@blamejs/blamejs-shop 0.4.55 → 0.4.57
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/admin.js +385 -2
- package/lib/asset-manifest.json +1 -1
- package/lib/vendor/MANIFEST.json +426 -366
- package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
- package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
- package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
- package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
- package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
- package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
- package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
- package/lib/vendor/blamejs/CHANGELOG.md +2 -0
- package/lib/vendor/blamejs/api-snapshot.json +1381 -4
- package/lib/vendor/blamejs/eslint.config.mjs +1 -0
- package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
- package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
- package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
- package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
- package/lib/vendor/blamejs/index.js +2 -0
- package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
- package/lib/vendor/blamejs/lib/acme.js +6 -5
- package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
- package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
- package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
- package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
- package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
- package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
- package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
- package/lib/vendor/blamejs/lib/ai-input.js +2 -2
- package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
- package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
- package/lib/vendor/blamejs/lib/api-key.js +37 -28
- package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
- package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
- package/lib/vendor/blamejs/lib/archive-read.js +5 -17
- package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
- package/lib/vendor/blamejs/lib/archive.js +2 -10
- package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
- package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
- package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
- package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
- package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
- package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
- package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
- package/lib/vendor/blamejs/lib/audit.js +84 -0
- package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
- package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
- package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
- package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
- package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
- package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
- package/lib/vendor/blamejs/lib/auth/password.js +7 -1
- package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
- package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
- package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
- package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
- package/lib/vendor/blamejs/lib/backup/index.js +14 -47
- package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
- package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
- package/lib/vendor/blamejs/lib/cache.js +7 -18
- package/lib/vendor/blamejs/lib/cbor.js +2 -1
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
- package/lib/vendor/blamejs/lib/cert.js +3 -10
- package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
- package/lib/vendor/blamejs/lib/cli.js +5 -1
- package/lib/vendor/blamejs/lib/client-hints.js +7 -9
- package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
- package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
- package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
- package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
- package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
- package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
- package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
- package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
- package/lib/vendor/blamejs/lib/compliance.js +2 -9
- package/lib/vendor/blamejs/lib/config-drift.js +2 -12
- package/lib/vendor/blamejs/lib/content-digest.js +10 -8
- package/lib/vendor/blamejs/lib/cookies.js +5 -11
- package/lib/vendor/blamejs/lib/cose.js +19 -11
- package/lib/vendor/blamejs/lib/cra-report.js +1 -11
- package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
- package/lib/vendor/blamejs/lib/crypto.js +120 -3
- package/lib/vendor/blamejs/lib/csp.js +235 -3
- package/lib/vendor/blamejs/lib/daemon.js +42 -41
- package/lib/vendor/blamejs/lib/data-act.js +19 -9
- package/lib/vendor/blamejs/lib/db-query.js +6 -40
- package/lib/vendor/blamejs/lib/db.js +34 -12
- package/lib/vendor/blamejs/lib/dbsc.js +5 -6
- package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
- package/lib/vendor/blamejs/lib/deprecate.js +4 -5
- package/lib/vendor/blamejs/lib/did.js +6 -2
- package/lib/vendor/blamejs/lib/dsr.js +8 -12
- package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
- package/lib/vendor/blamejs/lib/external-db.js +14 -26
- package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
- package/lib/vendor/blamejs/lib/fdx.js +22 -18
- package/lib/vendor/blamejs/lib/file-upload.js +80 -66
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
- package/lib/vendor/blamejs/lib/framework-error.js +12 -0
- package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
- package/lib/vendor/blamejs/lib/fsm.js +7 -12
- package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
- package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
- package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
- package/lib/vendor/blamejs/lib/guard-all.js +1 -0
- package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
- package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
- package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
- package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
- package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
- package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
- package/lib/vendor/blamejs/lib/guard-email.js +46 -53
- package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
- package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
- package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
- package/lib/vendor/blamejs/lib/guard-html.js +65 -117
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
- package/lib/vendor/blamejs/lib/guard-image.js +280 -77
- package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
- package/lib/vendor/blamejs/lib/guard-json.js +87 -103
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
- package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
- package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
- package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
- package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
- package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
- package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
- package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
- package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
- package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
- package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
- package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
- package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
- package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
- package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
- package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
- package/lib/vendor/blamejs/lib/guard-template.js +23 -80
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
- package/lib/vendor/blamejs/lib/guard-text.js +592 -0
- package/lib/vendor/blamejs/lib/guard-time.js +27 -95
- package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
- package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
- package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
- package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
- package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
- package/lib/vendor/blamejs/lib/http-client.js +8 -21
- package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
- package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
- package/lib/vendor/blamejs/lib/i18n.js +83 -26
- package/lib/vendor/blamejs/lib/inbox.js +8 -8
- package/lib/vendor/blamejs/lib/incident-report.js +3 -21
- package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
- package/lib/vendor/blamejs/lib/jobs.js +3 -2
- package/lib/vendor/blamejs/lib/keychain.js +6 -18
- package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
- package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
- package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
- package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
- package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
- package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
- package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
- package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
- package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
- package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
- package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
- package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
- package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
- package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
- package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
- package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
- package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
- package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
- package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
- package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
- package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
- package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
- package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
- package/lib/vendor/blamejs/lib/mail-store.js +3 -2
- package/lib/vendor/blamejs/lib/mail.js +6 -11
- package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
- package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
- package/lib/vendor/blamejs/lib/mcp.js +1 -1
- package/lib/vendor/blamejs/lib/mdoc.js +11 -12
- package/lib/vendor/blamejs/lib/metrics.js +32 -30
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
- package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
- package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
- package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
- package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
- package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
- package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
- package/lib/vendor/blamejs/lib/migrations.js +4 -13
- package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
- package/lib/vendor/blamejs/lib/module-loader.js +44 -0
- package/lib/vendor/blamejs/lib/money.js +105 -0
- package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
- package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
- package/lib/vendor/blamejs/lib/network-dane.js +8 -6
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
- package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
- package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
- package/lib/vendor/blamejs/lib/network-tls.js +40 -42
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
- package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
- package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
- package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
- package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
- package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
- package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
- package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
- package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
- package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
- package/lib/vendor/blamejs/lib/observability.js +95 -0
- package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
- package/lib/vendor/blamejs/lib/otel-export.js +7 -10
- package/lib/vendor/blamejs/lib/outbox.js +43 -37
- package/lib/vendor/blamejs/lib/pagination.js +11 -15
- package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
- package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
- package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
- package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
- package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
- package/lib/vendor/blamejs/lib/pick.js +63 -5
- package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
- package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
- package/lib/vendor/blamejs/lib/problem-details.js +2 -5
- package/lib/vendor/blamejs/lib/pubsub.js +4 -8
- package/lib/vendor/blamejs/lib/redact.js +2 -1
- package/lib/vendor/blamejs/lib/render.js +4 -2
- package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
- package/lib/vendor/blamejs/lib/restore.js +5 -22
- package/lib/vendor/blamejs/lib/retention.js +3 -5
- package/lib/vendor/blamejs/lib/safe-async.js +457 -0
- package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
- package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
- package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
- package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
- package/lib/vendor/blamejs/lib/safe-json.js +7 -8
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
- package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
- package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
- package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
- package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
- package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
- package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
- package/lib/vendor/blamejs/lib/sandbox.js +3 -2
- package/lib/vendor/blamejs/lib/scheduler.js +5 -12
- package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
- package/lib/vendor/blamejs/lib/seeders.js +4 -11
- package/lib/vendor/blamejs/lib/self-update.js +92 -69
- package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
- package/lib/vendor/blamejs/lib/session.js +194 -6
- package/lib/vendor/blamejs/lib/sql.js +225 -78
- package/lib/vendor/blamejs/lib/sse.js +6 -10
- package/lib/vendor/blamejs/lib/static.js +136 -98
- package/lib/vendor/blamejs/lib/storage.js +4 -2
- package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
- package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
- package/lib/vendor/blamejs/lib/tsa.js +11 -15
- package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
- package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
- package/lib/vendor/blamejs/lib/vc.js +2 -7
- package/lib/vendor/blamejs/lib/vex.js +35 -13
- package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
- package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
- package/lib/vendor/blamejs/lib/webhook.js +43 -18
- package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
- package/lib/vendor/blamejs/lib/websocket.js +7 -3
- package/lib/vendor/blamejs/lib/worm.js +2 -3
- package/lib/vendor/blamejs/lib/ws-client.js +8 -10
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
- package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
- package/lib/vendor/blamejs/test/00-primitives.js +136 -7
- package/lib/vendor/blamejs/test/10-state.js +9 -3
- package/lib/vendor/blamejs/test/30-chain.js +40 -0
- package/lib/vendor/blamejs/test/helpers/check.js +18 -0
- package/lib/vendor/blamejs/test/helpers/db.js +4 -0
- package/lib/vendor/blamejs/test/helpers/index.js +1 -0
- package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
- package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
- package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
- package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
- package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
- package/lib/winback-campaigns.js +202 -42
- package/package.json +1 -1
|
@@ -107,10 +107,11 @@
|
|
|
107
107
|
*/
|
|
108
108
|
|
|
109
109
|
var codepointClass = require("./codepoint-class");
|
|
110
|
+
var markupTokenizer = require("./markup-tokenizer");
|
|
111
|
+
var markupEscape = require("./markup-escape").markupEscape;
|
|
110
112
|
var lazyRequire = require("./lazy-require");
|
|
111
113
|
var gateContract = require("./gate-contract");
|
|
112
114
|
var C = require("./constants");
|
|
113
|
-
var numericBounds = require("./numeric-bounds");
|
|
114
115
|
var safeUrl = require("./safe-url");
|
|
115
116
|
var { GuardSvgError } = require("./framework-error");
|
|
116
117
|
|
|
@@ -197,12 +198,10 @@ var URL_ATTRS = Object.freeze([
|
|
|
197
198
|
"background", "poster", "icon",
|
|
198
199
|
]);
|
|
199
200
|
|
|
200
|
-
var SAFE_SCHEMES =
|
|
201
|
+
var SAFE_SCHEMES = gateContract.SAFE_URL_SCHEMES;
|
|
201
202
|
|
|
202
|
-
|
|
203
|
-
|
|
204
|
-
"file", "mhtml", "jar", "intent", "view-source", "feed", "data",
|
|
205
|
-
]);
|
|
203
|
+
// Markup-attribute scheme denylist — the shared XSS / dangerous-resource set.
|
|
204
|
+
var DANGEROUS_SCHEMES = gateContract.DANGEROUS_URL_SCHEMES;
|
|
206
205
|
|
|
207
206
|
var CSS_DANGEROUS_PATTERNS = Object.freeze([
|
|
208
207
|
/expression\s*\(/i,
|
|
@@ -305,68 +304,14 @@ var PROFILES = Object.freeze({
|
|
|
305
304
|
},
|
|
306
305
|
});
|
|
307
306
|
|
|
308
|
-
var DEFAULTS =
|
|
309
|
-
mode: "enforce",
|
|
307
|
+
var DEFAULTS = gateContract.strictDefaults(PROFILES, {
|
|
310
308
|
maxRuntimeMs: C.TIME.seconds(30),
|
|
311
|
-
}));
|
|
312
|
-
|
|
313
|
-
var COMPLIANCE_POSTURES = Object.freeze({
|
|
314
|
-
"hipaa": {
|
|
315
|
-
allowedTags: STRICT_ALLOWED_TAGS,
|
|
316
|
-
bidiPolicy: "reject",
|
|
317
|
-
controlPolicy: "reject",
|
|
318
|
-
nullBytePolicy: "reject",
|
|
319
|
-
cssPolicy: "reject",
|
|
320
|
-
doctypePolicy: "reject",
|
|
321
|
-
allowExternalRefs: false,
|
|
322
|
-
allowAnimation: false,
|
|
323
|
-
forensicSnippetBytes: C.BYTES.bytes(256),
|
|
324
|
-
},
|
|
325
|
-
"pci-dss": {
|
|
326
|
-
allowedTags: STRICT_ALLOWED_TAGS,
|
|
327
|
-
bidiPolicy: "reject",
|
|
328
|
-
controlPolicy: "reject",
|
|
329
|
-
nullBytePolicy: "reject",
|
|
330
|
-
cssPolicy: "reject",
|
|
331
|
-
doctypePolicy: "reject",
|
|
332
|
-
allowExternalRefs: false,
|
|
333
|
-
allowAnimation: false,
|
|
334
|
-
urlSchemes: SAFE_SCHEMES,
|
|
335
|
-
forensicSnippetBytes: C.BYTES.bytes(256),
|
|
336
|
-
},
|
|
337
|
-
"gdpr": {
|
|
338
|
-
allowedTags: BALANCED_ALLOWED_TAGS,
|
|
339
|
-
bidiPolicy: "strip",
|
|
340
|
-
controlPolicy: "strip",
|
|
341
|
-
cssPolicy: "strip",
|
|
342
|
-
doctypePolicy: "reject",
|
|
343
|
-
allowAnimation: false,
|
|
344
|
-
forensicSnippetBytes: C.BYTES.bytes(128),
|
|
345
|
-
},
|
|
346
|
-
"soc2": {
|
|
347
|
-
allowedTags: STRICT_ALLOWED_TAGS,
|
|
348
|
-
bidiPolicy: "reject",
|
|
349
|
-
controlPolicy: "reject",
|
|
350
|
-
nullBytePolicy: "reject",
|
|
351
|
-
cssPolicy: "reject",
|
|
352
|
-
doctypePolicy: "reject",
|
|
353
|
-
allowExternalRefs: false,
|
|
354
|
-
allowAnimation: false,
|
|
355
|
-
forensicSnippetBytes: C.BYTES.bytes(512),
|
|
356
|
-
},
|
|
357
309
|
});
|
|
358
310
|
|
|
311
|
+
var COMPLIANCE_POSTURES = gateContract.compliancePostures(PROFILES, { base: 256 });
|
|
312
|
+
|
|
359
313
|
// ---- Internal helpers ----
|
|
360
314
|
|
|
361
|
-
function _resolveOpts(opts) {
|
|
362
|
-
return gateContract.resolveProfileAndPosture(opts, {
|
|
363
|
-
profiles: PROFILES,
|
|
364
|
-
compliancePostures: COMPLIANCE_POSTURES,
|
|
365
|
-
defaults: DEFAULTS,
|
|
366
|
-
errorClass: GuardSvgError,
|
|
367
|
-
errCodePrefix: "svg",
|
|
368
|
-
});
|
|
369
|
-
}
|
|
370
315
|
|
|
371
316
|
// HTML5 named-entity ASCII subset — same shape as guard-html.
|
|
372
317
|
// Browsers honor these inside URL contexts; without decoding them,
|
|
@@ -436,9 +381,10 @@ function _isSvgz(input) {
|
|
|
436
381
|
|
|
437
382
|
function _tokenize(input, maxBytes) {
|
|
438
383
|
var s = String(input || "");
|
|
439
|
-
|
|
384
|
+
var nb = Buffer.byteLength(s, "utf8");
|
|
385
|
+
if (nb > maxBytes) {
|
|
440
386
|
throw _err("svg.too-large",
|
|
441
|
-
"input " +
|
|
387
|
+
"input " + nb + " bytes exceeds maxBytes " + maxBytes);
|
|
442
388
|
}
|
|
443
389
|
var tokens = [];
|
|
444
390
|
var len = s.length;
|
|
@@ -508,28 +454,16 @@ function _tokenize(input, maxBytes) {
|
|
|
508
454
|
pos = endE; continue;
|
|
509
455
|
}
|
|
510
456
|
|
|
511
|
-
var pp = lt + 1;
|
|
512
|
-
var inQuote = "";
|
|
513
|
-
while (pp < len) {
|
|
514
|
-
var ch = s.charAt(pp);
|
|
515
|
-
if (inQuote) { if (ch === inQuote) inQuote = ""; }
|
|
516
|
-
else {
|
|
517
|
-
if (ch === '"' || ch === "'") inQuote = ch;
|
|
518
|
-
else if (ch === ">") break;
|
|
519
|
-
}
|
|
520
|
-
pp += 1;
|
|
521
|
-
}
|
|
457
|
+
var pp = markupTokenizer.scanToTagEnd(s, lt + 1, len);
|
|
522
458
|
var endT = pp < len ? pp + 1 : len;
|
|
523
459
|
var raw = s.slice(lt, endT);
|
|
524
460
|
var inner = raw.slice(1, raw.charAt(raw.length - 1) === ">" ? raw.length - 1 : raw.length);
|
|
525
461
|
var selfClosing = inner.endsWith("/");
|
|
526
462
|
if (selfClosing) inner = inner.slice(0, inner.length - 1);
|
|
527
463
|
|
|
528
|
-
var
|
|
529
|
-
var tagName =
|
|
530
|
-
var
|
|
531
|
-
|
|
532
|
-
var attrs = _parseAttrs(attrSrc);
|
|
464
|
+
var svgParts = markupTokenizer.splitTagNameAttrs(inner, /^([A-Za-z][A-Za-z0-9:_-]*)/);
|
|
465
|
+
var tagName = svgParts.tagName;
|
|
466
|
+
var attrs = _parseAttrs(svgParts.attrSrc);
|
|
533
467
|
tokens.push({
|
|
534
468
|
type: "tag", name: tagName, attrs: attrs,
|
|
535
469
|
raw: raw, start: lt, end: endT, selfClosing: selfClosing,
|
|
@@ -576,6 +510,10 @@ function _parseAttrs(src) {
|
|
|
576
510
|
// ---- Detection pass ----
|
|
577
511
|
|
|
578
512
|
function _detectIssues(input, opts) {
|
|
513
|
+
if (typeof input !== "string" && !Buffer.isBuffer(input)) {
|
|
514
|
+
return [{ kind: "bad-input", severity: "high",
|
|
515
|
+
snippet: "input is not string or Buffer" }];
|
|
516
|
+
}
|
|
579
517
|
if (_isSvgz(input)) {
|
|
580
518
|
return [{
|
|
581
519
|
kind: "svgz-compressed", severity: "critical", ruleId: "svg.svgz",
|
|
@@ -585,7 +523,7 @@ function _detectIssues(input, opts) {
|
|
|
585
523
|
}
|
|
586
524
|
|
|
587
525
|
var s = typeof input === "string" ? input : Buffer.from(input).toString("utf8");
|
|
588
|
-
var issues = codepointClass.detectCharThreats(s, opts, "svg");
|
|
526
|
+
var issues = codepointClass.detectCharThreats(s, opts, "svg", "warn");
|
|
589
527
|
|
|
590
528
|
var tokens;
|
|
591
529
|
try { tokens = _tokenize(s, opts.maxBytes); }
|
|
@@ -708,7 +646,7 @@ function _detectIssues(input, opts) {
|
|
|
708
646
|
for (var ai = 0; ai < attrs.length; ai += 1) {
|
|
709
647
|
var a = attrs[ai];
|
|
710
648
|
var an = a.name.toLowerCase();
|
|
711
|
-
if (a.value && a.value
|
|
649
|
+
if (a.value && Buffer.byteLength(a.value, "utf8") > opts.maxAttrValueBytes) {
|
|
712
650
|
issues.push({
|
|
713
651
|
kind: "attr-value-too-large", severity: "high",
|
|
714
652
|
ruleId: "svg.attr-size",
|
|
@@ -806,9 +744,10 @@ function _sanitize(input, opts) {
|
|
|
806
744
|
throw _err("svg.svgz", "compressed SVGZ payload — operator must ungzip before sanitize");
|
|
807
745
|
}
|
|
808
746
|
var s = typeof input === "string" ? input : Buffer.from(input).toString("utf8");
|
|
809
|
-
|
|
747
|
+
var nb = Buffer.byteLength(s, "utf8");
|
|
748
|
+
if (nb > opts.maxBytes) {
|
|
810
749
|
throw _err("svg.too-large",
|
|
811
|
-
"input " +
|
|
750
|
+
"input " + nb + " bytes exceeds maxBytes " + opts.maxBytes);
|
|
812
751
|
}
|
|
813
752
|
codepointClass.assertNoCharThreats(s, opts, _err, "svg");
|
|
814
753
|
|
|
@@ -873,7 +812,7 @@ function _sanitize(input, opts) {
|
|
|
873
812
|
var a = attrs[ai];
|
|
874
813
|
var an = a.name.toLowerCase();
|
|
875
814
|
if (EVENT_HANDLER_RE.test(an)) continue; // allow:regex-no-length-cap — `an` is a tokenized attribute name, bounded
|
|
876
|
-
if (a.value && a.value
|
|
815
|
+
if (a.value && Buffer.byteLength(a.value, "utf8") > opts.maxAttrValueBytes) continue;
|
|
877
816
|
if (URL_ATTRS.indexOf(an) !== -1) {
|
|
878
817
|
var scheme = _extractScheme(a.value);
|
|
879
818
|
var fragment = _isFragmentRef(a.value);
|
|
@@ -893,9 +832,7 @@ function _sanitize(input, opts) {
|
|
|
893
832
|
!fragment && !opts.allowExternalRefs) continue;
|
|
894
833
|
}
|
|
895
834
|
if (an === "style" && _isCssDangerous(a.value)) continue;
|
|
896
|
-
attrParts.push(an + "=\"" + a.value
|
|
897
|
-
.replace(/&/g, "&").replace(/</g, "<")
|
|
898
|
-
.replace(/>/g, ">").replace(/"/g, """) + "\"");
|
|
835
|
+
attrParts.push(an + "=\"" + markupEscape(a.value) + "\"");
|
|
899
836
|
}
|
|
900
837
|
var open = "<" + tok.name + (attrParts.length ? " " + attrParts.join(" ") : "") +
|
|
901
838
|
(tok.selfClosing ? "/>" : ">");
|
|
@@ -951,16 +888,12 @@ function _sanitize(input, opts) {
|
|
|
951
888
|
* clean.ok; // → true
|
|
952
889
|
* clean.issues.length; // → 0
|
|
953
890
|
*/
|
|
954
|
-
|
|
955
|
-
|
|
956
|
-
|
|
957
|
-
|
|
958
|
-
|
|
959
|
-
|
|
960
|
-
var bad = gateContract.badInputResultIfNotStringOrBuffer(input);
|
|
961
|
-
if (bad) return bad;
|
|
962
|
-
return gateContract.aggregateIssues(_detectIssues(input, opts));
|
|
963
|
-
}
|
|
891
|
+
// validate is assembled by gateContract.defineGuard from `detect`
|
|
892
|
+
// (_detectIssues) below — `validate(input, opts) = aggregateIssues(detect(
|
|
893
|
+
// input, resolveOpts(opts)))`, with the maxBytes/maxElementCount/maxUseDepth
|
|
894
|
+
// caps declared via `intOpts`. Non-string/non-Buffer input returns a single
|
|
895
|
+
// `svg.bad-input` issue from _detectIssues (never throws). The @primitive
|
|
896
|
+
// block above documents the resulting public ABI.
|
|
964
897
|
|
|
965
898
|
/**
|
|
966
899
|
* @primitive b.guardSvg.sanitize
|
|
@@ -1003,7 +936,7 @@ function validate(input, opts) {
|
|
|
1003
936
|
* /onload/.test(clean); // → false
|
|
1004
937
|
*/
|
|
1005
938
|
function sanitize(input, opts) {
|
|
1006
|
-
opts =
|
|
939
|
+
opts = _guard.resolveOpts(opts);
|
|
1007
940
|
if (typeof input !== "string" && !Buffer.isBuffer(input)) {
|
|
1008
941
|
throw _err("svg.bad-input", "sanitize requires string or Buffer input");
|
|
1009
942
|
}
|
|
@@ -1055,42 +988,57 @@ function sanitize(input, opts) {
|
|
|
1055
988
|
* });
|
|
1056
989
|
* refuse.action; // → "refuse"
|
|
1057
990
|
*/
|
|
1058
|
-
|
|
1059
|
-
|
|
1060
|
-
|
|
1061
|
-
|
|
1062
|
-
|
|
1063
|
-
|
|
1064
|
-
|
|
1065
|
-
|
|
1066
|
-
|
|
1067
|
-
|
|
1068
|
-
|
|
1069
|
-
|
|
1070
|
-
|
|
1071
|
-
|
|
1072
|
-
|
|
1073
|
-
|
|
1074
|
-
|
|
1075
|
-
|
|
1076
|
-
|
|
991
|
+
// Disposition of each svg finding = what the operator's policy for that class
|
|
992
|
+
// selected. CSS injection / DOCTYPE / CDATA / processing-instruction and the
|
|
993
|
+
// bidi / null / control char threats follow their policies (sanitize under
|
|
994
|
+
// `strip`, refuse under `reject`, audit under `audit`). The always-dangerous
|
|
995
|
+
// classes (dangerous / animation tag, event handler, animation target,
|
|
996
|
+
// dangerous URL scheme, external ref, entity declaration) refuse; a gzipped
|
|
997
|
+
// SVGZ payload refuses (it must never reach the text sanitizer); a
|
|
998
|
+
// non-allowlisted but benign tag / scheme sanitizes; structural caps and a
|
|
999
|
+
// tokenizer failure refuse. Exhaustive over every kind _detectIssues emits.
|
|
1000
|
+
function _gateDispositionFor(issue, opts) {
|
|
1001
|
+
var shared = gateContract.charThreatDisposition(issue, opts);
|
|
1002
|
+
if (shared) return shared;
|
|
1003
|
+
switch (issue.kind) {
|
|
1004
|
+
case "css-injection": return gateContract.policyDisposition(opts.cssPolicy);
|
|
1005
|
+
case "doctype": return gateContract.policyDisposition(opts.doctypePolicy);
|
|
1006
|
+
case "cdata": return gateContract.policyDisposition(opts.cdataPolicy);
|
|
1007
|
+
case "processing-instruction": return gateContract.policyDisposition(opts.processingInstrPolicy);
|
|
1008
|
+
case "non-allowlisted-tag":
|
|
1009
|
+
case "non-allowlisted-url-scheme": return "sanitize";
|
|
1010
|
+
case "svgz-compressed":
|
|
1011
|
+
case "entity-declaration":
|
|
1012
|
+
case "dangerous-tag":
|
|
1013
|
+
case "event-handler":
|
|
1014
|
+
case "animation-target":
|
|
1015
|
+
case "dangerous-url-scheme":
|
|
1016
|
+
case "external-ref": return "refuse";
|
|
1017
|
+
case "tokenize-failed":
|
|
1018
|
+
case "element-count-cap":
|
|
1019
|
+
case "attr-count-cap":
|
|
1020
|
+
case "use-depth-cap":
|
|
1021
|
+
case "attr-value-too-large":
|
|
1022
|
+
case "bad-input": return "refuse";
|
|
1023
|
+
default: return null;
|
|
1024
|
+
}
|
|
1025
|
+
}
|
|
1077
1026
|
|
|
1078
|
-
|
|
1079
|
-
|
|
1080
|
-
|
|
1081
|
-
|
|
1082
|
-
|
|
1083
|
-
|
|
1084
|
-
|
|
1085
|
-
|
|
1086
|
-
|
|
1087
|
-
|
|
1088
|
-
|
|
1089
|
-
|
|
1090
|
-
|
|
1091
|
-
|
|
1092
|
-
|
|
1093
|
-
});
|
|
1027
|
+
function gate(opts) {
|
|
1028
|
+
opts = _guard.resolveOpts(opts);
|
|
1029
|
+
return gateContract.buildContentGate({
|
|
1030
|
+
name: opts.name || "guardSvg:" + (opts.profile || "default"),
|
|
1031
|
+
opts: opts,
|
|
1032
|
+
validate: module.exports.validate,
|
|
1033
|
+
dispositionFor: _gateDispositionFor,
|
|
1034
|
+
// SVG reads the RAW bytes (SVGZ gzip detection needs the byte signature).
|
|
1035
|
+
// A gzipped SVGZ must not be fed to the text sanitizer → it is refuse-
|
|
1036
|
+
// disposition, and sanitizeBlockingKinds is a second backstop that skips
|
|
1037
|
+
// the sanitize attempt for it.
|
|
1038
|
+
ctxField: "bytes",
|
|
1039
|
+
sanitizeBlockingKinds: ["svgz-compressed"],
|
|
1040
|
+
produceSanitized: function (bytes, o) { return sanitize(bytes, o); },
|
|
1041
|
+
});
|
|
1094
1042
|
}
|
|
1095
1043
|
|
|
1096
1044
|
// buildProfile / compliancePosture / loadRulePack are assembled by
|
|
@@ -1114,10 +1062,15 @@ var INTEGRATION_FIXTURES = Object.freeze({
|
|
|
1114
1062
|
// Assembled from the gate-contract guard factory: error class, registry
|
|
1115
1063
|
// exports (NAME / KIND / MIME_TYPES / EXTENSIONS / INTEGRATION_FIXTURES),
|
|
1116
1064
|
// buildProfile / compliancePosture / loadRulePack wiring, plus the
|
|
1117
|
-
// per-guard inspection surface
|
|
1118
|
-
//
|
|
1119
|
-
//
|
|
1120
|
-
|
|
1065
|
+
// per-guard inspection surface and the SVG tag / scheme tables passed
|
|
1066
|
+
// through verbatim. `validate` is generated from `detect` (_detectIssues)
|
|
1067
|
+
// with the int caps declared via `intOpts`. The bespoke `sanitize` and
|
|
1068
|
+
// `gate` carry SVG's tag/attr strip-reserialize chain — which drops
|
|
1069
|
+
// dangerous tags rather than throwing on them — and the SVGZ refuse
|
|
1070
|
+
// unchanged; neither reduces to the dynamic
|
|
1071
|
+
// detect→throwOnRefusalSeverity→transform path (same-severity findings
|
|
1072
|
+
// split throw-vs-strip), so both stay bespoke.
|
|
1073
|
+
var _guard = module.exports = gateContract.defineGuard({
|
|
1121
1074
|
name: "svg",
|
|
1122
1075
|
kind: "content",
|
|
1123
1076
|
errorClass: GuardSvgError,
|
|
@@ -1127,10 +1080,12 @@ module.exports = gateContract.defineGuard({
|
|
|
1127
1080
|
mimeTypes: ["image/svg+xml"],
|
|
1128
1081
|
extensions: [".svg", ".svgz"],
|
|
1129
1082
|
integrationFixtures: INTEGRATION_FIXTURES,
|
|
1130
|
-
|
|
1083
|
+
detect: _detectIssues,
|
|
1084
|
+
intOpts: ["maxBytes", "maxElementCount", "maxUseDepth"],
|
|
1131
1085
|
sanitize: sanitize,
|
|
1132
1086
|
gate: gate,
|
|
1133
1087
|
extra: {
|
|
1088
|
+
_gateDispositionForTest: _gateDispositionFor,
|
|
1134
1089
|
DANGEROUS_TAGS: DANGEROUS_TAGS,
|
|
1135
1090
|
ANIMATION_TAGS: ANIMATION_TAGS,
|
|
1136
1091
|
ANIMATION_SAFE_TARGETS: ANIMATION_SAFE_TARGETS,
|
|
@@ -50,11 +50,9 @@
|
|
|
50
50
|
* Server-Side Template Injection (SSTI) content-safety guard — refuses user-supplied strings that contain template-engine syntax BEFORE they're rendered.
|
|
51
51
|
*/
|
|
52
52
|
|
|
53
|
-
var codepointClass = require("./codepoint-class");
|
|
54
53
|
var lazyRequire = require("./lazy-require");
|
|
55
54
|
var gateContract = require("./gate-contract");
|
|
56
55
|
var C = require("./constants");
|
|
57
|
-
var numericBounds = require("./numeric-bounds");
|
|
58
56
|
var { GuardTemplateError } = require("./framework-error");
|
|
59
57
|
|
|
60
58
|
var observability = lazyRequire(function () { return require("./observability"); });
|
|
@@ -74,10 +72,7 @@ var VELOCITY_DIR_RE = /#(?:set|if|else|elseif|end|foreach|parse|include|stop)\b/
|
|
|
74
72
|
|
|
75
73
|
var PROFILES = Object.freeze({
|
|
76
74
|
"strict": {
|
|
77
|
-
|
|
78
|
-
controlPolicy: "reject",
|
|
79
|
-
nullBytePolicy: "reject",
|
|
80
|
-
zeroWidthPolicy: "reject",
|
|
75
|
+
...gateContract.CHAR_THREATS_REJECT_ALL,
|
|
81
76
|
jinjaPolicy: "reject",
|
|
82
77
|
erbPolicy: "reject",
|
|
83
78
|
pugPolicy: "reject",
|
|
@@ -87,10 +82,7 @@ var PROFILES = Object.freeze({
|
|
|
87
82
|
maxRuntimeMs: C.TIME.seconds(2),
|
|
88
83
|
},
|
|
89
84
|
"balanced": {
|
|
90
|
-
|
|
91
|
-
controlPolicy: "reject",
|
|
92
|
-
nullBytePolicy: "reject",
|
|
93
|
-
zeroWidthPolicy: "reject",
|
|
85
|
+
...gateContract.CHAR_THREATS_REJECT_ALL,
|
|
94
86
|
jinjaPolicy: "reject", // SSTI class — refused at every profile
|
|
95
87
|
erbPolicy: "reject",
|
|
96
88
|
pugPolicy: "reject",
|
|
@@ -100,10 +92,7 @@ var PROFILES = Object.freeze({
|
|
|
100
92
|
maxRuntimeMs: C.TIME.seconds(2),
|
|
101
93
|
},
|
|
102
94
|
"permissive": {
|
|
103
|
-
|
|
104
|
-
controlPolicy: "reject", // controls refused at every profile
|
|
105
|
-
nullBytePolicy: "reject", // null refused at every profile
|
|
106
|
-
zeroWidthPolicy: "reject", // zero-width refused at every profile
|
|
95
|
+
...gateContract.CHAR_THREATS_REJECT_ALL,
|
|
107
96
|
jinjaPolicy: "reject", // SSTI class refused at every profile
|
|
108
97
|
erbPolicy: "reject", // SSTI class refused at every profile
|
|
109
98
|
pugPolicy: "reject", // SSTI class refused at every profile
|
|
@@ -114,51 +103,14 @@ var PROFILES = Object.freeze({
|
|
|
114
103
|
},
|
|
115
104
|
});
|
|
116
105
|
|
|
117
|
-
var DEFAULTS =
|
|
118
|
-
mode: "enforce",
|
|
119
|
-
}));
|
|
106
|
+
var DEFAULTS = gateContract.strictDefaults(PROFILES);
|
|
120
107
|
|
|
121
|
-
var COMPLIANCE_POSTURES =
|
|
122
|
-
"hipaa": Object.assign({}, PROFILES["strict"], {
|
|
123
|
-
forensicSnippetBytes: C.BYTES.bytes(512),
|
|
124
|
-
}),
|
|
125
|
-
"pci-dss": Object.assign({}, PROFILES["strict"], {
|
|
126
|
-
forensicSnippetBytes: C.BYTES.bytes(512),
|
|
127
|
-
}),
|
|
128
|
-
"gdpr": Object.assign({}, PROFILES["balanced"], {
|
|
129
|
-
forensicSnippetBytes: C.BYTES.bytes(256),
|
|
130
|
-
}),
|
|
131
|
-
"soc2": Object.assign({}, PROFILES["strict"], {
|
|
132
|
-
forensicSnippetBytes: C.BYTES.bytes(1024),
|
|
133
|
-
}),
|
|
134
|
-
});
|
|
135
|
-
|
|
136
|
-
function _resolveOpts(opts) {
|
|
137
|
-
return gateContract.resolveProfileAndPosture(opts, {
|
|
138
|
-
profiles: PROFILES,
|
|
139
|
-
compliancePostures: COMPLIANCE_POSTURES,
|
|
140
|
-
defaults: DEFAULTS,
|
|
141
|
-
errorClass: GuardTemplateError,
|
|
142
|
-
errCodePrefix: "template",
|
|
143
|
-
});
|
|
144
|
-
}
|
|
108
|
+
var COMPLIANCE_POSTURES = gateContract.compliancePostures(PROFILES, { base: 512 });
|
|
145
109
|
|
|
146
110
|
function _detectIssues(input, opts) {
|
|
147
|
-
var
|
|
148
|
-
if (
|
|
149
|
-
|
|
150
|
-
ruleId: "template.bad-input",
|
|
151
|
-
snippet: "template input is not a string" }];
|
|
152
|
-
}
|
|
153
|
-
if (input.length === 0) return [];
|
|
154
|
-
if (Buffer.byteLength(input, "utf8") > opts.maxBytes) {
|
|
155
|
-
return [{ kind: "input-cap", severity: "high",
|
|
156
|
-
ruleId: "template.input-cap",
|
|
157
|
-
snippet: "template input exceeds maxBytes " + opts.maxBytes }];
|
|
158
|
-
}
|
|
159
|
-
|
|
160
|
-
var charThreats = codepointClass.detectCharThreats(input, opts, "template");
|
|
161
|
-
for (var ci = 0; ci < charThreats.length; ci += 1) issues.push(charThreats[ci]);
|
|
111
|
+
var pre = gateContract.detectStringInput(input, opts, { name: "template", noun: "template input", emptyMode: "ok", cap: { bytes: opts.maxBytes, kind: "input-cap", snippet: "template input exceeds maxBytes " + opts.maxBytes } });
|
|
112
|
+
if (pre.done) return pre.issues;
|
|
113
|
+
var issues = pre.issues;
|
|
162
114
|
|
|
163
115
|
if (opts.jinjaPolicy !== "allow") {
|
|
164
116
|
if (JINJA_EXPR_RE.test(input)) { // allow:regex-no-length-cap — input bounded by maxBytes
|
|
@@ -258,13 +210,10 @@ function _detectIssues(input, opts) {
|
|
|
258
210
|
* hostile.ok; // → false
|
|
259
211
|
* hostile.issues.some(function (i) { return i.kind === "jinja-expression"; }); // → true
|
|
260
212
|
*/
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
"guardTemplate.validate", GuardTemplateError, "template.bad-opt");
|
|
266
|
-
return gateContract.aggregateIssues(_detectIssues(input, opts));
|
|
267
|
-
}
|
|
213
|
+
// validate is assembled by gateContract.defineGuard from `detect`
|
|
214
|
+
// (_detectIssues) below — `validate(input, opts) = aggregateIssues(detect(
|
|
215
|
+
// input, resolveOpts(opts)))`, with the maxBytes cap declared via `intOpts`.
|
|
216
|
+
// The @primitive block above documents the resulting public ABI.
|
|
268
217
|
|
|
269
218
|
/**
|
|
270
219
|
* @primitive b.guardTemplate.sanitize
|
|
@@ -305,13 +254,12 @@ function validate(input, opts) {
|
|
|
305
254
|
* e.code; // → "template.jinja-expression"
|
|
306
255
|
* }
|
|
307
256
|
*/
|
|
308
|
-
|
|
309
|
-
|
|
310
|
-
|
|
311
|
-
|
|
312
|
-
|
|
313
|
-
|
|
314
|
-
gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardTemplateError, codePrefix: "template" });
|
|
257
|
+
// _sanitizeTransform — the guard-specific normalize applied by defineGuard's
|
|
258
|
+
// generated sanitize AFTER resolve → detect → throw-on-refusal. Input is an
|
|
259
|
+
// already-validated string at this point (a non-string refuses upstream).
|
|
260
|
+
// Template input cannot be repaired safely, so the transform is pass-through:
|
|
261
|
+
// clean input is returned verbatim once no high/critical issue fired.
|
|
262
|
+
function _sanitizeTransform(input) {
|
|
315
263
|
return input;
|
|
316
264
|
}
|
|
317
265
|
|
|
@@ -323,14 +271,8 @@ function sanitize(input, opts) {
|
|
|
323
271
|
// @abiTemplate (defineGuard) blocks in gate-contract.js, instantiated per
|
|
324
272
|
// guard by the page generator.
|
|
325
273
|
|
|
326
|
-
|
|
327
|
-
|
|
328
|
-
benignBytes: Buffer.from("Hello world", "utf8"),
|
|
329
|
-
hostileBytes: Buffer.from("Hello {{7*7}}", "utf8"),
|
|
330
|
-
benignIdentifier: "Hello world",
|
|
331
|
-
// Hostile: Jinja-shape SSTI probe.
|
|
332
|
-
hostileIdentifier: "Hello {{7*7}}",
|
|
333
|
-
});
|
|
274
|
+
// Hostile: Jinja-shape SSTI probe.
|
|
275
|
+
var INTEGRATION_FIXTURES = gateContract.identifierFixtures("Hello world", "Hello {{7*7}}");
|
|
334
276
|
|
|
335
277
|
// Assembled from the gate-contract guard factory: error class, registry
|
|
336
278
|
// exports (NAME / KIND / INTEGRATION_FIXTURES), the default gate, buildProfile
|
|
@@ -347,7 +289,8 @@ module.exports = gateContract.defineGuard({
|
|
|
347
289
|
defaults: DEFAULTS,
|
|
348
290
|
postures: COMPLIANCE_POSTURES,
|
|
349
291
|
integrationFixtures: INTEGRATION_FIXTURES,
|
|
350
|
-
|
|
351
|
-
|
|
292
|
+
detect: _detectIssues,
|
|
293
|
+
sanitizeTransform: _sanitizeTransform,
|
|
294
|
+
intOpts: ["maxBytes"],
|
|
352
295
|
ctxFields: ["identifier", "text"],
|
|
353
296
|
});
|
|
@@ -24,6 +24,7 @@
|
|
|
24
24
|
|
|
25
25
|
var { defineClass } = require("./framework-error");
|
|
26
26
|
var gateContract = require("./gate-contract");
|
|
27
|
+
var codepointClass = require("./codepoint-class");
|
|
27
28
|
|
|
28
29
|
var GuardTenantIdError = defineClass("GuardTenantIdError", { alwaysPermanent: true });
|
|
29
30
|
|
|
@@ -93,7 +94,7 @@ function validate(tenantId, opts) {
|
|
|
93
94
|
throw new GuardTenantIdError("tenant-id/non-ascii",
|
|
94
95
|
"guardTenantId.validate: non-ASCII codepoint at offset " + i);
|
|
95
96
|
}
|
|
96
|
-
if (c
|
|
97
|
+
if (codepointClass.isForbiddenControlChar(c, { forbidTab: true }) || c === 0x2F || c === 0x5C) { // C0/DEL/slash/backslash
|
|
97
98
|
throw new GuardTenantIdError("tenant-id/bad-char",
|
|
98
99
|
"guardTenantId.validate: forbidden char 0x" + c.toString(16) + " at offset " + i);
|
|
99
100
|
}
|