executing an immediate plan change now transitions the subscription with a conditional update keyed on the current plan, and records the proration adjustment only when that update actually moves the plan. The prior guard only refused a queued change, so two immediate executions racing the same change — a double-submit or a retry — could both apply the transition and both record the proration. Now only the one call that wins the transition charges it.

package/lib/analytics.js

@@ -182,7 +182,10 @@ function _resolveEventWindow(opts) {
 // side (we'd rather reject a borderline string than ingest a real
 // address) and uses the same dotted-quad / hextet shapes the
 // vendored zod schemas exercise.
-var RAW_EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
+// Each quantifier is bounded so a long run of non-@ characters can't drive
+// backtracking: one char before the @, then a non-empty local part, then a
+// lazy bridge to the first dot that is followed by another non-@ character.
+var RAW_EMAIL_RE = /[^\s@]@[^\s@][^\s@]*?\.[^\s@]/;
 // IPv4 dotted-quad or IPv6 with at least one colon-delimited
 // hextet. The IPv6 shape catches the common forms ("::1",
 // "2001:db8::1", full eight-group) without trying to be RFC-precise

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.42",
+  "version": "0.4.43",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",

package/lib/captcha-gate.js

@@ -236,7 +236,7 @@ function _secretKeyRaw(s) {
   }
   // Normalize trailing whitespace before length-checking so a paste
   // with a stray newline doesn't trip the length gate.
-  var trimmed = s.replace(/^\s+|\s+$/g, "");
+  var trimmed = s.trim();
   if (!trimmed.length) {
     throw new TypeError("captchaGate: secret_key must contain non-whitespace");
   }

package/lib/catalog-drafts.js

@@ -1535,7 +1535,7 @@ function create(opts) {
     // every sku field is stored as `"sku":"<value>"` so the LIKE
     // pattern is unambiguous (no false matches against a product_slug
     // that happens to share the substring).
-    var needle = '"sku":"' + sku.replace(/"/g, '\\"') + '"';
+    var needle = '"sku":"' + sku.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
     var r = await query(
       "SELECT c.*, d.title AS draft_title, d.status AS draft_status, " +
       "       d.published_at AS draft_published_at, d.rolled_back_at AS draft_rolled_back_at " +

package/lib/clickstream.js

@@ -128,7 +128,10 @@ var DEFAULT_WINDOW_MS   = C.TIME.days(30);
 // guard). A hashed identifier is hex / base64url and never trips
 // these shapes, so the gate is a one-way "operator handed us raw
 // PII" detector.
-var RAW_EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
+// Each quantifier is bounded so a long run of non-@ characters can't drive
+// backtracking: one char before the @, then a non-empty local part, then a
+// lazy bridge to the first dot that is followed by another non-@ character.
+var RAW_EMAIL_RE = /[^\s@]@[^\s@][^\s@]*?\.[^\s@]/;
 var RAW_IPV4_RE  = /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/;
 var RAW_IPV6_RE  = /(?:[0-9a-fA-F]{1,4}:){2,}[0-9a-fA-F]{0,4}/;
 

package/lib/externaldb-d1.js

@@ -165,7 +165,11 @@ function _httpErr(status, label) {
 // ---- mode: service-binding -----------------------------------------------
 
 function _serviceBindingQuery(opts) {
-  var url = opts.bridgeUrl.replace(/\/+$/, "") + (opts.bridgePath || DEFAULT_BRIDGE_PATH);
+  // Trailing-slash trim as a loop, not `/\/+$/` — the regex shape is
+  // superlinear on long runs of '/' and this value is library input.
+  var base = opts.bridgeUrl;
+  while (base.charCodeAt(base.length - 1) === 47) base = base.slice(0, -1);
+  var url = base + (opts.bridgePath || DEFAULT_BRIDGE_PATH);
   var secret = opts.bridgeSecret;
   var fetchImpl = opts.fetch || globalThis.fetch;
   var timeoutMs = opts.timeoutMs || DEFAULT_TIMEOUT_MS;

package/lib/r2-bridge.js

@@ -97,7 +97,11 @@ function _httpErr(status, label) {
 
 function create(opts) {
   _validateOpts(opts);
-  var url        = opts.bridgeUrl.replace(/\/+$/, "") + (opts.bridgePath || DEFAULT_BRIDGE_PATH);
+  // Trailing-slash trim as a loop, not `/\/+$/` — the regex shape is
+  // superlinear on long runs of '/' and this value is library input.
+  var base = opts.bridgeUrl;
+  while (base.charCodeAt(base.length - 1) === 47) base = base.slice(0, -1);
+  var url        = base + (opts.bridgePath || DEFAULT_BRIDGE_PATH);
   var secret     = opts.bridgeSecret;
   var timeoutMs  = opts.timeoutMs || DEFAULT_TIMEOUT_MS;
   var httpClient = opts.httpClient || b.httpClient;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.42",
+  "version": "0.4.43",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {