@blamejs/core 0.10.2 → 0.10.3

package/CHANGELOG.md

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.10.x
 
+- v0.10.3 (2026-05-16) — **`b.crypto` hardening — three entry-tier refusals on hot paths.** **(a) `b.crypto.timingSafeEqual` rejects non-Buffer / non-string inputs** — previous `Buffer.from(String(x))` coercion let a prototype-pollution-influenced caller (an Object whose `toString` returns attacker-chosen bytes) redirect the compare through bytes unrelated to the supplied value. Now throws `TypeError` at the entry boundary; string args use explicit `Buffer.from(s, "utf8")` instead of bare coercion. **(b) `b.crypto.hashCertFingerprint` caps PEM input at 64 KiB** — the `/-----BEGIN .+? -----END/` lazy-quantifier on this hot path (mTLS bootstrap / webhook verification / peer-cert pinning) is polynomial-ReDoS-class on multi-MB attacker-controlled input ([CodeQL js/polynomial-redos](https://codeql.github.com/codeql-query-help/javascript/js-polynomial-redos/)). 64 KiB covers a P-384 cert + full chain at ~3× margin; larger inputs throw `TypeError` before the regex runs. **(c) `b.crypto.namespaceHash` refuses CR / LF in string-typed `value`** — closes a log-injection / record-separator surface where an attacker-controlled HTTP header (e.g. `Idempotency-Key`) could smuggle line-break bytes into any consumer that logs the value verbatim before hashing (debug paths, audit envelopes, derived-column shadow logs). NUL is NOT refused — multiple internal callers (`b.agent.idempotency` / `b.mail.greylist` / `b.middleware.composePipeline`) use NUL as a composite-key separator, and NUL is not a log-injection byte in any standard logger. `Buffer` / `Uint8Array` inputs remain operator-side opaque bytes by contract — `namespaceHash` digests them as raw bytes, not as text, so the control-char gate does not apply there either. **Operator impact:** any caller passing a number / Object / boolean to `b.crypto.timingSafeEqual` now throws at the entry boundary instead of silently comparing coerced bytes — the API contract was already documented as Buffer-or-string, this enforces it. PEM strings larger than 64 KiB to `b.crypto.hashCertFingerprint` now throw — operators with bespoke multi-cert bundles split the inputs before calling. `namespaceHash` callers passing strings with embedded CR / LF now throw — operators ingesting attacker-influenced text validate / strip line-break bytes at the boundary, or hash opaque bytes via `Buffer` / `Uint8Array`. References: [OWASP Log Injection](https://owasp.org/www-community/attacks/Log_Injection), [CWE-117](https://cwe.mitre.org/data/definitions/117.html), [CWE-1333 ReDoS](https://cwe.mitre.org/data/definitions/1333.html).
 - v0.10.2 (2026-05-16) — **CVE backstops layered on top of v0.10.0.** Five additional refusals across `b.guardRegex`, `b.otelExport`, `b.guardXml`, `b.guardGraphql`, plus a host-side ingress route for `b.cli`. Every change is opt-out (refusal at every profile); no API removals. **(a) `b.guardRegex` glob-shape detectors with explicit `inputKind` gate** — new `consecutiveStarPolicy` + `nestedExtglobPolicy` (defaults `"reject"`) + `maxConsecutiveStars` (default 2) + `inputKind: "regex" | "glob"` (default `"regex"`). The glob-shape detectors fire ONLY when the caller passes `inputKind: "glob"` — ECMAScript regex syntax cannot produce `***` (SyntaxError) and the extglob heads `*(`/`+(`/`?(`/`@(`/`!(`  collide with valid `quantifier + capturing group` shapes, so applying these detectors to regex inputs is false-positive territory. Callers handling glob fragments (picomatch / micromatch-style patterns) opt in via `inputKind: "glob"` and get refusals for ≥3 consecutive `*` metacharacters ([CVE-2026-26996](https://nvd.nist.gov/vuln/detail/CVE-2026-26996) — O(4^N) backtracking on non-matching literal) and for any extglob whose body contains another extglob ([CVE-2026-33671](https://nvd.nist.gov/vuln/detail/CVE-2026-33671) — picomatch nested-quantifier backtracking). `**` recursive-glob stays permitted under `maxConsecutiveStars: 2`. **(b) `b.cli --ignore` ReDoS ingress closure** — `cli --ignore <pattern>` arguments route through `b.guardRegex.sanitize({ profile: "strict" })` before reaching `new RegExp(pattern)`. Strict-profile refusal of nested-quantifier / lookaround-quantifier / unbounded-bounded-repeat shapes still applies in default `inputKind: "regex"` mode, closing the host-side surface for the classic ReDoS classes. **(c) `b.otelExport.flush()` response cap** — every outbound OTLP request now pins `maxResponseBytes: 1 MiB` + a typed `errorClass`, so a malicious / misconfigured collector cannot exhaust memory in the export loop ([CVE-2026-40891](https://nvd.nist.gov/vuln/detail/CVE-2026-40891) / [CVE-2026-40182](https://nvd.nist.gov/vuln/detail/CVE-2026-40182) class). **(d) `b.guardXml` numeric-character-reference fan-out cap** — new `maxNumericCharRefs` opt (strict 1024 / balanced 16384 / permissive 262144). NCRs are counted independently of `entityPolicy`, so a signed-XML path that legitimately permits entity expansion cannot accidentally disable the NCR cap ([CVE-2026-26278](https://nvd.nist.gov/vuln/detail/CVE-2026-26278) / [CVE-2026-33036](https://nvd.nist.gov/vuln/detail/CVE-2026-33036) — billion-NCR fan-out class). **(e) `b.guardGraphql` prototype-pollution refusal** — refuses `__proto__` / `constructor` / `prototype` as top-level variable keys (`Object.prototype.hasOwnProperty.call(variables, ...)` check, sidesteps a poisoned-prototype `in` lookup) AND as field / alias / `$variable` identifiers in the query body, including the no-whitespace alias form `query { a:__proto__ }` (the colon is a valid identifier-position prefix). Refused at every profile, severity `critical` ([CVE-2026-32621](https://nvd.nist.gov/vuln/detail/CVE-2026-32621) class). **(f) `b.auth.sdJwtVc.present()` defense-in-depth comment** — documents that the holder-side pre-parse of `_sd_alg` reads from unsigned bytes safely because `verify()` re-parses from the cryptographically-verified signing input; no behavioral change. **Regression coverage** — `test/fixtures/exploit-corpus/corpus.json` gains four entries: glob-mode positive refusal for `***+nonmatch` and `*(*(a))`, regex-mode pass for `a*(b+(c))` (false-positive class the design refused to ship), and the colon-prefix GraphQL alias `query { a:__proto__ }`. **Operator impact:** existing operators see no change in default behavior — the new glob detectors are opt-in via `inputKind: "glob"`. Operators wiring `b.guardRegex` over glob fragments (file-pattern allowlists, rsync-style rules) opt in and get the CVE-2026-26996 / -33671 refusals; opt back out per call via `consecutiveStarPolicy: "allow"` / `nestedExtglobPolicy: "allow"`. `b.guardXml` operators on signed-XML pipelines opt out via `maxNumericCharRefs: Infinity` if they bound NCRs upstream. GraphQL variable / query-body refusals are not opt-out — `__proto__` / `constructor` / `prototype` are never legitimate identifiers in operator-supplied input. References: [picomatch CVE-2024-4067 family](https://nvd.nist.gov/vuln/detail/CVE-2024-4067), [OWASP ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS), [OWASP XXE / Billion Laughs](https://owasp.org/www-community/vulnerabilities/XML_Entity_Expansion), [GraphQL Server Security Best Practices](https://www.apollographql.com/docs/router/configuration/overview/).
 - v0.10.1 (2026-05-16) — **First npm-published v0.10.x artifact.** v0.10.0 was tagged + released on GitHub but its npm-publish workflow OOM'd at the lint+smoke gate (default Node ~4GB heap couldn't load the expanded mail-stack + audit-fix test surface). v0.10.1 adds `NODE_OPTIONS=--max-old-space-size=8192` to the workflow's smoke step so the parent process gets the same headroom the forked test workers already get. No runtime / API changes from v0.10.0 — every primitive, posture, and security default ships exactly as documented in the v0.10.0 release notes below. Operators who fetched the v0.10.0 git tag can re-tag from v0.10.1 (`git fetch origin v0.10.1`) to land on the npm-published commit; the framework code itself is byte-identical apart from the workflow file + version bump.
 - v0.10.0 (2026-05-16) — **Mail-stack feature-complete + cross-surface hardening.** Bundled minor closing the blamepost mail-stack roadmap (five new operator-facing namespaces) plus a multi-domain hardening sweep across auth / crypto / vendor data / mail-protocol / mail-auth / agent substrate / Node.js CVE backstops.

package/lib/crypto.js

@@ -55,6 +55,11 @@ var C = require("./constants");
 // require() inside setImmediate (top-of-file requires per rule §3).
 var lazyRequire = require("./lazy-require");
 var audit       = lazyRequire(function () { return require("./audit"); });
+// safe-buffer hosts the canonical hasCrlf(s) helper used by every
+// log-injection / CRLF-smuggling refusal in the framework. Lazy-
+// loaded because safe-buffer.js itself imports b.crypto for
+// hex-compare helpers (circular).
+var safeBuffer  = lazyRequire(function () { return require("./safe-buffer"); });
 
 // Streaming-hash algorithm allowlist. Mirrors the framework's PQC-
 // first crypto policy: SHA3 / SHAKE family is the default surface;
@@ -399,12 +404,15 @@ function generateKeyPair(algorithm, options) {
  * @since     0.1.0
  * @related   b.crypto.hmacSha3
  *
- * Constant-time equality comparison. Coerces non-Buffer inputs via
- * `Buffer.from(String(...))`, returns `false` immediately when lengths
- * differ (length itself is not a secret), then routes equal-length
- * inputs through `crypto.timingSafeEqual`. Use when comparing HMAC
- * digests, session tokens, password-reset codes, or any
- * attacker-influenced value where a timing oracle would leak bits.
+ * Constant-time equality comparison. Accepts only Buffer or string
+ * inputs — non-string non-Buffer arguments throw at the entry tier so
+ * a `Object.prototype.toString`-poisoned caller can't redirect the
+ * compare through arbitrary attacker-controlled bytes. Returns
+ * `false` immediately when lengths differ (length itself is not a
+ * secret), then routes equal-length inputs through
+ * `crypto.timingSafeEqual`. Use when comparing HMAC digests, session
+ * tokens, password-reset codes, or any attacker-influenced value
+ * where a timing oracle would leak bits.
  *
  * @example
  *   var expected = b.crypto.hmacSha3("server-key", "payload");
@@ -413,8 +421,25 @@ function generateKeyPair(algorithm, options) {
  *   // → true when bytes match, false otherwise (no early exit on mismatch)
  */
 function timingSafeEqual(a, b) {
-  var bufA = Buffer.isBuffer(a) ? a : Buffer.from(String(a));
-  var bufB = Buffer.isBuffer(b) ? b : Buffer.from(String(b));
+  // Entry-tier validation. The prior `Buffer.from(String(x))` coercion
+  // let a prototype-pollution-influenced caller (Object whose toString
+  // returns attacker-chosen bytes) redirect the compare through bytes
+  // that have nothing to do with the supplied value. Refuse any
+  // non-string non-Buffer input outright.
+  if (!Buffer.isBuffer(a) && typeof a !== "string") {
+    throw new TypeError(
+      "crypto.timingSafeEqual: argument 'a' must be a Buffer or string, got " +
+      (a === null ? "null" : typeof a)
+    );
+  }
+  if (!Buffer.isBuffer(b) && typeof b !== "string") {
+    throw new TypeError(
+      "crypto.timingSafeEqual: argument 'b' must be a Buffer or string, got " +
+      (b === null ? "null" : typeof b)
+    );
+  }
+  var bufA = Buffer.isBuffer(a) ? a : Buffer.from(a, "utf8");
+  var bufB = Buffer.isBuffer(b) ? b : Buffer.from(b, "utf8");
   if (bufA.length !== bufB.length) return false;
   return nodeCrypto.timingSafeEqual(bufA, bufB);
 }
@@ -581,8 +606,10 @@ function namespaceHash(prefix, value, opts) {
   // caller surfaces the type error explicitly rather than silently
   // hashing `[object Object]`.
   var valueStr;
+  var valueWasString = false;
   if (typeof value === "string") {
     valueStr = value;
+    valueWasString = true;
   } else if (Buffer.isBuffer(value)) {
     valueStr = value.toString("utf8");
   } else if (value instanceof Uint8Array) {
@@ -592,6 +619,25 @@ function namespaceHash(prefix, value, opts) {
       "crypto.namespaceHash: value must be a string, Buffer, or Uint8Array"
     );
   }
+  // Refuse CR / LF in string-typed values. The prior gap let an
+  // attacker-controlled string `value` (e.g. an HTTP header that
+  // becomes an Idempotency-Key) smuggle log-injection / record-
+  // separator bytes into any consumer that logs the value verbatim
+  // before hashing (debug paths, audit envelopes, derived-column
+  // shadow logs). NUL is NOT refused — multiple internal callers
+  // use NUL as a composite-key separator (`method\0actorId\0key`
+  // shape in agent-idempotency / mail-greylist / compose-pipeline),
+  // and NUL is not a log-injection byte in any standard logger. NUL
+  // in operator-supplied content is the operator-boundary
+  // responsibility. Buffer / Uint8Array inputs remain operator-side
+  // opaque bytes by contract — namespaceHash treats them as raw
+  // bytes to be digested without rendering, so the control-char
+  // gate does not apply there either.
+  if (valueWasString && safeBuffer().hasCrlf(valueStr)) {
+    throw new TypeError(
+      "crypto.namespaceHash: value (string-typed) contains CR / LF — refuse"
+    );
+  }
   return hash(prefix + ":" + valueStr, "sha3-512").toString("hex");
 }
 
@@ -1664,6 +1710,20 @@ function _pemToDer(pemOrDer) {
   if (typeof pemOrDer !== "string") {
     throw new TypeError("crypto.hashCertFingerprint: input must be a Buffer (DER) or a PEM-encoded string");
   }
+  // Bound the regex input. The /-----BEGIN .+? -----END/ pattern is
+  // lazy-quantified, which CodeQL flags as polynomial-ReDoS
+  // (js/polynomial-redos) when fed multi-MB attacker-controlled input
+  // — every backtrack step is O(n) and the pattern is on a hot path
+  // for mTLS bootstrap / webhook verification / peer-cert pinning.
+  // 64 KiB caps the largest plausible PEM (a P-384 cert + chain) at
+  // ~3× margin while refusing pathological inputs outright.
+  if (pemOrDer.length > C.BYTES.kib(64)) {
+    throw new TypeError(
+      "crypto.hashCertFingerprint: PEM input exceeds 64 KiB (" +
+      pemOrDer.length + " bytes); refuse oversized input to avoid " +
+      "polynomial-ReDoS on the BEGIN/END marker regex"
+    );
+  }
   var match = pemOrDer.match(/-----BEGIN [A-Z0-9 ]+-----([\s\S]+?)-----END [A-Z0-9 ]+-----/);
   if (!match) {
     throw new TypeError("crypto.hashCertFingerprint: PEM input lacks BEGIN/END markers");

package/lib/middleware/compose-pipeline.js

@@ -244,7 +244,7 @@ function composePipeline(entries, opts) {
   }
 
   var pipelineId = bCrypto.namespaceHash("system.middleware.compose.pipeline",
-    resolved.map(function (r) { return r.name; }).join("\n"));
+    resolved.map(function (r) { return r.name; }).join("\0"));
 
   _emitAudit("system.middleware.compose.pipeline_built", {
     pipelineId:   pipelineId,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.10.2",
+  "version": "0.10.3",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:c1165275-044f-4a5a-b7dc-061727bfd076",
+  "serialNumber": "urn:uuid:65836635-3daf-43b2-804d-050f9f4a4082",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-16T23:28:39.659Z",
+    "timestamp": "2026-05-17T05:24:59.072Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.10.2",
+      "bom-ref": "@blamejs/core@0.10.3",
       "type": "library",
       "name": "blamejs",
-      "version": "0.10.2",
+      "version": "0.10.3",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.10.2",
+      "purl": "pkg:npm/%40blamejs/core@0.10.3",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.10.2",
+      "ref": "@blamejs/core@0.10.3",
       "dependsOn": []
     }
   ]