@blamejs/blamejs-shop 0.4.56 → 0.4.57
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +2 -0
- package/lib/asset-manifest.json +1 -1
- package/lib/vendor/MANIFEST.json +426 -366
- package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
- package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
- package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
- package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
- package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
- package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
- package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
- package/lib/vendor/blamejs/CHANGELOG.md +2 -0
- package/lib/vendor/blamejs/api-snapshot.json +1381 -4
- package/lib/vendor/blamejs/eslint.config.mjs +1 -0
- package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
- package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
- package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
- package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
- package/lib/vendor/blamejs/index.js +2 -0
- package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
- package/lib/vendor/blamejs/lib/acme.js +6 -5
- package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
- package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
- package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
- package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
- package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
- package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
- package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
- package/lib/vendor/blamejs/lib/ai-input.js +2 -2
- package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
- package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
- package/lib/vendor/blamejs/lib/api-key.js +37 -28
- package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
- package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
- package/lib/vendor/blamejs/lib/archive-read.js +5 -17
- package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
- package/lib/vendor/blamejs/lib/archive.js +2 -10
- package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
- package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
- package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
- package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
- package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
- package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
- package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
- package/lib/vendor/blamejs/lib/audit.js +84 -0
- package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
- package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
- package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
- package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
- package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
- package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
- package/lib/vendor/blamejs/lib/auth/password.js +7 -1
- package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
- package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
- package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
- package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
- package/lib/vendor/blamejs/lib/backup/index.js +14 -47
- package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
- package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
- package/lib/vendor/blamejs/lib/cache.js +7 -18
- package/lib/vendor/blamejs/lib/cbor.js +2 -1
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
- package/lib/vendor/blamejs/lib/cert.js +3 -10
- package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
- package/lib/vendor/blamejs/lib/cli.js +5 -1
- package/lib/vendor/blamejs/lib/client-hints.js +7 -9
- package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
- package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
- package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
- package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
- package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
- package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
- package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
- package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
- package/lib/vendor/blamejs/lib/compliance.js +2 -9
- package/lib/vendor/blamejs/lib/config-drift.js +2 -12
- package/lib/vendor/blamejs/lib/content-digest.js +10 -8
- package/lib/vendor/blamejs/lib/cookies.js +5 -11
- package/lib/vendor/blamejs/lib/cose.js +19 -11
- package/lib/vendor/blamejs/lib/cra-report.js +1 -11
- package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
- package/lib/vendor/blamejs/lib/crypto.js +120 -3
- package/lib/vendor/blamejs/lib/csp.js +235 -3
- package/lib/vendor/blamejs/lib/daemon.js +42 -41
- package/lib/vendor/blamejs/lib/data-act.js +19 -9
- package/lib/vendor/blamejs/lib/db-query.js +6 -40
- package/lib/vendor/blamejs/lib/db.js +34 -12
- package/lib/vendor/blamejs/lib/dbsc.js +5 -6
- package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
- package/lib/vendor/blamejs/lib/deprecate.js +4 -5
- package/lib/vendor/blamejs/lib/did.js +6 -2
- package/lib/vendor/blamejs/lib/dsr.js +8 -12
- package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
- package/lib/vendor/blamejs/lib/external-db.js +14 -26
- package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
- package/lib/vendor/blamejs/lib/fdx.js +22 -18
- package/lib/vendor/blamejs/lib/file-upload.js +80 -66
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
- package/lib/vendor/blamejs/lib/framework-error.js +12 -0
- package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
- package/lib/vendor/blamejs/lib/fsm.js +7 -12
- package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
- package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
- package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
- package/lib/vendor/blamejs/lib/guard-all.js +1 -0
- package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
- package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
- package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
- package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
- package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
- package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
- package/lib/vendor/blamejs/lib/guard-email.js +46 -53
- package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
- package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
- package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
- package/lib/vendor/blamejs/lib/guard-html.js +65 -117
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
- package/lib/vendor/blamejs/lib/guard-image.js +280 -77
- package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
- package/lib/vendor/blamejs/lib/guard-json.js +87 -103
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
- package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
- package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
- package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
- package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
- package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
- package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
- package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
- package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
- package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
- package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
- package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
- package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
- package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
- package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
- package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
- package/lib/vendor/blamejs/lib/guard-template.js +23 -80
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
- package/lib/vendor/blamejs/lib/guard-text.js +592 -0
- package/lib/vendor/blamejs/lib/guard-time.js +27 -95
- package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
- package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
- package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
- package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
- package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
- package/lib/vendor/blamejs/lib/http-client.js +8 -21
- package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
- package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
- package/lib/vendor/blamejs/lib/i18n.js +83 -26
- package/lib/vendor/blamejs/lib/inbox.js +8 -8
- package/lib/vendor/blamejs/lib/incident-report.js +3 -21
- package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
- package/lib/vendor/blamejs/lib/jobs.js +3 -2
- package/lib/vendor/blamejs/lib/keychain.js +6 -18
- package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
- package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
- package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
- package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
- package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
- package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
- package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
- package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
- package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
- package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
- package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
- package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
- package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
- package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
- package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
- package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
- package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
- package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
- package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
- package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
- package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
- package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
- package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
- package/lib/vendor/blamejs/lib/mail-store.js +3 -2
- package/lib/vendor/blamejs/lib/mail.js +6 -11
- package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
- package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
- package/lib/vendor/blamejs/lib/mcp.js +1 -1
- package/lib/vendor/blamejs/lib/mdoc.js +11 -12
- package/lib/vendor/blamejs/lib/metrics.js +32 -30
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
- package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
- package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
- package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
- package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
- package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
- package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
- package/lib/vendor/blamejs/lib/migrations.js +4 -13
- package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
- package/lib/vendor/blamejs/lib/module-loader.js +44 -0
- package/lib/vendor/blamejs/lib/money.js +105 -0
- package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
- package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
- package/lib/vendor/blamejs/lib/network-dane.js +8 -6
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
- package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
- package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
- package/lib/vendor/blamejs/lib/network-tls.js +40 -42
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
- package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
- package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
- package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
- package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
- package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
- package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
- package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
- package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
- package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
- package/lib/vendor/blamejs/lib/observability.js +95 -0
- package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
- package/lib/vendor/blamejs/lib/otel-export.js +7 -10
- package/lib/vendor/blamejs/lib/outbox.js +43 -37
- package/lib/vendor/blamejs/lib/pagination.js +11 -15
- package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
- package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
- package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
- package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
- package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
- package/lib/vendor/blamejs/lib/pick.js +63 -5
- package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
- package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
- package/lib/vendor/blamejs/lib/problem-details.js +2 -5
- package/lib/vendor/blamejs/lib/pubsub.js +4 -8
- package/lib/vendor/blamejs/lib/redact.js +2 -1
- package/lib/vendor/blamejs/lib/render.js +4 -2
- package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
- package/lib/vendor/blamejs/lib/restore.js +5 -22
- package/lib/vendor/blamejs/lib/retention.js +3 -5
- package/lib/vendor/blamejs/lib/safe-async.js +457 -0
- package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
- package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
- package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
- package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
- package/lib/vendor/blamejs/lib/safe-json.js +7 -8
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
- package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
- package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
- package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
- package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
- package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
- package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
- package/lib/vendor/blamejs/lib/sandbox.js +3 -2
- package/lib/vendor/blamejs/lib/scheduler.js +5 -12
- package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
- package/lib/vendor/blamejs/lib/seeders.js +4 -11
- package/lib/vendor/blamejs/lib/self-update.js +92 -69
- package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
- package/lib/vendor/blamejs/lib/session.js +194 -6
- package/lib/vendor/blamejs/lib/sql.js +225 -78
- package/lib/vendor/blamejs/lib/sse.js +6 -10
- package/lib/vendor/blamejs/lib/static.js +136 -98
- package/lib/vendor/blamejs/lib/storage.js +4 -2
- package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
- package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
- package/lib/vendor/blamejs/lib/tsa.js +11 -15
- package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
- package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
- package/lib/vendor/blamejs/lib/vc.js +2 -7
- package/lib/vendor/blamejs/lib/vex.js +35 -13
- package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
- package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
- package/lib/vendor/blamejs/lib/webhook.js +43 -18
- package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
- package/lib/vendor/blamejs/lib/websocket.js +7 -3
- package/lib/vendor/blamejs/lib/worm.js +2 -3
- package/lib/vendor/blamejs/lib/ws-client.js +8 -10
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
- package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
- package/lib/vendor/blamejs/test/00-primitives.js +136 -7
- package/lib/vendor/blamejs/test/10-state.js +9 -3
- package/lib/vendor/blamejs/test/30-chain.js +40 -0
- package/lib/vendor/blamejs/test/helpers/check.js +18 -0
- package/lib/vendor/blamejs/test/helpers/db.js +4 -0
- package/lib/vendor/blamejs/test/helpers/index.js +1 -0
- package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
- package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
- package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
- package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
- package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
- package/package.json +1 -1
|
@@ -33,11 +33,15 @@
|
|
|
33
33
|
* (e.g. JPEG marker followed by an embedded ZIP central directory) —
|
|
34
34
|
* refused at every profile.
|
|
35
35
|
*
|
|
36
|
-
* EXIF / XMP metadata strip:
|
|
37
|
-
*
|
|
38
|
-
*
|
|
39
|
-
*
|
|
40
|
-
*
|
|
36
|
+
* EXIF / XMP / IPTC metadata strip: `sanitize` removes the metadata
|
|
37
|
+
* segments in-framework by walking the container framing (JPEG APPn/COM
|
|
38
|
+
* markers, PNG ancillary text chunks, GIF comment/application extensions,
|
|
39
|
+
* WebP EXIF/XMP RIFF chunks) — the privacy-leak and metadata-stego surface,
|
|
40
|
+
* stripped without a vendored decoder. Pixel transcoding / dimension
|
|
41
|
+
* downscale still belong to the operator's decoder (sharp's
|
|
42
|
+
* `withMetadata: false`, libvips `metadata-strip`); formats whose metadata
|
|
43
|
+
* lives in an offset-based structure (TIFF / HEIC / AVIF) are refused rather
|
|
44
|
+
* than passed through.
|
|
41
45
|
*
|
|
42
46
|
* SVG routing: bytes that match the SVG magic are refused under every
|
|
43
47
|
* profile — operators must route SVG explicitly to `b.guardSvg`
|
|
@@ -60,9 +64,9 @@
|
|
|
60
64
|
*/
|
|
61
65
|
|
|
62
66
|
var lazyRequire = require("./lazy-require");
|
|
67
|
+
var safeBuffer = require("./safe-buffer");
|
|
63
68
|
var gateContract = require("./gate-contract");
|
|
64
69
|
var C = require("./constants");
|
|
65
|
-
var numericBounds = require("./numeric-bounds");
|
|
66
70
|
var { GuardImageError } = require("./framework-error");
|
|
67
71
|
|
|
68
72
|
var observability = lazyRequire(function () { return require("./observability"); });
|
|
@@ -143,34 +147,9 @@ var PROFILES = Object.freeze({
|
|
|
143
147
|
},
|
|
144
148
|
});
|
|
145
149
|
|
|
146
|
-
var DEFAULTS =
|
|
147
|
-
mode: "enforce",
|
|
148
|
-
}));
|
|
149
|
-
|
|
150
|
-
var COMPLIANCE_POSTURES = Object.freeze({
|
|
151
|
-
"hipaa": Object.assign({}, PROFILES["strict"], {
|
|
152
|
-
forensicSnippetBytes: C.BYTES.bytes(256),
|
|
153
|
-
}),
|
|
154
|
-
"pci-dss": Object.assign({}, PROFILES["strict"], {
|
|
155
|
-
forensicSnippetBytes: C.BYTES.bytes(256),
|
|
156
|
-
}),
|
|
157
|
-
"gdpr": Object.assign({}, PROFILES["balanced"], {
|
|
158
|
-
forensicSnippetBytes: C.BYTES.bytes(128),
|
|
159
|
-
}),
|
|
160
|
-
"soc2": Object.assign({}, PROFILES["strict"], {
|
|
161
|
-
forensicSnippetBytes: C.BYTES.bytes(512),
|
|
162
|
-
}),
|
|
163
|
-
});
|
|
150
|
+
var DEFAULTS = gateContract.strictDefaults(PROFILES);
|
|
164
151
|
|
|
165
|
-
|
|
166
|
-
return gateContract.resolveProfileAndPosture(opts, {
|
|
167
|
-
profiles: PROFILES,
|
|
168
|
-
compliancePostures: COMPLIANCE_POSTURES,
|
|
169
|
-
defaults: DEFAULTS,
|
|
170
|
-
errorClass: GuardImageError,
|
|
171
|
-
errCodePrefix: "image",
|
|
172
|
-
});
|
|
173
|
-
}
|
|
152
|
+
var COMPLIANCE_POSTURES = gateContract.compliancePostures(PROFILES, { base: 256 });
|
|
174
153
|
|
|
175
154
|
function _bytesAt(buf, offset, sig) {
|
|
176
155
|
if (buf.length < offset + sig.length) return false;
|
|
@@ -202,7 +181,7 @@ function _detectIssues(metadata, opts) {
|
|
|
202
181
|
}
|
|
203
182
|
|
|
204
183
|
var bytes = metadata.bytes;
|
|
205
|
-
if (bytes && typeof bytes.length === "number" && bytes
|
|
184
|
+
if (bytes && typeof bytes.length === "number" && safeBuffer.byteLengthOf(bytes) > opts.maxBytes) {
|
|
206
185
|
return [{ kind: "image-cap", severity: "high",
|
|
207
186
|
ruleId: "image.image-cap",
|
|
208
187
|
snippet: "image bytes exceed maxBytes " + opts.maxBytes }];
|
|
@@ -351,13 +330,11 @@ function _detectIssues(metadata, opts) {
|
|
|
351
330
|
* big.issues.some(function (i) { return i.kind === "width-cap"; });
|
|
352
331
|
* // → true
|
|
353
332
|
*/
|
|
354
|
-
|
|
355
|
-
|
|
356
|
-
|
|
357
|
-
|
|
358
|
-
|
|
359
|
-
return gateContract.aggregateIssues(_detectIssues(input, opts));
|
|
360
|
-
}
|
|
333
|
+
// validate is assembled by gateContract.defineGuard from `detect`
|
|
334
|
+
// (_detectIssues) below — `validate(input, opts) = aggregateIssues(detect(
|
|
335
|
+
// input, resolveOpts(opts)))`, with the maxBytes / maxWidth / maxHeight /
|
|
336
|
+
// maxFrames caps declared via `intOpts`. The @primitive block above
|
|
337
|
+
// documents the resulting public ABI.
|
|
361
338
|
|
|
362
339
|
/**
|
|
363
340
|
* @primitive b.guardImage.sanitize
|
|
@@ -366,19 +343,35 @@ function validate(input, opts) {
|
|
|
366
343
|
* @status stable
|
|
367
344
|
* @related b.guardImage.validate, b.guardImage.gate
|
|
368
345
|
*
|
|
369
|
-
*
|
|
370
|
-
*
|
|
371
|
-
*
|
|
372
|
-
*
|
|
373
|
-
*
|
|
374
|
-
*
|
|
375
|
-
*
|
|
346
|
+
* Strip the container's metadata segments from `input.bytes` — EXIF/GPS,
|
|
347
|
+
* XMP/IPTC, and comment payloads (the privacy-leak and metadata-stego
|
|
348
|
+
* surface) — and return the bag with the cleaned bytes. Stripping walks the
|
|
349
|
+
* linear container framing (JPEG APPn/COM markers, PNG ancillary text chunks,
|
|
350
|
+
* GIF comment/application extensions, WebP EXIF/XMP RIFF chunks); pixel
|
|
351
|
+
* transcoding and dimension downscale still need a vendored decoder and stay
|
|
352
|
+
* the operator's job.
|
|
353
|
+
*
|
|
354
|
+
* `sanitize` first runs the validate chain and re-throws `GuardImageError`
|
|
355
|
+
* when any issue is `critical` or `high` (a polyglot or MIME-mismatch is
|
|
356
|
+
* refused, never stripped). A format whose metadata lives in an offset-based
|
|
357
|
+
* structure that cannot be rewritten without a decoder (TIFF / HEIC / AVIF) is
|
|
358
|
+
* refused with `image.sanitize-unsupported-format`; a structurally malformed
|
|
359
|
+
* container is refused with `image.sanitize-malformed` rather than returned
|
|
360
|
+
* half-stripped. BMP / ICO carry no metadata container and pass through.
|
|
376
361
|
*
|
|
377
362
|
* @opts
|
|
378
363
|
* profile: "strict"|"balanced"|"permissive",
|
|
379
364
|
* compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
|
|
380
365
|
*
|
|
381
366
|
* @example
|
|
367
|
+
* // EXIF-laden JPEG → the APP1 (EXIF/XMP) segment is removed.
|
|
368
|
+
* var clean = b.guardImage.sanitize({
|
|
369
|
+
* bytes: jpegWithExif,
|
|
370
|
+
* declaredMime: "image/jpeg",
|
|
371
|
+
* }, { profile: "strict" });
|
|
372
|
+
* clean.bytes.length < jpegWithExif.length; // → true
|
|
373
|
+
*
|
|
374
|
+
* // A MIME-mismatch is refused, not stripped.
|
|
382
375
|
* try {
|
|
383
376
|
* b.guardImage.sanitize({
|
|
384
377
|
* bytes: Buffer.from([0xFF, 0xD8, 0xFF]),
|
|
@@ -388,14 +381,221 @@ function validate(input, opts) {
|
|
|
388
381
|
* e.code; // → "image.mime-mismatch"
|
|
389
382
|
* }
|
|
390
383
|
*/
|
|
391
|
-
|
|
392
|
-
|
|
393
|
-
|
|
394
|
-
|
|
384
|
+
// ---- Container-framing metadata strip (sanitize) ----
|
|
385
|
+
//
|
|
386
|
+
// Linear TLV byte-surgery over the well-defined container framing — the same
|
|
387
|
+
// signature-walk shape as inspectMagic, NOT a pixel decoder (Hard rule: no
|
|
388
|
+
// vendored raster library). Removes the metadata segments that carry EXIF/GPS,
|
|
389
|
+
// XMP/IPTC PII, and metadata-embedded stego/polyglot payloads operators need
|
|
390
|
+
// stripped before serving an otherwise-clean image. Pixel transcoding and
|
|
391
|
+
// dimension downscale still need a decoder and stay the operator's job.
|
|
392
|
+
//
|
|
393
|
+
// A structurally malformed container is REFUSED (throw), never returned
|
|
394
|
+
// half-stripped — sanitize must not hand back bytes it could not fully clean.
|
|
395
|
+
|
|
396
|
+
function _stripMalformed(detail) {
|
|
397
|
+
return _err("image.sanitize-malformed",
|
|
398
|
+
"cannot strip image metadata — malformed container framing: " + detail);
|
|
399
|
+
}
|
|
400
|
+
|
|
401
|
+
// JPEG: FFD8 SOI, then marker segments until SOS (FFDA) begins entropy data.
|
|
402
|
+
// Drop EXIF/XMP (APP1=E1), IPTC/Photoshop (APP13=ED), comments (COM=FE), and
|
|
403
|
+
// the vendor APPn range (E3..EC, EF). Keep JFIF (APP0=E0), ICC color
|
|
404
|
+
// (APP2=E2), Adobe (APP14=EE), and every coding segment (SOFn/DHT/DQT/DRI/SOS).
|
|
405
|
+
function _stripJpegMetadata(buf) {
|
|
406
|
+
if (buf.length < 2 || buf[0] !== 0xFF || buf[1] !== 0xD8) {
|
|
407
|
+
throw _stripMalformed("missing SOI");
|
|
395
408
|
}
|
|
396
|
-
var
|
|
397
|
-
|
|
398
|
-
|
|
409
|
+
var parts = [buf.slice(0, 2)];
|
|
410
|
+
var i = 2;
|
|
411
|
+
while (i < buf.length) {
|
|
412
|
+
if (buf[i] !== 0xFF) throw _stripMalformed("expected marker at " + i);
|
|
413
|
+
// Collapse any 0xFF fill bytes preceding the marker code.
|
|
414
|
+
var mi = i + 1;
|
|
415
|
+
while (mi < buf.length && buf[mi] === 0xFF) mi += 1;
|
|
416
|
+
if (mi >= buf.length) throw _stripMalformed("truncated marker");
|
|
417
|
+
var marker = buf[mi];
|
|
418
|
+
// Standalone markers (no length payload): TEM(01), RSTn(D0..D7).
|
|
419
|
+
if (marker === 0x01 || (marker >= 0xD0 && marker <= 0xD7)) {
|
|
420
|
+
parts.push(buf.slice(i, mi + 1)); i = mi + 1; continue;
|
|
421
|
+
}
|
|
422
|
+
if (marker === 0xD9) { parts.push(buf.slice(i, mi + 1)); i = mi + 1; break; } // EOI
|
|
423
|
+
if (marker === 0xDA) { parts.push(buf.slice(i)); i = buf.length; break; } // SOS + entropy → verbatim
|
|
424
|
+
if (mi + 3 > buf.length) throw _stripMalformed("truncated segment length");
|
|
425
|
+
var segLen = (buf[mi + 1] << 8) | buf[mi + 2];
|
|
426
|
+
if (segLen < 2) throw _stripMalformed("bad segment length");
|
|
427
|
+
var segEnd = mi + 1 + segLen;
|
|
428
|
+
if (segEnd > buf.length) throw _stripMalformed("segment overruns buffer");
|
|
429
|
+
var drop = marker === 0xE1 || marker === 0xED || marker === 0xFE ||
|
|
430
|
+
(marker >= 0xE3 && marker <= 0xEC) || marker === 0xEF;
|
|
431
|
+
if (!drop) parts.push(buf.slice(i, segEnd));
|
|
432
|
+
i = segEnd;
|
|
433
|
+
}
|
|
434
|
+
return Buffer.concat(parts);
|
|
435
|
+
}
|
|
436
|
+
|
|
437
|
+
// PNG: 8-byte signature, then length(4 BE)+type(4)+data+crc(4) chunks. Drop the
|
|
438
|
+
// text/metadata/time ancillary chunks; keep critical chunks (IHDR/PLTE/IDAT/
|
|
439
|
+
// IEND) and rendering ancillary (gAMA/cHRM/sRGB/iCCP/pHYs/tRNS/bKGD/sBIT/...).
|
|
440
|
+
// Dropping a chunk never disturbs another's per-chunk CRC.
|
|
441
|
+
var _PNG_DROP = Object.freeze({ tEXt: 1, zTXt: 1, iTXt: 1, eXIf: 1, tIME: 1, dSIG: 1 });
|
|
442
|
+
function _stripPngMetadata(buf) {
|
|
443
|
+
if (buf.length < 8) throw _stripMalformed("truncated signature");
|
|
444
|
+
var parts = [buf.slice(0, 8)];
|
|
445
|
+
var i = 8;
|
|
446
|
+
while (i + 8 <= buf.length) {
|
|
447
|
+
var len = buf.readUInt32BE(i);
|
|
448
|
+
if (len > 0x7FFFFFFF) throw _stripMalformed("chunk length exceeds PNG max");
|
|
449
|
+
var type = buf.toString("latin1", i + 4, i + 8);
|
|
450
|
+
var end = i + 12 + len; // 4 len + 4 type + len + 4 crc
|
|
451
|
+
if (end > buf.length) throw _stripMalformed("chunk overruns buffer");
|
|
452
|
+
if (!_PNG_DROP[type]) parts.push(buf.slice(i, end));
|
|
453
|
+
i = end;
|
|
454
|
+
if (type === "IEND") break;
|
|
455
|
+
}
|
|
456
|
+
return Buffer.concat(parts);
|
|
457
|
+
}
|
|
458
|
+
|
|
459
|
+
// GIF: header(6)+logical-screen-descriptor(7)+optional global color table, then
|
|
460
|
+
// blocks. Drop comment (0x21 0xFE) + plain-text (0x21 0x01) + non-loop
|
|
461
|
+
// application (0x21 0xFF, e.g. XMP) extensions; keep graphic-control extensions
|
|
462
|
+
// (0x21 0xF9), the NETSCAPE/ANIMEXTS loop extension (animation control), image
|
|
463
|
+
// descriptors (0x2C), and the trailer (0x3B).
|
|
464
|
+
function _gifSkipSubBlocks(buf, i) {
|
|
465
|
+
while (i < buf.length) {
|
|
466
|
+
var size = buf[i];
|
|
467
|
+
i += 1;
|
|
468
|
+
if (size === 0) return i; // block terminator
|
|
469
|
+
i += size;
|
|
470
|
+
}
|
|
471
|
+
throw _stripMalformed("unterminated sub-block stream");
|
|
472
|
+
}
|
|
473
|
+
function _stripGifMetadata(buf) {
|
|
474
|
+
if (buf.length < 13) throw _stripMalformed("truncated header");
|
|
475
|
+
var i = 13;
|
|
476
|
+
var packed = buf[10];
|
|
477
|
+
if (packed & 0x80) i += 3 * (1 << ((packed & 0x07) + 1)); // global color table
|
|
478
|
+
if (i > buf.length) throw _stripMalformed("global color table overruns buffer");
|
|
479
|
+
var parts = [buf.slice(0, i)];
|
|
480
|
+
while (i < buf.length) {
|
|
481
|
+
var b = buf[i];
|
|
482
|
+
if (b === 0x3B) { parts.push(buf.slice(i, i + 1)); i += 1; break; } // trailer
|
|
483
|
+
if (b === 0x2C) { // image descriptor
|
|
484
|
+
var start = i;
|
|
485
|
+
if (i + 10 > buf.length) throw _stripMalformed("truncated image descriptor");
|
|
486
|
+
var lc = buf[i + 9];
|
|
487
|
+
i += 10;
|
|
488
|
+
if (lc & 0x80) i += 3 * (1 << ((lc & 0x07) + 1)); // local color table
|
|
489
|
+
if (i + 1 > buf.length) throw _stripMalformed("truncated LZW code size");
|
|
490
|
+
i += 1; // LZW minimum code size
|
|
491
|
+
i = _gifSkipSubBlocks(buf, i);
|
|
492
|
+
parts.push(buf.slice(start, i));
|
|
493
|
+
continue;
|
|
494
|
+
}
|
|
495
|
+
if (b === 0x21) { // extension introducer
|
|
496
|
+
if (i + 2 > buf.length) throw _stripMalformed("truncated extension");
|
|
497
|
+
var label = buf[i + 1];
|
|
498
|
+
var start2 = i;
|
|
499
|
+
var j = i + 2;
|
|
500
|
+
if (label === 0xF9) { // graphic control — keep
|
|
501
|
+
var k = _gifSkipSubBlocks(buf, j);
|
|
502
|
+
parts.push(buf.slice(start2, k));
|
|
503
|
+
i = k;
|
|
504
|
+
continue;
|
|
505
|
+
}
|
|
506
|
+
if (label === 0xFF) { // application extension
|
|
507
|
+
if (j >= buf.length) throw _stripMalformed("truncated app extension");
|
|
508
|
+
var blockSize = buf[j];
|
|
509
|
+
var idEnd = j + 1 + blockSize;
|
|
510
|
+
if (idEnd > buf.length) throw _stripMalformed("app-id overruns buffer");
|
|
511
|
+
var appId = buf.toString("latin1", j + 1, idEnd);
|
|
512
|
+
var k2 = _gifSkipSubBlocks(buf, idEnd);
|
|
513
|
+
if (appId.indexOf("NETSCAPE2.0") === 0 || appId.indexOf("ANIMEXTS1.0") === 0) {
|
|
514
|
+
parts.push(buf.slice(start2, k2)); // keep loop control
|
|
515
|
+
}
|
|
516
|
+
i = k2;
|
|
517
|
+
continue;
|
|
518
|
+
}
|
|
519
|
+
// comment (0xFE) / plain-text (0x01) / other → drop.
|
|
520
|
+
var k3 = j;
|
|
521
|
+
if (label === 0x01) { // plain text has a 12-byte header block
|
|
522
|
+
if (k3 >= buf.length) throw _stripMalformed("truncated plain-text header");
|
|
523
|
+
k3 += 1 + buf[k3];
|
|
524
|
+
if (k3 > buf.length) throw _stripMalformed("plain-text header overruns buffer");
|
|
525
|
+
}
|
|
526
|
+
k3 = _gifSkipSubBlocks(buf, k3);
|
|
527
|
+
i = k3;
|
|
528
|
+
continue;
|
|
529
|
+
}
|
|
530
|
+
throw _stripMalformed("unknown block 0x" + b.toString(16) + " at " + i);
|
|
531
|
+
}
|
|
532
|
+
return Buffer.concat(parts);
|
|
533
|
+
}
|
|
534
|
+
|
|
535
|
+
// WebP: RIFF container — "RIFF"+size(4 LE)+"WEBP"+chunks (FourCC+size(4 LE)+
|
|
536
|
+
// data, padded to even). Drop EXIF + XMP chunks, clear the VP8X EXIF/XMP flag
|
|
537
|
+
// bits so a strict decoder does not expect the dropped chunks, and rewrite the
|
|
538
|
+
// RIFF size. Keep VP8/VP8L/VP8X/ANIM/ANMF/ALPH/ICCP.
|
|
539
|
+
function _stripWebpMetadata(buf) {
|
|
540
|
+
if (buf.length < 12 ||
|
|
541
|
+
buf.toString("latin1", 0, 4) !== "RIFF" ||
|
|
542
|
+
buf.toString("latin1", 8, 12) !== "WEBP") {
|
|
543
|
+
throw _stripMalformed("not a RIFF/WEBP container");
|
|
544
|
+
}
|
|
545
|
+
var body = [];
|
|
546
|
+
var i = 12;
|
|
547
|
+
while (i + 8 <= buf.length) {
|
|
548
|
+
var fourcc = buf.toString("latin1", i, i + 4);
|
|
549
|
+
var size = buf.readUInt32LE(i + 4);
|
|
550
|
+
var dataEnd = i + 8 + size;
|
|
551
|
+
if (dataEnd > buf.length) throw _stripMalformed("chunk overruns buffer");
|
|
552
|
+
var padded = dataEnd + (size & 1); // even-pad
|
|
553
|
+
if (padded > buf.length) padded = buf.length; // tolerate a missing final pad byte
|
|
554
|
+
if (fourcc === "EXIF" || fourcc === "XMP ") { i = padded; continue; } // drop metadata chunk
|
|
555
|
+
var chunk = buf.slice(i, padded);
|
|
556
|
+
if (fourcc === "VP8X" && size >= 1) {
|
|
557
|
+
chunk = Buffer.from(chunk); // own copy before mutating flags
|
|
558
|
+
chunk[8] = chunk[8] & ~0x08 & ~0x04; // clear EXIF + XMP presence bits
|
|
559
|
+
}
|
|
560
|
+
body.push(chunk);
|
|
561
|
+
i = padded;
|
|
562
|
+
}
|
|
563
|
+
var bodyBuf = Buffer.concat(body);
|
|
564
|
+
var out = Buffer.concat([buf.slice(0, 12), bodyBuf]);
|
|
565
|
+
out.writeUInt32LE(4 + bodyBuf.length, 4); // RIFF size = "WEBP" + chunks
|
|
566
|
+
return out;
|
|
567
|
+
}
|
|
568
|
+
|
|
569
|
+
function _stripImageMetadata(bytes) {
|
|
570
|
+
var mimes = _detectMagicMimes(bytes);
|
|
571
|
+
if (mimes.indexOf("image/jpeg") !== -1) return _stripJpegMetadata(bytes);
|
|
572
|
+
if (mimes.indexOf("image/png") !== -1) return _stripPngMetadata(bytes);
|
|
573
|
+
if (mimes.indexOf("image/gif") !== -1) return _stripGifMetadata(bytes);
|
|
574
|
+
if (mimes.indexOf("image/webp") !== -1) return _stripWebpMetadata(bytes);
|
|
575
|
+
// BMP / ICO carry no text/EXIF metadata container — nothing to strip.
|
|
576
|
+
if (mimes.indexOf("image/bmp") !== -1 || mimes.indexOf("image/x-icon") !== -1) return bytes;
|
|
577
|
+
// TIFF / HEIC / AVIF keep metadata in IFD / ISO-BMFF box structures that need
|
|
578
|
+
// offset-aware rewriting (a format parser — forbidden). Refuse rather than
|
|
579
|
+
// hand back un-stripped bytes claiming they were sanitized.
|
|
580
|
+
throw _err("image.sanitize-unsupported-format",
|
|
581
|
+
"in-framework metadata strip covers jpeg/png/gif/webp (linear container " +
|
|
582
|
+
"framing); this format needs a vendored decoder — refuse and run an " +
|
|
583
|
+
"external sanitizer");
|
|
584
|
+
}
|
|
585
|
+
|
|
586
|
+
// _sanitizeTransform — defineGuard's generated sanitize runs resolve → detect →
|
|
587
|
+
// throw-on-refusal first, so a polyglot / mime-mismatch (critical/high) is
|
|
588
|
+
// refused before this point. For an otherwise-clean image the metadata bag's
|
|
589
|
+
// bytes are stripped of their EXIF/XMP/IPTC/comment segments; pixel transcoding
|
|
590
|
+
// still needs a decoder and stays the operator's job. Non-Buffer bytes pass
|
|
591
|
+
// through (validate already refused bad input upstream).
|
|
592
|
+
function _sanitizeTransform(metadata) {
|
|
593
|
+
if (!metadata || typeof metadata !== "object" || !Buffer.isBuffer(metadata.bytes)) {
|
|
594
|
+
return metadata;
|
|
595
|
+
}
|
|
596
|
+
var cleaned = _stripImageMetadata(metadata.bytes);
|
|
597
|
+
if (cleaned === metadata.bytes) return metadata;
|
|
598
|
+
return Object.assign({}, metadata, { bytes: cleaned });
|
|
399
599
|
}
|
|
400
600
|
|
|
401
601
|
/**
|
|
@@ -410,9 +610,10 @@ function sanitize(input, opts) {
|
|
|
410
610
|
* { "image/png": gate, "image/jpeg": gate } })` or `b.staticServe`.
|
|
411
611
|
* Operators pass `ctx.metadata` (the decoder's reported shape) plus
|
|
412
612
|
* the original `bytes`. Action chain: `serve` (no issues) →
|
|
413
|
-
* `audit-only` (warn-only) → `refuse` (any critical / high).
|
|
414
|
-
*
|
|
415
|
-
*
|
|
613
|
+
* `audit-only` (warn-only) → `refuse` (any critical / high). The gate
|
|
614
|
+
* does not auto-strip; an operator who wants metadata removed before
|
|
615
|
+
* serving calls `b.guardImage.sanitize(bag)` explicitly (it walks the
|
|
616
|
+
* container framing — EXIF/XMP/IPTC out of JPEG/PNG/GIF/WebP).
|
|
416
617
|
*
|
|
417
618
|
* @opts
|
|
418
619
|
* profile: "strict"|"balanced"|"permissive",
|
|
@@ -434,25 +635,21 @@ function sanitize(input, opts) {
|
|
|
434
635
|
* verdict.issues[0].kind; // → "mime-mismatch"
|
|
435
636
|
*/
|
|
436
637
|
function gate(opts) {
|
|
437
|
-
opts =
|
|
638
|
+
opts = gateContract.resolveProfileAndPosture(opts, {
|
|
639
|
+
profiles: PROFILES,
|
|
640
|
+
compliancePostures: COMPLIANCE_POSTURES,
|
|
641
|
+
defaults: DEFAULTS,
|
|
642
|
+
errorClass: GuardImageError,
|
|
643
|
+
errCodePrefix: "image",
|
|
644
|
+
});
|
|
438
645
|
return gateContract.buildGuardGate(
|
|
439
646
|
opts.name || "guardImage:" + (opts.profile || "default"),
|
|
440
647
|
opts,
|
|
441
648
|
async function (ctx) {
|
|
442
649
|
var meta = ctx && (ctx.metadata || ctx.imageMetadata);
|
|
443
650
|
if (!meta) return { ok: true, action: "serve" };
|
|
444
|
-
var rv = validate(meta, opts);
|
|
445
|
-
|
|
446
|
-
var hasCritical = rv.issues.some(function (i) {
|
|
447
|
-
return i.severity === "critical";
|
|
448
|
-
});
|
|
449
|
-
var hasHigh = rv.issues.some(function (i) {
|
|
450
|
-
return i.severity === "high";
|
|
451
|
-
});
|
|
452
|
-
if (!hasCritical && !hasHigh) {
|
|
453
|
-
return { ok: true, action: "audit-only", issues: rv.issues };
|
|
454
|
-
}
|
|
455
|
-
return { ok: false, action: "refuse", issues: rv.issues };
|
|
651
|
+
var rv = module.exports.validate(meta, opts);
|
|
652
|
+
return gateContract.severityDisposition(rv.issues);
|
|
456
653
|
});
|
|
457
654
|
}
|
|
458
655
|
|
|
@@ -506,10 +703,12 @@ var INTEGRATION_FIXTURES = Object.freeze({
|
|
|
506
703
|
// Assembled from the gate-contract guard factory: error class, registry
|
|
507
704
|
// exports (NAME / KIND / INTEGRATION_FIXTURES), buildProfile /
|
|
508
705
|
// compliancePosture / loadRulePack wiring, plus the per-guard inspection
|
|
509
|
-
// surface
|
|
510
|
-
//
|
|
511
|
-
// `
|
|
512
|
-
//
|
|
706
|
+
// surface. validate + sanitize are generated from `detect` (_detectIssues)
|
|
707
|
+
// and `sanitizeTransform` (_sanitizeTransform) with the positive-finite-int
|
|
708
|
+
// caps declared via `intOpts`. The image extra (inspectMagic) passes through
|
|
709
|
+
// verbatim. KIND="metadata" is a custom kind, so the bespoke `gate`
|
|
710
|
+
// (operator-feeds-metadata ctx.metadata reader) is REQUIRED and carries the
|
|
711
|
+
// magic-byte / polyglot / dimension chain unchanged.
|
|
513
712
|
module.exports = gateContract.defineGuard({
|
|
514
713
|
name: "image",
|
|
515
714
|
kind: "metadata",
|
|
@@ -518,8 +717,12 @@ module.exports = gateContract.defineGuard({
|
|
|
518
717
|
defaults: DEFAULTS,
|
|
519
718
|
postures: COMPLIANCE_POSTURES,
|
|
520
719
|
integrationFixtures: INTEGRATION_FIXTURES,
|
|
521
|
-
|
|
522
|
-
|
|
720
|
+
// detect/sanitizeTransform read a structured `{ bytes, declaredMime, ... }`
|
|
721
|
+
// metadata report, not text. The generated validate's default "raw" input
|
|
722
|
+
// contract hands the bag straight to detect (which owns its own bad-input).
|
|
723
|
+
detect: _detectIssues,
|
|
724
|
+
sanitizeTransform: _sanitizeTransform,
|
|
725
|
+
intOpts: ["maxBytes", "maxWidth", "maxHeight", "maxFrames"],
|
|
523
726
|
gate: gate,
|
|
524
727
|
extra: {
|
|
525
728
|
inspectMagic: inspectMagic,
|
|
@@ -83,6 +83,8 @@
|
|
|
83
83
|
|
|
84
84
|
var { defineClass } = require("./framework-error");
|
|
85
85
|
var gateContract = require("./gate-contract");
|
|
86
|
+
var codepointClass = require("./codepoint-class");
|
|
87
|
+
var safeBuffer = require("./safe-buffer");
|
|
86
88
|
|
|
87
89
|
var GuardImapCommandError = defineClass("GuardImapCommandError", { alwaysPermanent: true });
|
|
88
90
|
|
|
@@ -210,21 +212,18 @@ function validate(line, opts) {
|
|
|
210
212
|
throw new GuardImapCommandError("guard-imap-command/empty-line",
|
|
211
213
|
"guardImapCommand.validate: empty command line");
|
|
212
214
|
}
|
|
213
|
-
if (line
|
|
215
|
+
if (safeBuffer.byteLengthOf(line) > caps.maxLineBytes) {
|
|
214
216
|
throw new GuardImapCommandError("guard-imap-command/line-too-long",
|
|
215
|
-
"guardImapCommand.validate: line " + line
|
|
217
|
+
"guardImapCommand.validate: line " + safeBuffer.byteLengthOf(line) + " bytes exceeds cap " + caps.maxLineBytes);
|
|
216
218
|
}
|
|
217
219
|
// Byte-safety: refuse bare CR / bare LF / NUL / C0 / DEL. The
|
|
218
220
|
// wire-protocol reader has already stripped the terminating CRLF
|
|
219
221
|
// before calling validate(); any remaining CR or LF is a smuggling
|
|
220
222
|
// shape.
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
throw new GuardImapCommandError("guard-imap-command/bad-byte",
|
|
226
|
-
"guardImapCommand.validate: control byte 0x" + c.toString(16) + " at offset " + i); // hex format literal in error message
|
|
227
|
-
}
|
|
223
|
+
var ctrlAt = codepointClass.firstControlCharOffset(line, { allowLf: caps.allowBareLf }); // bare LF permitted only when caps allow
|
|
224
|
+
if (ctrlAt !== -1) {
|
|
225
|
+
throw new GuardImapCommandError("guard-imap-command/bad-byte",
|
|
226
|
+
"guardImapCommand.validate: control byte 0x" + line.charCodeAt(ctrlAt).toString(16) + " at offset " + ctrlAt); // hex format literal in error message
|
|
228
227
|
}
|
|
229
228
|
|
|
230
229
|
// RFC 9051 §2.2.1 — `tag SP command [SP args] CRLF`
|