@blamejs/core 0.13.12 → 0.13.14

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.14 (2026-05-27) — **DNSSEC chain validation now bounds KeyTrap (CVE-2023-50387) amplification with hard caps.** b.network.dns.dnssec.verifyChain tried every DNSKEY whose 16-bit key tag matched an RRSIG, with no cap on how many candidates or total signature verifications a single response could drive. A hostile zone publishing many DNSKEYs sharing one key tag (plus matching RRSIGs) could force O(keys x signatures) full public-key verifications from one query — the KeyTrap denial-of-service (CVE-2023-50387). Validation is now bounded by non-configurable caps that match the BIND / Unbound mitigations: at most 4 same-tag candidate keys are tried per RRSIG, at most 64 DNSKEYs per zone link and 16 DS records per delegation are accepted, the chain is at most 128 links deep, and the whole response is held to a signature-validation budget that scales with chain depth (so a legitimate deep delegation is never false-rejected while bounded collisions stay bounded); exceeding any of these refuses the response rather than performing the work. Separately, a domain name that encodes to more than 255 octets is now refused at canonicalization (RFC 1035 §2.3.4), which also bounds the NSEC3 closest-encloser label enumeration, and the NSEC3 iteration ceiling is lowered from 500 to 150 to match the BIND 9.16.33+ / Unbound 1.17.1 fix for the sibling CVE-2023-50868. **Security:** *`verifyChain` caps colliding-key fan-out and total signature validations (KeyTrap / CVE-2023-50387)* — A zone advertising many same-key-tag DNSKEYs and RRSIGs can no longer drive unbounded public-key verifications. New refusals: `dnssec/too-many-colliding-keys` (>4 same-tag candidates per RRSIG), `dnssec/too-many-dnskeys` (>64 DNSKEYs per zone link), `dnssec/too-many-ds` (>16 DS records per delegation), `dnssec/too-many-links` (chain deeper than 128), and `dnssec/validation-budget-exceeded` (signature validations beyond the depth-scaled budget). The caps are intentionally non-configurable — they sit well above any legitimate zone, and the budget scales with chain depth so deep delegations validate normally. · *Domain-name octet cap + lower NSEC3 iteration ceiling* — A name that canonicalizes to more than 255 octets is refused (`dnssec/bad-name`, RFC 1035 §2.3.4), which bounds the per-label NSEC3 closest-encloser enumeration (CVE-2023-50868 class). The default NSEC3 iteration ceiling drops from 500 to 150, matching the BIND 9.16.33+ / Unbound 1.17.1 post-CVE defaults (RFC 9276 recommends 0).
+
+- v0.13.13 (2026-05-27) — **Archive extraction-path verification now refuses Windows reserved names, NTFS data streams, and trailing-dot/space per segment.** b.guardFilename.verifyExtractionPath (the per-entry gate b.archive.read.zip.extract / b.safeArchive run on every extracted file) checked traversal, absolute paths, drive-letter and UNC prefixes, null bytes, PATH_MAX overflow, and realpath containment — but not the per-segment Windows write-target hazards the disk validate / sanitize paths already reject. An archive entry named CON, NUL.txt, subdir/LPT1, file.txt:hidden, or secret.txt. stayed inside the extraction root, so the containment and realpath checks passed it, yet on Windows it would resolve to a device, write a hidden NTFS stream, or (after Windows strips the trailing dot/space) overwrite a sibling file. These are now refused: any path segment that collides with a Windows reserved device name, uses NTFS alternate-data-stream syntax (name:stream), or carries a trailing dot or leading/trailing whitespace. The checks are platform-unconditional — a verifier running on Linux still refuses names that are only dangerous on the Windows host that ultimately extracts the archive — with a per-check opt-out (reservedNamePolicy / adsPolicy / leadingTrailingPolicy: "allow") for Linux-only targets. **Security:** *`verifyExtractionPath` refuses per-segment Windows extraction hazards (reserved names / NTFS ADS / trailing dot-space)* — Closes a within-root write-target-redirection gap: an extracted entry could stay inside the destination yet, on Windows, resolve to a device (`CON` / `NUL` / `COM1` / `LPT1`), write a hidden alternate data stream (`file.txt:payload`), or overwrite a sibling after Windows strips a trailing dot/space (`config.`). The verification gate now rejects all three per path segment. Refusal is platform-unconditional (the verifier may run on a different OS than the extractor); set `reservedNamePolicy` / `adsPolicy` / `leadingTrailingPolicy` to `"allow"` to opt a check out on a Linux-only target. Single-entry, name-only residuals — 8.3 short-name aliasing, case-insensitive cross-entry collisions, and archive symlink/hardlink entry-target validation — remain the extract orchestrator's responsibility (it owns the case-folded seen-set and the link-target gate).
+
 - v0.13.12 (2026-05-27) — **Inbound MX listener now runs the connection-level gate cascade it documented — HELO identity, DNS blocklist, and greylisting.** b.mail.server.mx.create documented helo / rbl / greylist gate options, but the listener never invoked them — an operator who wired them got silent acceptance of mail those gates would have rejected. They are now wired into the live SMTP state machine: the HELO-identity gate evaluates at HELO/EHLO and refuses a spoofed or malformed identity with 550; the DNS-blocklist gate evaluates the connecting IP once per connection and refuses a listed source with 554; the greylisting gate defers a first-seen (ip, sender, recipient) tuple with a 450 tempfail so legitimate senders retry and pass. Each gate is skipped when the operator doesn't wire it. Because these gates do DNS and store lookups, the per-connection command pump was reworked to process commands asynchronously and strictly in arrival order, so pipelined commands (RFC 2920) cannot overtake a gate still resolving and the existing SMTP-smuggling and STARTTLS-stripping defenses are unchanged. The message-authentication gate (SPF/DKIM/DMARC alignment via b.guardEnvelope) needs the inbound SPF + DKIM verification results as inputs; that inbound-auth pipeline lands as a follow-up, and the documentation no longer implies that gate is active today. **Added:** *HELO-identity / RBL / greylist gates wired into `b.mail.server.mx`* — When wired, `opts.helo` (FCrDNS / HELO-shape / self-name checks) refuses a bad HELO identity at HELO/EHLO with 550; `opts.rbl` refuses a connecting IP found on a DNS blocklist with 554 (evaluated once per connection); `opts.greylist` defers a first-seen (ip, sender, recipient) tuple with 450 4.7.1. Their verdicts surface on the `rcpt_to` event (`rblListed`, `greylist`) and the `helo` event (`heloVerdict`), with dedicated `helo_gate_refused` / `rbl_refused` / `greylist_deferred` audit events. A gate the operator doesn't supply is skipped, never synthesized. **Changed:** *MX command pump processes commands asynchronously and in arrival order* — Gate evaluation involves DNS and store lookups, so the per-connection command pump now awaits each command before the next. Pipelined commands are serialized so a gate resolving cannot let a later command answer ahead of an earlier one; reply ordering, the bare-LF SMTP-smuggling refusal, and the STARTTLS-stripping defense are unchanged. No change to the listener's external behaviour when no gates are wired. **Deprecated:** *SPF/DKIM/DMARC-alignment gate documentation corrected to match what is active* — The `envelope` (SPF/DKIM/DMARC alignment) and `dmarc` gate options were documented as wireable but require inbound SPF + DKIM verification results the listener does not yet produce. They are removed from the documented option set until the inbound-authentication pipeline (composing `b.mail.spf` + `b.mail.dmarc` + DKIM verification) lands; run those checks on the delivered message via the agent handoff in the meantime.
 
 - v0.13.11 (2026-05-27) — **Test-suite reliability: replaced fixed-delay waits in the rate-limiter and scheduler suites with condition polling.** No runtime behaviour changes. The rate-limiter, scheduler, and websocket-channel test suites waited for asynchronous work to settle by draining a fixed number of event-loop ticks before asserting. Under heavily parallel CI that budget was occasionally too short, so an assertion read state before the async work (a cluster-backend counter update, a scheduler tick-claim) had landed — an intermittent failure unrelated to the code under test. Those waits now poll the observable condition (helpers.waitUntil) and exit as soon as it holds, with a generous upper bound, so they pass quickly on fast machines and reliably under load. A build gate is added so the fixed-tick-drain shape cannot be reintroduced. **Fixed:** *Flaky fixed-budget waits in the rate-limiter / scheduler / sandbox test suites made contention-tolerant* — The rate-limit-cluster and scheduler-exactly-once suites drained a fixed count of event-loop ticks before asserting on asynchronously-updated state; under contended CI the budget could expire before the work settled, producing intermittent failures. They now wait on the actual observable condition (a written response, a settled counter). The sandbox suite's success-path cases gave the worker a 5 s execution budget that cold worker-thread startup under heavily parallel Windows CI could just exceed; those are raised to the framework's 10 s ceiling. Affects test code only — no change to shipped framework behaviour. The unused tick-drain helper in the websocket-channel suite was removed. **Detectors:** *Build gate rejects the fixed-tick-drain wait shape in tests* — A new test-suite lint rule flags the counted microtask/tick-drain idiom (reassigning a promise to its own `.then()` in a loop to wait a fixed number of ticks), the sibling of the existing fixed-`setTimeout`-sleep rule. A single event-loop yield is unaffected; only the drain-as-wait shape is rejected, directing the wait to condition polling instead.

package/lib/guard-filename.js

@@ -91,6 +91,20 @@ var WIN_RESERVED_NAMES = Object.freeze([
   "CLOCK$", "CONFIG$",
 ]);
 
+// Windows folds the superscript digits U+00B9 / U+00B2 / U+00B3 to
+// 1 / 2 / 3 when matching COM/LPT device names, so a superscript-digit
+// form resolves to the same device. Built from numeric codepoints so
+// the source stays pure-ASCII (guard-family rule).
+var _SUPERSCRIPT_DIGIT_MAP = (function () {
+  var m = {};
+  m[String.fromCharCode(0xB9)] = "1";
+  m[String.fromCharCode(0xB2)] = "2";
+  m[String.fromCharCode(0xB3)] = "3";
+  return m;
+})();
+var _SUPERSCRIPT_DIGIT_RE = new RegExp("[" + String.fromCharCode(0xB9, 0xB2, 0xB3) + "]", "g"); // allow:dynamic-regex — superscript-digit codepoints from a numeric table
+
+
 // Path-traversal indicators (anchored matches on raw and percent-decoded
 // forms).
 var PATH_TRAVERSAL_RE = /(^|[/\\])\.\.($|[/\\])/;
@@ -243,7 +257,16 @@ function _normalizeNFC(s) {
 function _isWinReserved(name) {
   // Reserved-name check applies to the base (without extension) AND to
   // the entire leaf — both `CON` and `CON.txt` collide with the device.
-  var upper = name.toUpperCase();
+  // Windows normalizes the superscript digits U+00B9 / U+00B2 / U+00B3
+  // to 1 / 2 / 3 when matching COM/LPT device names, so those superscript
+  // forms resolve to the same devices as COM1 / LPT3; fold them to ASCII
+  // before comparison so the spoofed forms are caught too. (Source stays
+  // pure-ASCII per the guard-family rule — the codepoints are escaped.)
+  // Fold COM/LPT superscript-digit spoofs to ASCII before matching
+  // (Windows treats them as the device). See _SUPERSCRIPT_DIGIT_* below.
+  var upper = name.toUpperCase().replace(_SUPERSCRIPT_DIGIT_RE, function (ch) {
+    return _SUPERSCRIPT_DIGIT_MAP[ch] || ch;
+  });
   for (var i = 0; i < WIN_RESERVED_NAMES.length; i += 1) {
     var r = WIN_RESERVED_NAMES[i];
     if (upper === r) return true;
@@ -952,6 +975,29 @@ var PATH_MAX_BYTES = 4096;
  * resolved absolute path on success; throws `GuardFilenameError` on
  * any refusal.
  *
+ * Per-segment Windows-extraction hazards are refused too — these are
+ * within-root write-target redirections / collisions that the
+ * containment + realpath checks structurally cannot see, so they need
+ * a name-level check the disk `validate` / `sanitize` paths already
+ * carry: a Windows reserved device name (`CON` / `NUL` / `COM1` / …,
+ * which resolves to the device), NTFS alternate-data-stream syntax
+ * (`name:stream`, which writes a hidden stream of the base file), and a
+ * trailing dot / leading-or-trailing whitespace (`secret.txt.`, which
+ * Windows strips so the entry overwrites an existing sibling). The
+ * checks are platform-unconditional — the verifier may run on Linux
+ * while extraction happens on Windows — and each has an opt-out for
+ * Linux-only targets (`reservedNamePolicy` / `adsPolicy` /
+ * `leadingTrailingPolicy: "allow"`), mirroring `validate`.
+ *
+ * Out of this primitive's scope (single-entry, name-only): 8.3 short-name
+ * aliasing (`PROGRA~1`), case-insensitive cross-entry collision
+ * (`Readme.txt` vs `README.TXT` on a case-preserving FS), and archive
+ * symlink/hardlink ENTRY-target validation. The first two are cross-entry
+ * properties and the third needs the entry's declared link target, which
+ * this function never sees — they belong to the extract orchestrator
+ * (`b.archive.read.zip.extract` / `b.safeArchive`), which owns the
+ * case-folded seen-set and the link-target gate.
+ *
  * Companion to `b.guardArchive.checkExtractionPath` (the string-only
  * portable gate the guard-archive primitive keeps fs-free for use as
  * a posture cascade member). `verifyExtractionPath` deliberately
@@ -964,8 +1010,13 @@ var PATH_MAX_BYTES = 4096;
  * Operators rolling their own extract loop call it per entry.
  *
  * @opts
- *   followSymlinks:  boolean,       // default false — symlink in the
+ *   followSymlinks:       boolean,  // default false — symlink in the
  *                                   //   resolved path refuses unless set
+ *   reservedNamePolicy:   string,   // "allow" opts out of the Windows
+ *                                   //   reserved-device-name segment check
+ *   adsPolicy:            string,   // "allow" opts out of the NTFS-ADS check
+ *   leadingTrailingPolicy: string,  // "allow" opts out of the trailing-dot /
+ *                                   //   leading-or-trailing-whitespace check
  *
  * @example
  *   var resolved = b.guardFilename.verifyExtractionPath(
@@ -1023,19 +1074,53 @@ function verifyExtractionPath(entryName, extractionRoot, opts) {
     throw new GuardFilenameError("filename.extraction-unc",
       "verifyExtractionPath: entryName starts with a UNC prefix");
   }
-  // `..` segment refuses — walk path components.
+  // `..` segment refuses — walk path components. The same walk also
+  // refuses per-segment Windows-extraction hazards the disk `validate`
+  // / `sanitize` paths already catch but that string-containment +
+  // realpath agreement cannot see, because they're WITHIN-root
+  // collisions / write-target redirections rather than boundary
+  // escapes. These checks are platform-UNCONDITIONAL: the verifier may
+  // run on Linux while the archive is extracted on Windows, so a name
+  // that's only dangerous on Windows must still be refused here.
+  // Operators on a Linux-only target opt out per check, mirroring
+  // `validate`'s policy vocabulary.
   var segs = normalized.split("/");
   for (var si = 0; si < segs.length; si += 1) {
-    if (segs[si] === ".." || segs[si] === "..\\" || segs[si] === "..%2f" || segs[si] === "..%5c") {
+    var seg = segs[si];
+    if (seg === ".." || seg === "..\\" || seg === "..%2f" || seg === "..%5c") {
       throw new GuardFilenameError("filename.extraction-traversal",
         "verifyExtractionPath: entryName contains .. segment");
     }
     // URL-encoded variants — explicit refusal so operators don't
     // need to percent-decode before passing the entry name in.
-    if (/%2e%2e/i.test(segs[si]) || /%c0%ae/i.test(segs[si])) {
+    if (/%2e%2e/i.test(seg) || /%c0%ae/i.test(seg)) {
       throw new GuardFilenameError("filename.extraction-traversal-encoded",
         "verifyExtractionPath: entryName contains encoded .. segment");
     }
+    if (seg === "" || seg === ".") continue;   // separators / current-dir — nothing to name-check
+    // Windows reserved device name (CON / NUL / COM1 / LPT1 / …): on
+    // Windows the segment resolves to the device, redirecting the write.
+    if (opts.reservedNamePolicy !== "allow" && _isWinReserved(seg)) {
+      throw new GuardFilenameError("filename.extraction-reserved-name",
+        "verifyExtractionPath: entryName segment " + JSON.stringify(seg) +
+        " collides with a Windows reserved device name");
+    }
+    // NTFS alternate data stream (name:stream): on Windows the write
+    // lands on a hidden stream of the base file, not a normal file.
+    if (opts.adsPolicy !== "allow" && /:[^:\\/]+$/.test(seg)) {
+      throw new GuardFilenameError("filename.extraction-ntfs-ads",
+        "verifyExtractionPath: entryName segment " + JSON.stringify(seg) +
+        " uses NTFS alternate-data-stream syntax (name:stream)");
+    }
+    // Trailing dot / leading-or-trailing whitespace: Windows silently
+    // strips these, so `secret.txt.` or `secret.txt ` collides with an
+    // existing sibling — an in-root overwrite the containment check
+    // cannot see.
+    if (opts.leadingTrailingPolicy !== "allow" && /^\s|\s$|\.$/.test(seg)) {
+      throw new GuardFilenameError("filename.extraction-leading-trailing",
+        "verifyExtractionPath: entryName segment " + JSON.stringify(seg) +
+        " has leading/trailing whitespace or a trailing dot (Windows strips it)");
+    }
   }
   // Resolve the destination path against the root via path.resolve
   // (string-level computation; no fs hits).

package/lib/network-dnssec.js

@@ -101,7 +101,16 @@ function _canonicalName(name) {
     parts.push(Buffer.from([lab.length]), lab);
   }
   parts.push(Buffer.from([0]));
-  return Buffer.concat(parts);
+  var wire = Buffer.concat(parts);
+  // RFC 1035 §2.3.4 — a domain name is at most 255 octets on the wire.
+  // Enforcing it here also bounds the per-label count (and thus the NSEC3
+  // closest-encloser candidate enumeration, CVE-2023-50868 class), since
+  // each label costs at least 2 octets.
+  if (wire.length > 255) {                                                               // allow:raw-byte-literal — RFC 1035 total-name octet cap
+    throw new DnssecError("dnssec/bad-name",
+      "dnssec: name '" + name + "' encodes to " + wire.length + " octets, exceeds RFC 1035 cap of 255");
+  }
+  return wire;
 }
 
 function _u16(n) { return Buffer.from([(n >> 8) & 0xff, n & 0xff]); }                    // allow:raw-byte-literal — 16-bit big-endian split
@@ -340,7 +349,28 @@ var BASE32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV";          // allow:raw-byte-l
 var TYPE_DS = 43;                                            // allow:raw-byte-literal — IANA RR type DS
 var TYPE_CNAME = 5;
 var NSEC3_HASH_SHA1 = 1;                                     // RFC 5155 §5 — the only registered NSEC3 hash
-var DEFAULT_MAX_NSEC3_ITERATIONS = 500;                      // allow:raw-time-literal — DoS ceiling on iterated SHA-1 (RFC 9276 wants 0; deployed zones still use >0)
+var DEFAULT_MAX_NSEC3_ITERATIONS = 150;                      // allow:raw-time-literal — DoS ceiling on iterated SHA-1; matches BIND 9.16.33+/Unbound 1.17.1 post-CVE-2023-50868 (RFC 9276 wants 0; deployed zones still use >0)
+
+// KeyTrap (CVE-2023-50387) amplification caps. A hostile zone can publish
+// many DNSKEYs sharing one 16-bit key tag and many RRSIGs, forcing a
+// validator into O(keys x sigs) full signature verifications from a single
+// query. Bound both factors: the colliding-candidate fan-out per RRSIG, and
+// the total signature-validation work. Matches the BIND
+// `max-key-tag-collisions` + Unbound validation-budget mitigations.
+//
+// The per-response budget SCALES with declared chain depth so a legitimate
+// deep delegation isn't false-rejected: a valid N-link chain does ~2N-1
+// signature verifies (1 root DNSKEY + parent-DS + child-DNSKEY per child),
+// so the budget is links.length * MAX_VALIDATIONS_PER_LINK (= 2 RRSIGs/link
+// x MAX_COLLIDING_KEYS candidates), which always covers the legitimate work
+// while still bounding the bounded-collision amplification. Chain length
+// itself is capped (a delegation can't be deeper than a DNS name's label
+// count, RFC 1035), so the scaled budget can't be inflated arbitrarily.
+var MAX_COLLIDING_KEYS       = 4;                            // allow:raw-byte-literal — same-tag DNSKEY candidates tried per RRSIG
+var MAX_VALIDATIONS_PER_LINK = 8;                            // allow:raw-byte-literal — 2 RRSIGs/link x MAX_COLLIDING_KEYS; budget = links.length x this
+var MAX_CHAIN_LINKS          = 128;                          // allow:raw-byte-literal — max delegation depth (>= RFC 1035 max label count)
+var MAX_DNSKEYS_PER_ZONE     = 64;                           // allow:raw-byte-literal — DNSKEY RRset size cap per zone link
+var MAX_DS_RECORDS           = 16;                           // allow:raw-byte-literal — DS RRset size cap (parent-supplied)
 
 // RFC 4648 §7 base32hex decode (no padding, case-insensitive) — the
 // label encoding of an NSEC3 owner-name hash.
@@ -757,12 +787,31 @@ function _keysByTag(dnskeys, tag) {
 // returning the key that validated. A wrong colliding key yields
 // `dnssec/bad-signature` — that is not terminal, the next candidate is
 // tried; any other error (expired, alg) is terminal. RFC 4035 §5.3.1.
-function _verifyRrsetWithAnyKey(rrsetBase, rrsig, candidates, noKeyCode, noKeyMsg) {
+function _verifyRrsetWithAnyKey(rrsetBase, rrsig, candidates, noKeyCode, noKeyMsg, budget) {
   if (candidates.length === 0) throw new DnssecError(noKeyCode, noKeyMsg);
+  // KeyTrap (CVE-2023-50387): refuse an absurd same-tag fan-out outright —
+  // legitimate zones have 1-2 keys per tag; hundreds is an amplification
+  // attack, not a real collision.
+  if (candidates.length > MAX_COLLIDING_KEYS) {
+    throw new DnssecError("dnssec/too-many-colliding-keys",
+      "dnssec.verifyChain: " + candidates.length + " DNSKEYs share key tag " +
+      rrsig.keyTag + " (cap " + MAX_COLLIDING_KEYS +
+      ") — refused as a KeyTrap (CVE-2023-50387) amplification vector");
+  }
   var lastErr = null;
   for (var i = 0; i < candidates.length; i++) {
     var kp = _dnskeyParts(candidates[i]);
     if (kp.algorithm !== rrsig.algorithm) { lastErr = new DnssecError("dnssec/alg-mismatch", "dnssec.verifyChain: candidate key algorithm does not match the RRSIG"); continue; }
+    // Per-response signature-validation budget — bound the total expensive
+    // pubkey verifies across the whole chain walk, not just per RRSIG.
+    if (budget) {
+      if (budget.remaining <= 0) {
+        throw new DnssecError("dnssec/validation-budget-exceeded",
+          "dnssec.verifyChain: per-response signature-validation budget " +
+          "exhausted — refused as a KeyTrap (CVE-2023-50387) amplification vector");
+      }
+      budget.remaining -= 1;
+    }
     try {
       verifyRrset(Object.assign({}, rrsetBase, { rrsig: rrsig, dnskey: { algorithm: kp.algorithm, publicKey: kp.publicKey } }));
       return candidates[i];
@@ -795,6 +844,20 @@ function _verifyRrsetWithAnyKey(rrsetBase, rrsig, candidates, noKeyCode, noKeyMs
  * passes to <code>verifyRrset</code> / <code>verifyDenial</code> for the
  * actual answer.
  *
+ * KeyTrap (CVE-2023-50387) amplification is bounded with non-configurable
+ * caps: at most 4 same-tag DNSKEY candidates are tried per RRSIG, at most
+ * 64 DNSKEYs per zone link and 16 DS records per delegation are accepted,
+ * the chain is at most 128 links deep, and the whole response is held to a
+ * signature-validation budget that scales with chain depth (so a
+ * legitimate deep delegation always fits while bounded collisions stay
+ * bounded). A hostile zone publishing many colliding keys / signatures is
+ * refused with <code>dnssec/too-many-colliding-keys</code> /
+ * <code>dnssec/too-many-dnskeys</code> / <code>dnssec/too-many-ds</code> /
+ * <code>dnssec/too-many-links</code> /
+ * <code>dnssec/validation-budget-exceeded</code> rather than driving
+ * O(keys x sigs) verifications. (NSEC3 iteration counts are separately
+ * capped at 150 per RFC 9276 / the CVE-2023-50868 fix.)
+ *
  * @opts
  *   {
  *     links: [ {                        // ordered root-first
@@ -816,14 +879,35 @@ function verifyChain(opts) {
   validateOpts.requireObject(opts, "dnssec.verifyChain", DnssecError);
   validateOpts(opts, ["links", "trustAnchors", "at"], "dnssec.verifyChain");
   if (!Array.isArray(opts.links) || opts.links.length === 0) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyChain: opts.links must be a non-empty array");
+  // Cap delegation depth — a real chain can't be deeper than a DNS name's
+  // label count (RFC 1035), and the per-response validation budget below
+  // scales with this, so it must be bounded.
+  if (opts.links.length > MAX_CHAIN_LINKS) {
+    throw new DnssecError("dnssec/too-many-links",
+      "dnssec.verifyChain: " + opts.links.length + " chain links (cap " +
+      MAX_CHAIN_LINKS + ") — refused as an amplification vector");
+  }
   var anchors = opts.trustAnchors !== undefined ? opts.trustAnchors : DEFAULT_ROOT_ANCHORS;
   if (!Array.isArray(anchors) || anchors.length === 0) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyChain: opts.trustAnchors must be a non-empty array");
 
+  // KeyTrap budget shared across every signature-validation in this
+  // response, scaled to the declared chain depth so a legitimate deep
+  // delegation (2N-1 verifies) always fits while bounded collisions stay
+  // bounded. Chain length is capped above, so this can't be inflated.
+  var budget = { remaining: opts.links.length * MAX_VALIDATIONS_PER_LINK };
+
   var trustedKeys = null, path = [];
   for (var i = 0; i < opts.links.length; i++) {
     var link = opts.links[i];
     if (!link || typeof link.zone !== "string" || link.zone === "") throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].zone is required");
     if (!Array.isArray(link.dnskeys) || link.dnskeys.length === 0) throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].dnskeys must be a non-empty array");
+    // KeyTrap: bound the DNSKEY RRset size per zone so a giant key set
+    // can't blow up the key-tag scan / candidate fan-out.
+    if (link.dnskeys.length > MAX_DNSKEYS_PER_ZONE) {
+      throw new DnssecError("dnssec/too-many-dnskeys",
+        "dnssec.verifyChain: links[" + i + "] has " + link.dnskeys.length +
+        " DNSKEYs (cap " + MAX_DNSKEYS_PER_ZONE + ") — refused as a KeyTrap (CVE-2023-50387) amplification vector");
+    }
     if (!link.dnskeyRrsig || typeof link.dnskeyRrsig !== "object") throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].dnskeyRrsig is required");
 
     // 1. The DNSKEY RRset is self-signed by one of its own keys (trying
@@ -832,7 +916,8 @@ function verifyChain(opts) {
       { name: link.zone, type: "DNSKEY", rdatas: link.dnskeys, at: opts.at },
       link.dnskeyRrsig,
       _keysByTag(link.dnskeys, link.dnskeyRrsig.keyTag),
-      "dnssec/chain-no-signing-key", "dnssec.verifyChain: no DNSKEY in '" + link.zone + "' verifies the DNSKEY RRSIG"
+      "dnssec/chain-no-signing-key", "dnssec.verifyChain: no DNSKEY in '" + link.zone + "' verifies the DNSKEY RRSIG",
+      budget
     );
 
     // 2. Establish trust in the signing key.
@@ -851,11 +936,19 @@ function verifyChain(opts) {
       if (!Array.isArray(link.dsRdatas) || link.dsRdatas.length === 0 || !link.dsRrsig || typeof link.dsRrsig !== "object") {
         throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "] needs dsRdatas + dsRrsig (DS served by the parent)");
       }
+      // Bound the parent-supplied DS RRset — the DS-match loop below
+      // iterates it, and an oversize set is an amplification vector.
+      if (link.dsRdatas.length > MAX_DS_RECORDS) {
+        throw new DnssecError("dnssec/too-many-ds",
+          "dnssec.verifyChain: links[" + i + "] has " + link.dsRdatas.length +
+          " DS records (cap " + MAX_DS_RECORDS + ") — refused as an amplification vector");
+      }
       _verifyRrsetWithAnyKey(
         { name: link.zone, type: "DS", rdatas: link.dsRdatas, at: opts.at },
         link.dsRrsig,
         _keysByTag(trustedKeys, link.dsRrsig.keyTag),
-        "dnssec/chain-no-parent-key", "dnssec.verifyChain: no trusted parent key verifies the DS RRSIG for '" + link.zone + "'"
+        "dnssec/chain-no-parent-key", "dnssec.verifyChain: no trusted parent key verifies the DS RRSIG for '" + link.zone + "'",
+        budget
       );
       var dsMatched = false;
       for (var d = 0; d < link.dsRdatas.length; d++) {

package/lib/parsers/safe-toml.js

@@ -681,6 +681,14 @@ function parse(input, opts) {
               "toml/redefine");
           }
           t = sub[sub.length - 1];
+          // The array's last element must itself be a table to descend
+          // into. A plain VALUE array (e.g. `a = [3]` then `[a.s]`) has a
+          // scalar last element — descending would set a property on a
+          // number and throw a raw TypeError; refuse it cleanly instead.
+          if (t === null || typeof t !== "object" || Array.isArray(t)) {
+            throw _err("cannot descend into '" + seg +
+              "' — it is a value array, not an array of tables", "toml/redefine");
+          }
           continue;
         }
         if (typeof sub !== "object" || sub === null) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.12",
+  "version": "0.13.14",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:cfe1e116-abd7-4631-96e5-8a2a865e2a16",
+  "serialNumber": "urn:uuid:7b7971af-a00b-4343-af83-3f8ef1a433dc",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-27T11:02:44.192Z",
+    "timestamp": "2026-05-27T13:56:08.465Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.12",
+      "bom-ref": "@blamejs/core@0.13.14",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.12",
+      "version": "0.13.14",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.12",
+      "purl": "pkg:npm/%40blamejs/core@0.13.14",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.12",
+      "ref": "@blamejs/core@0.13.14",
       "dependsOn": []
     }
   ]