@blamejs/blamejs-shop 0.4.56 → 0.4.58
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/affiliates.js +35 -4
- package/lib/api-keys.js +17 -2
- package/lib/asset-manifest.json +1 -1
- package/lib/backorder.js +21 -4
- package/lib/click-and-collect.js +11 -2
- package/lib/credit-limits.js +132 -84
- package/lib/vendor/MANIFEST.json +426 -366
- package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
- package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
- package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
- package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
- package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
- package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
- package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
- package/lib/vendor/blamejs/CHANGELOG.md +2 -0
- package/lib/vendor/blamejs/api-snapshot.json +1381 -4
- package/lib/vendor/blamejs/eslint.config.mjs +1 -0
- package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
- package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
- package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
- package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
- package/lib/vendor/blamejs/index.js +2 -0
- package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
- package/lib/vendor/blamejs/lib/acme.js +6 -5
- package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
- package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
- package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
- package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
- package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
- package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
- package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
- package/lib/vendor/blamejs/lib/ai-input.js +2 -2
- package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
- package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
- package/lib/vendor/blamejs/lib/api-key.js +37 -28
- package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
- package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
- package/lib/vendor/blamejs/lib/archive-read.js +5 -17
- package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
- package/lib/vendor/blamejs/lib/archive.js +2 -10
- package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
- package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
- package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
- package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
- package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
- package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
- package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
- package/lib/vendor/blamejs/lib/audit.js +84 -0
- package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
- package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
- package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
- package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
- package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
- package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
- package/lib/vendor/blamejs/lib/auth/password.js +7 -1
- package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
- package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
- package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
- package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
- package/lib/vendor/blamejs/lib/backup/index.js +14 -47
- package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
- package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
- package/lib/vendor/blamejs/lib/cache.js +7 -18
- package/lib/vendor/blamejs/lib/cbor.js +2 -1
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
- package/lib/vendor/blamejs/lib/cert.js +3 -10
- package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
- package/lib/vendor/blamejs/lib/cli.js +5 -1
- package/lib/vendor/blamejs/lib/client-hints.js +7 -9
- package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
- package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
- package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
- package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
- package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
- package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
- package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
- package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
- package/lib/vendor/blamejs/lib/compliance.js +2 -9
- package/lib/vendor/blamejs/lib/config-drift.js +2 -12
- package/lib/vendor/blamejs/lib/content-digest.js +10 -8
- package/lib/vendor/blamejs/lib/cookies.js +5 -11
- package/lib/vendor/blamejs/lib/cose.js +19 -11
- package/lib/vendor/blamejs/lib/cra-report.js +1 -11
- package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
- package/lib/vendor/blamejs/lib/crypto.js +120 -3
- package/lib/vendor/blamejs/lib/csp.js +235 -3
- package/lib/vendor/blamejs/lib/daemon.js +42 -41
- package/lib/vendor/blamejs/lib/data-act.js +19 -9
- package/lib/vendor/blamejs/lib/db-query.js +6 -40
- package/lib/vendor/blamejs/lib/db.js +34 -12
- package/lib/vendor/blamejs/lib/dbsc.js +5 -6
- package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
- package/lib/vendor/blamejs/lib/deprecate.js +4 -5
- package/lib/vendor/blamejs/lib/did.js +6 -2
- package/lib/vendor/blamejs/lib/dsr.js +8 -12
- package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
- package/lib/vendor/blamejs/lib/external-db.js +14 -26
- package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
- package/lib/vendor/blamejs/lib/fdx.js +22 -18
- package/lib/vendor/blamejs/lib/file-upload.js +80 -66
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
- package/lib/vendor/blamejs/lib/framework-error.js +12 -0
- package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
- package/lib/vendor/blamejs/lib/fsm.js +7 -12
- package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
- package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
- package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
- package/lib/vendor/blamejs/lib/guard-all.js +1 -0
- package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
- package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
- package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
- package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
- package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
- package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
- package/lib/vendor/blamejs/lib/guard-email.js +46 -53
- package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
- package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
- package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
- package/lib/vendor/blamejs/lib/guard-html.js +65 -117
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
- package/lib/vendor/blamejs/lib/guard-image.js +280 -77
- package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
- package/lib/vendor/blamejs/lib/guard-json.js +87 -103
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
- package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
- package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
- package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
- package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
- package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
- package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
- package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
- package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
- package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
- package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
- package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
- package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
- package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
- package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
- package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
- package/lib/vendor/blamejs/lib/guard-template.js +23 -80
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
- package/lib/vendor/blamejs/lib/guard-text.js +592 -0
- package/lib/vendor/blamejs/lib/guard-time.js +27 -95
- package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
- package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
- package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
- package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
- package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
- package/lib/vendor/blamejs/lib/http-client.js +8 -21
- package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
- package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
- package/lib/vendor/blamejs/lib/i18n.js +83 -26
- package/lib/vendor/blamejs/lib/inbox.js +8 -8
- package/lib/vendor/blamejs/lib/incident-report.js +3 -21
- package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
- package/lib/vendor/blamejs/lib/jobs.js +3 -2
- package/lib/vendor/blamejs/lib/keychain.js +6 -18
- package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
- package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
- package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
- package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
- package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
- package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
- package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
- package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
- package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
- package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
- package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
- package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
- package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
- package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
- package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
- package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
- package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
- package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
- package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
- package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
- package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
- package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
- package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
- package/lib/vendor/blamejs/lib/mail-store.js +3 -2
- package/lib/vendor/blamejs/lib/mail.js +6 -11
- package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
- package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
- package/lib/vendor/blamejs/lib/mcp.js +1 -1
- package/lib/vendor/blamejs/lib/mdoc.js +11 -12
- package/lib/vendor/blamejs/lib/metrics.js +32 -30
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
- package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
- package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
- package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
- package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
- package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
- package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
- package/lib/vendor/blamejs/lib/migrations.js +4 -13
- package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
- package/lib/vendor/blamejs/lib/module-loader.js +44 -0
- package/lib/vendor/blamejs/lib/money.js +105 -0
- package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
- package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
- package/lib/vendor/blamejs/lib/network-dane.js +8 -6
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
- package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
- package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
- package/lib/vendor/blamejs/lib/network-tls.js +40 -42
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
- package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
- package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
- package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
- package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
- package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
- package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
- package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
- package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
- package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
- package/lib/vendor/blamejs/lib/observability.js +95 -0
- package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
- package/lib/vendor/blamejs/lib/otel-export.js +7 -10
- package/lib/vendor/blamejs/lib/outbox.js +43 -37
- package/lib/vendor/blamejs/lib/pagination.js +11 -15
- package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
- package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
- package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
- package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
- package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
- package/lib/vendor/blamejs/lib/pick.js +63 -5
- package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
- package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
- package/lib/vendor/blamejs/lib/problem-details.js +2 -5
- package/lib/vendor/blamejs/lib/pubsub.js +4 -8
- package/lib/vendor/blamejs/lib/redact.js +2 -1
- package/lib/vendor/blamejs/lib/render.js +4 -2
- package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
- package/lib/vendor/blamejs/lib/restore.js +5 -22
- package/lib/vendor/blamejs/lib/retention.js +3 -5
- package/lib/vendor/blamejs/lib/safe-async.js +457 -0
- package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
- package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
- package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
- package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
- package/lib/vendor/blamejs/lib/safe-json.js +7 -8
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
- package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
- package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
- package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
- package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
- package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
- package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
- package/lib/vendor/blamejs/lib/sandbox.js +3 -2
- package/lib/vendor/blamejs/lib/scheduler.js +5 -12
- package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
- package/lib/vendor/blamejs/lib/seeders.js +4 -11
- package/lib/vendor/blamejs/lib/self-update.js +92 -69
- package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
- package/lib/vendor/blamejs/lib/session.js +194 -6
- package/lib/vendor/blamejs/lib/sql.js +225 -78
- package/lib/vendor/blamejs/lib/sse.js +6 -10
- package/lib/vendor/blamejs/lib/static.js +136 -98
- package/lib/vendor/blamejs/lib/storage.js +4 -2
- package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
- package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
- package/lib/vendor/blamejs/lib/tsa.js +11 -15
- package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
- package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
- package/lib/vendor/blamejs/lib/vc.js +2 -7
- package/lib/vendor/blamejs/lib/vex.js +35 -13
- package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
- package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
- package/lib/vendor/blamejs/lib/webhook.js +43 -18
- package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
- package/lib/vendor/blamejs/lib/websocket.js +7 -3
- package/lib/vendor/blamejs/lib/worm.js +2 -3
- package/lib/vendor/blamejs/lib/ws-client.js +8 -10
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
- package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
- package/lib/vendor/blamejs/test/00-primitives.js +136 -7
- package/lib/vendor/blamejs/test/10-state.js +9 -3
- package/lib/vendor/blamejs/test/30-chain.js +40 -0
- package/lib/vendor/blamejs/test/helpers/check.js +18 -0
- package/lib/vendor/blamejs/test/helpers/db.js +4 -0
- package/lib/vendor/blamejs/test/helpers/index.js +1 -0
- package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
- package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
- package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
- package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
- package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
- package/package.json +1 -1
|
@@ -72,13 +72,12 @@
|
|
|
72
72
|
* JWT identifier-safety guard — validates user-supplied JWT compact-serialization strings against the canonical CVE-class refuse list BEFORE hand-off to a signature verifier.
|
|
73
73
|
*/
|
|
74
74
|
|
|
75
|
-
var codepointClass = require("./codepoint-class");
|
|
76
75
|
var lazyRequire = require("./lazy-require");
|
|
77
76
|
var gateContract = require("./gate-contract");
|
|
78
77
|
var C = require("./constants");
|
|
79
|
-
var numericBounds = require("./numeric-bounds");
|
|
80
78
|
var safeJson = require("./safe-json");
|
|
81
79
|
var { GuardJwtError } = require("./framework-error");
|
|
80
|
+
var codepointClass = require("./codepoint-class");
|
|
82
81
|
|
|
83
82
|
var observability = lazyRequire(function () { return require("./observability"); });
|
|
84
83
|
void observability;
|
|
@@ -118,10 +117,7 @@ function _b64urlDecodeJson(seg) {
|
|
|
118
117
|
|
|
119
118
|
var PROFILES = Object.freeze({
|
|
120
119
|
"strict": {
|
|
121
|
-
|
|
122
|
-
controlPolicy: "reject",
|
|
123
|
-
nullBytePolicy: "reject",
|
|
124
|
-
zeroWidthPolicy: "reject",
|
|
120
|
+
...gateContract.CHAR_THREATS_REJECT_ALL,
|
|
125
121
|
algNonePolicy: "reject",
|
|
126
122
|
algAllowlistPolicy: "reject",
|
|
127
123
|
kidTraversalPolicy: "reject",
|
|
@@ -142,10 +138,7 @@ var PROFILES = Object.freeze({
|
|
|
142
138
|
maxRuntimeMs: C.TIME.seconds(2),
|
|
143
139
|
},
|
|
144
140
|
"balanced": {
|
|
145
|
-
|
|
146
|
-
controlPolicy: "reject",
|
|
147
|
-
nullBytePolicy: "reject",
|
|
148
|
-
zeroWidthPolicy: "reject",
|
|
141
|
+
...gateContract.CHAR_THREATS_REJECT_ALL,
|
|
149
142
|
algNonePolicy: "reject", // alg=none refused at every profile
|
|
150
143
|
algAllowlistPolicy: "audit",
|
|
151
144
|
kidTraversalPolicy: "reject", // kid traversal refused at every profile
|
|
@@ -166,10 +159,7 @@ var PROFILES = Object.freeze({
|
|
|
166
159
|
maxRuntimeMs: C.TIME.seconds(2),
|
|
167
160
|
},
|
|
168
161
|
"permissive": {
|
|
169
|
-
|
|
170
|
-
controlPolicy: "reject", // controls refused at every profile
|
|
171
|
-
nullBytePolicy: "reject", // null refused at every profile
|
|
172
|
-
zeroWidthPolicy: "reject", // zero-width refused at every profile
|
|
162
|
+
...gateContract.CHAR_THREATS_REJECT_ALL,
|
|
173
163
|
algNonePolicy: "reject", // alg=none refused at every profile
|
|
174
164
|
algAllowlistPolicy: "allow",
|
|
175
165
|
kidTraversalPolicy: "reject", // kid traversal refused at every profile
|
|
@@ -191,55 +181,10 @@ var PROFILES = Object.freeze({
|
|
|
191
181
|
},
|
|
192
182
|
});
|
|
193
183
|
|
|
194
|
-
var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
|
|
195
|
-
mode: "enforce",
|
|
196
|
-
}));
|
|
197
|
-
|
|
198
|
-
var COMPLIANCE_POSTURES = Object.freeze({
|
|
199
|
-
"hipaa": Object.assign({}, PROFILES["strict"], {
|
|
200
|
-
forensicSnippetBytes: C.BYTES.bytes(256),
|
|
201
|
-
}),
|
|
202
|
-
"pci-dss": Object.assign({}, PROFILES["strict"], {
|
|
203
|
-
forensicSnippetBytes: C.BYTES.bytes(256),
|
|
204
|
-
}),
|
|
205
|
-
"gdpr": Object.assign({}, PROFILES["balanced"], {
|
|
206
|
-
forensicSnippetBytes: C.BYTES.bytes(128),
|
|
207
|
-
}),
|
|
208
|
-
"soc2": Object.assign({}, PROFILES["strict"], {
|
|
209
|
-
forensicSnippetBytes: C.BYTES.bytes(512),
|
|
210
|
-
}),
|
|
211
|
-
});
|
|
212
|
-
|
|
213
|
-
function _resolveOpts(opts) {
|
|
214
|
-
return gateContract.resolveProfileAndPosture(opts, {
|
|
215
|
-
profiles: PROFILES,
|
|
216
|
-
compliancePostures: COMPLIANCE_POSTURES,
|
|
217
|
-
defaults: DEFAULTS,
|
|
218
|
-
errorClass: GuardJwtError,
|
|
219
|
-
errCodePrefix: "jwt",
|
|
220
|
-
});
|
|
221
|
-
}
|
|
222
|
-
|
|
223
184
|
function _detectIssues(input, opts) {
|
|
224
|
-
var
|
|
225
|
-
if (
|
|
226
|
-
|
|
227
|
-
ruleId: "jwt.bad-input",
|
|
228
|
-
snippet: "jwt is not a string" }];
|
|
229
|
-
}
|
|
230
|
-
if (input.length === 0) {
|
|
231
|
-
return [{ kind: "empty", severity: "high",
|
|
232
|
-
ruleId: "jwt.empty",
|
|
233
|
-
snippet: "jwt is empty" }];
|
|
234
|
-
}
|
|
235
|
-
if (Buffer.byteLength(input, "utf8") > opts.maxBytes) {
|
|
236
|
-
return [{ kind: "jwt-cap", severity: "high",
|
|
237
|
-
ruleId: "jwt.jwt-cap",
|
|
238
|
-
snippet: "jwt input exceeds maxBytes " + opts.maxBytes }];
|
|
239
|
-
}
|
|
240
|
-
|
|
241
|
-
var charThreats = codepointClass.detectCharThreats(input, opts, "jwt");
|
|
242
|
-
for (var ci = 0; ci < charThreats.length; ci += 1) issues.push(charThreats[ci]);
|
|
185
|
+
var pre = gateContract.detectStringInput(input, opts, { name: "jwt", cap: { bytes: opts.maxBytes } });
|
|
186
|
+
if (pre.done) return pre.issues;
|
|
187
|
+
var issues = pre.issues;
|
|
243
188
|
|
|
244
189
|
if (!JWT_SHAPE_RE.test(input)) { // allow:regex-no-length-cap — input bounded by maxBytes
|
|
245
190
|
issues.push({
|
|
@@ -490,22 +435,11 @@ function _detectIssues(input, opts) {
|
|
|
490
435
|
* var ok = b.guardJwt.validate(benign, { profile: "strict" });
|
|
491
436
|
* ok.ok; // → true
|
|
492
437
|
*/
|
|
493
|
-
|
|
494
|
-
|
|
495
|
-
|
|
496
|
-
|
|
497
|
-
|
|
498
|
-
"guardJwt.validate", GuardJwtError, "jwt.bad-opt");
|
|
499
|
-
if (typeof input !== "string") {
|
|
500
|
-
return {
|
|
501
|
-
ok: false,
|
|
502
|
-
issues: [{ kind: "bad-input", severity: "high",
|
|
503
|
-
ruleId: "jwt.bad-input",
|
|
504
|
-
snippet: "jwt is not a string" }],
|
|
505
|
-
};
|
|
506
|
-
}
|
|
507
|
-
return gateContract.aggregateIssues(_detectIssues(input, opts));
|
|
508
|
-
}
|
|
438
|
+
// validate is assembled by gateContract.defineGuard from `detect`
|
|
439
|
+
// (_detectIssues) below — `validate(input, opts) = aggregateIssues(detect(
|
|
440
|
+
// input, resolveOpts(opts)))`, with the segment/total byte caps and slack
|
|
441
|
+
// windows declared via `intOpts`. The @primitive block above documents the
|
|
442
|
+
// resulting public ABI.
|
|
509
443
|
|
|
510
444
|
/**
|
|
511
445
|
* @primitive b.guardJwt.sanitize
|
|
@@ -537,15 +471,11 @@ function validate(input, opts) {
|
|
|
537
471
|
* e.code; // → "jwt.alg-none"
|
|
538
472
|
* }
|
|
539
473
|
*/
|
|
540
|
-
|
|
541
|
-
|
|
542
|
-
|
|
543
|
-
|
|
544
|
-
|
|
545
|
-
// JWT shape can't be repaired — sanitize either passes through
|
|
546
|
-
// valid input or throws.
|
|
547
|
-
var issues = _detectIssues(input, opts);
|
|
548
|
-
gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardJwtError, codePrefix: "jwt" });
|
|
474
|
+
// _sanitizeTransform — the guard-specific normalize applied by defineGuard's
|
|
475
|
+
// generated sanitize AFTER resolve → detect → throw-on-refusal. JWT compact
|
|
476
|
+
// serialization can't be repaired (every byte feeds the signature), so the
|
|
477
|
+
// transform is identity: a validated token passes through unchanged.
|
|
478
|
+
function _sanitizeTransform(input) {
|
|
549
479
|
return input;
|
|
550
480
|
}
|
|
551
481
|
|
|
@@ -590,36 +520,23 @@ function kidSafe(kid) {
|
|
|
590
520
|
throw _err("jwt.kid-traversal",
|
|
591
521
|
"kid `" + kid + "` contains path-traversal indicators");
|
|
592
522
|
}
|
|
593
|
-
|
|
594
|
-
|
|
595
|
-
|
|
596
|
-
|
|
597
|
-
"kid contains control byte at index " + i);
|
|
598
|
-
}
|
|
523
|
+
var _kidCtl = codepointClass.firstControlCharOffset(kid, { forbidTab: true }); // control-byte boundary check
|
|
524
|
+
if (_kidCtl !== -1) {
|
|
525
|
+
throw _err("jwt.kid-control",
|
|
526
|
+
"kid contains control byte at index " + _kidCtl);
|
|
599
527
|
}
|
|
600
528
|
return kid;
|
|
601
529
|
}
|
|
602
530
|
|
|
603
531
|
// ---- guard-* family registry exports ----
|
|
604
|
-
|
|
605
|
-
|
|
606
|
-
|
|
607
|
-
|
|
608
|
-
"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
|
|
609
|
-
"eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9." +
|
|
610
|
-
"sig", "utf8"),
|
|
611
|
-
benignIdentifier:
|
|
612
|
-
"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
|
|
532
|
+
// Benign: minimal v4 token with alg=ES256, valid JSON header / payload.
|
|
533
|
+
// Hostile: alg=none — universal refuse class.
|
|
534
|
+
var INTEGRATION_FIXTURES = gateContract.identifierFixtures(
|
|
535
|
+
"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
|
|
613
536
|
"eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9." +
|
|
614
537
|
"sig",
|
|
615
|
-
|
|
616
|
-
|
|
617
|
-
"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
|
|
618
|
-
"eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0.", "utf8"),
|
|
619
|
-
hostileIdentifier:
|
|
620
|
-
"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
|
|
621
|
-
"eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0.",
|
|
622
|
-
});
|
|
538
|
+
"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
|
|
539
|
+
"eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0.");
|
|
623
540
|
|
|
624
541
|
// Assembled from the gate-contract guard factory. KIND "identifier"; the
|
|
625
542
|
// gate is the standard serve -> audit-only -> refuse chain over
|
|
@@ -632,11 +549,12 @@ module.exports = gateContract.defineGuard({
|
|
|
632
549
|
kind: "identifier",
|
|
633
550
|
errorClass: GuardJwtError,
|
|
634
551
|
profiles: PROFILES,
|
|
635
|
-
|
|
636
|
-
postures: COMPLIANCE_POSTURES,
|
|
552
|
+
base: 256,
|
|
637
553
|
integrationFixtures: INTEGRATION_FIXTURES,
|
|
638
|
-
|
|
639
|
-
|
|
554
|
+
detect: _detectIssues,
|
|
555
|
+
sanitizeTransform: _sanitizeTransform,
|
|
556
|
+
intOpts: ["maxBytes", "maxHeaderBytes", "maxPayloadBytes",
|
|
557
|
+
"maxSignatureBytes", "nbfFutureSlackMs", "iatFutureSlackMs"],
|
|
640
558
|
extra: {
|
|
641
559
|
kidSafe: kidSafe,
|
|
642
560
|
},
|
|
@@ -74,6 +74,7 @@
|
|
|
74
74
|
var C = require("./constants");
|
|
75
75
|
var { defineClass } = require("./framework-error");
|
|
76
76
|
var gateContract = require("./gate-contract");
|
|
77
|
+
var codepointClass = require("./codepoint-class");
|
|
77
78
|
|
|
78
79
|
var GuardListIdError = defineClass("GuardListIdError", { alwaysPermanent: true });
|
|
79
80
|
|
|
@@ -272,13 +273,7 @@ function validate(headerValue, opts) {
|
|
|
272
273
|
// generator.
|
|
273
274
|
|
|
274
275
|
function _hasControlChar(s) {
|
|
275
|
-
|
|
276
|
-
var c = s.charCodeAt(i);
|
|
277
|
-
if (c === 0x00 || c === 0x7f || (c < 0x20 && c !== 0x09)) { // RFC 5322 control + TAB allow
|
|
278
|
-
return true;
|
|
279
|
-
}
|
|
280
|
-
}
|
|
281
|
-
return false;
|
|
276
|
+
return codepointClass.firstControlCharOffset(s) !== -1;
|
|
282
277
|
}
|
|
283
278
|
|
|
284
279
|
function _refuse(reason) {
|
|
@@ -80,6 +80,7 @@ var C = require("./constants");
|
|
|
80
80
|
var { defineClass } = require("./framework-error");
|
|
81
81
|
var safeUrl = require("./safe-url");
|
|
82
82
|
var gateContract = require("./gate-contract");
|
|
83
|
+
var codepointClass = require("./codepoint-class");
|
|
83
84
|
|
|
84
85
|
var GuardListUnsubscribeError = defineClass("GuardListUnsubscribeError", { alwaysPermanent: true });
|
|
85
86
|
|
|
@@ -354,13 +355,7 @@ function _extractUris(raw, maxUris) {
|
|
|
354
355
|
}
|
|
355
356
|
|
|
356
357
|
function _hasControlChar(s) {
|
|
357
|
-
|
|
358
|
-
var c = s.charCodeAt(i);
|
|
359
|
-
if (c === 0x00 || c === 0x7f || (c < 0x20 && c !== 0x09)) { // RFC 5322 control + TAB allow
|
|
360
|
-
return true;
|
|
361
|
-
}
|
|
362
|
-
}
|
|
363
|
-
return false;
|
|
358
|
+
return codepointClass.firstControlCharOffset(s) !== -1;
|
|
364
359
|
}
|
|
365
360
|
|
|
366
361
|
function _trunc(s) {
|
|
@@ -37,6 +37,7 @@
|
|
|
37
37
|
|
|
38
38
|
var { defineClass } = require("./framework-error");
|
|
39
39
|
var gateContract = require("./gate-contract");
|
|
40
|
+
var codepointClass = require("./codepoint-class");
|
|
40
41
|
|
|
41
42
|
var GuardMailComposeError = defineClass("GuardMailComposeError", { alwaysPermanent: true });
|
|
42
43
|
|
|
@@ -229,12 +230,10 @@ function _checkBody(body, profile, allowAlt) {
|
|
|
229
230
|
}
|
|
230
231
|
|
|
231
232
|
function _checkHeaderValue(v, label) {
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
"guardMailCompose.validate: control char 0x" + c.toString(16) + " in " + label);
|
|
237
|
-
}
|
|
233
|
+
var ctrlAt = codepointClass.firstControlCharOffset(v); // C0 (except TAB) + DEL refusal in header
|
|
234
|
+
if (ctrlAt !== -1) {
|
|
235
|
+
throw new GuardMailComposeError("mail-compose/control-char-in-header",
|
|
236
|
+
"guardMailCompose.validate: control char 0x" + v.charCodeAt(ctrlAt).toString(16) + " in " + label);
|
|
238
237
|
}
|
|
239
238
|
}
|
|
240
239
|
|
|
@@ -35,6 +35,7 @@
|
|
|
35
35
|
|
|
36
36
|
var { defineClass } = require("./framework-error");
|
|
37
37
|
var gateContract = require("./gate-contract");
|
|
38
|
+
var codepointClass = require("./codepoint-class");
|
|
38
39
|
|
|
39
40
|
var GuardMailMoveError = defineClass("GuardMailMoveError", { alwaysPermanent: true });
|
|
40
41
|
|
|
@@ -159,7 +160,7 @@ function _checkFolderName(name, label, profile) {
|
|
|
159
160
|
}
|
|
160
161
|
for (var i = 0; i < name.length; i += 1) {
|
|
161
162
|
var c = name.charCodeAt(i);
|
|
162
|
-
if (c
|
|
163
|
+
if (codepointClass.isForbiddenControlChar(c, { forbidTab: true })) { // C0 + DEL refusal
|
|
163
164
|
throw new GuardMailMoveError("mail-move/control-char-in-name",
|
|
164
165
|
"guardMailMove.validate: " + label + " contains control char 0x" + c.toString(16));
|
|
165
166
|
}
|
|
@@ -28,6 +28,8 @@
|
|
|
28
28
|
|
|
29
29
|
var { defineClass } = require("./framework-error");
|
|
30
30
|
var gateContract = require("./gate-contract");
|
|
31
|
+
var pick = require("./pick");
|
|
32
|
+
var boundedMap = require("./bounded-map");
|
|
31
33
|
|
|
32
34
|
var GuardMailQueryError = defineClass("GuardMailQueryError", { alwaysPermanent: true });
|
|
33
35
|
|
|
@@ -211,10 +213,10 @@ function _walk(node, depth, profile, visited) {
|
|
|
211
213
|
throw new GuardMailQueryError("mail-query/buffer-not-allowed",
|
|
212
214
|
"guardMailQuery.validate: Buffer refused inside filter");
|
|
213
215
|
}
|
|
214
|
-
|
|
216
|
+
boundedMap.requireAbsentMember(visited, node, function () {
|
|
215
217
|
throw new GuardMailQueryError("mail-query/cycle",
|
|
216
218
|
"guardMailQuery.validate: cyclic filter refused");
|
|
217
|
-
}
|
|
219
|
+
});
|
|
218
220
|
visited.add(node);
|
|
219
221
|
|
|
220
222
|
if (Array.isArray(node)) {
|
|
@@ -235,7 +237,7 @@ function _walk(node, depth, profile, visited) {
|
|
|
235
237
|
}
|
|
236
238
|
for (var ki = 0; ki < keys.length; ki += 1) {
|
|
237
239
|
var k = keys[ki];
|
|
238
|
-
if (k
|
|
240
|
+
if (pick.isPoisonedKey(k)) {
|
|
239
241
|
throw new GuardMailQueryError("mail-query/proto-key",
|
|
240
242
|
"guardMailQuery.validate: forbidden key '" + k + "'");
|
|
241
243
|
}
|
|
@@ -34,6 +34,7 @@
|
|
|
34
34
|
|
|
35
35
|
var { defineClass } = require("./framework-error");
|
|
36
36
|
var gateContract = require("./gate-contract");
|
|
37
|
+
var codepointClass = require("./codepoint-class");
|
|
37
38
|
|
|
38
39
|
var GuardMailSieveError = defineClass("GuardMailSieveError", { alwaysPermanent: true });
|
|
39
40
|
|
|
@@ -125,12 +126,10 @@ function validate(op, opts) {
|
|
|
125
126
|
// Control-char refusal in script (NUL is always refused; other
|
|
126
127
|
// C0 except CR/LF/TAB are refused too — Sieve scripts are
|
|
127
128
|
// text-only per RFC 5228 §1.4).
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
"guardMailSieve.validate: control char 0x" + c.toString(16) + " at offset " + j);
|
|
133
|
-
}
|
|
129
|
+
var ctrlAt = codepointClass.firstControlCharOffset(op.script, { allowLf: true, allowCr: true }); // NUL / C0 except TAB/LF/CR / DEL refusal
|
|
130
|
+
if (ctrlAt !== -1) {
|
|
131
|
+
throw new GuardMailSieveError("mail-sieve/control-char-in-script",
|
|
132
|
+
"guardMailSieve.validate: control char 0x" + op.script.charCodeAt(ctrlAt).toString(16) + " at offset " + ctrlAt);
|
|
134
133
|
}
|
|
135
134
|
}
|
|
136
135
|
|
|
@@ -169,7 +168,7 @@ function _checkName(name, profile) {
|
|
|
169
168
|
}
|
|
170
169
|
for (var i = 0; i < name.length; i += 1) {
|
|
171
170
|
var c = name.charCodeAt(i);
|
|
172
|
-
if (c
|
|
171
|
+
if (codepointClass.isForbiddenControlChar(c, { forbidTab: true }) || c === 0x2F || c === 0x5C) { // C0 / DEL / slash / backslash refusal
|
|
173
172
|
throw new GuardMailSieveError("mail-sieve/bad-name-char",
|
|
174
173
|
"guardMailSieve.validate: op.name contains forbidden char 0x" + c.toString(16));
|
|
175
174
|
}
|
|
@@ -102,6 +102,8 @@
|
|
|
102
102
|
|
|
103
103
|
var { defineClass } = require("./framework-error");
|
|
104
104
|
var gateContract = require("./gate-contract");
|
|
105
|
+
var codepointClass = require("./codepoint-class");
|
|
106
|
+
var safeBuffer = require("./safe-buffer");
|
|
105
107
|
|
|
106
108
|
var GuardManageSieveCommandError = defineClass("GuardManageSieveCommandError",
|
|
107
109
|
{ alwaysPermanent: true });
|
|
@@ -214,9 +216,9 @@ function validate(line, opts) {
|
|
|
214
216
|
throw new GuardManageSieveCommandError("guard-managesieve-command/empty-line",
|
|
215
217
|
"guardManageSieveCommand.validate: empty command line");
|
|
216
218
|
}
|
|
217
|
-
if (line
|
|
219
|
+
if (safeBuffer.byteLengthOf(line) > caps.maxLineBytes) {
|
|
218
220
|
throw new GuardManageSieveCommandError("guard-managesieve-command/line-too-long",
|
|
219
|
-
"guardManageSieveCommand.validate: line " + line
|
|
221
|
+
"guardManageSieveCommand.validate: line " + safeBuffer.byteLengthOf(line) +
|
|
220
222
|
" bytes exceeds cap " + caps.maxLineBytes);
|
|
221
223
|
}
|
|
222
224
|
|
|
@@ -232,8 +234,7 @@ function validate(line, opts) {
|
|
|
232
234
|
continue;
|
|
233
235
|
}
|
|
234
236
|
if (inQuote) continue;
|
|
235
|
-
if (
|
|
236
|
-
if (c === 0x0A && caps.allowBareLf) continue;
|
|
237
|
+
if (codepointClass.isForbiddenControlChar(c, { allowLf: caps.allowBareLf })) { // control-byte refusal (bare LF only when caps allow)
|
|
237
238
|
throw new GuardManageSieveCommandError("guard-managesieve-command/bad-byte",
|
|
238
239
|
"guardManageSieveCommand.validate: control byte 0x" +
|
|
239
240
|
c.toString(16) + " at offset " + i); // base-16 toString radix
|