@blamejs/core 0.14.1 → 0.14.3
- package/CHANGELOG.md +4 -0
- package/lib/_test/crypto-fixtures.js +3 -3
- package/lib/a2a-tasks.js +18 -18
- package/lib/a2a.js +4 -4
- package/lib/acme.js +3 -3
- package/lib/agent-idempotency.js +1 -1
- package/lib/agent-orchestrator.js +8 -8
- package/lib/agent-posture-chain.js +2 -2
- package/lib/agent-saga.js +1 -1
- package/lib/agent-snapshot.js +1 -1
- package/lib/agent-stream.js +1 -1
- package/lib/agent-tenant.js +1 -1
- package/lib/agent-trace.js +3 -3
- package/lib/ai-capability.js +1 -1
- package/lib/ai-dp.js +4 -4
- package/lib/ai-input.js +3 -3
- package/lib/ai-model-manifest.js +7 -7
- package/lib/ai-pref.js +3 -3
- package/lib/archive-gz.js +2 -2
- package/lib/archive-read.js +25 -25
- package/lib/archive-tar-read.js +2 -2
- package/lib/archive-tar.js +20 -20
- package/lib/archive-wrap.js +10 -10
- package/lib/argon2-builtin.js +1 -1
- package/lib/asn1-der.js +34 -34
- package/lib/atomic-file.js +2 -2
- package/lib/audit-daily-review.js +3 -3
- package/lib/audit-sign.js +5 -5
- package/lib/audit-tools.js +1 -1
- package/lib/audit.js +2 -2
- package/lib/auth/acr-vocabulary.js +2 -2
- package/lib/auth/bot-challenge.js +3 -3
- package/lib/auth/ciba.js +7 -7
- package/lib/auth/dpop.js +3 -3
- package/lib/auth/fido-mds3.js +8 -8
- package/lib/auth/jwt-external.js +5 -5
- package/lib/auth/oauth.js +2 -2
- package/lib/auth/oid4vci.js +9 -9
- package/lib/auth/oid4vp.js +2 -2
- package/lib/auth/openid-federation.js +2 -2
- package/lib/auth/passkey.js +3 -3
- package/lib/auth/saml.js +23 -23
- package/lib/auth/sd-jwt-vc-disclosure.js +1 -1
- package/lib/auth/sd-jwt-vc.js +4 -4
- package/lib/auth/status-list.js +10 -10
- package/lib/auth/step-up.js +1 -1
- package/lib/auth-bot-challenge.js +1 -1
- package/lib/backup/index.js +7 -7
- package/lib/base32.js +8 -8
- package/lib/budr.js +2 -2
- package/lib/cache-status.js +2 -2
- package/lib/calendar.js +23 -23
- package/lib/cbor.js +12 -12
- package/lib/cdn-cache-control.js +1 -1
- package/lib/cert.js +5 -5
- package/lib/cloud-events.js +5 -5
- package/lib/cms-codec.js +21 -21
- package/lib/codepoint-class.js +12 -12
- package/lib/compliance-sanctions-fuzzy.js +4 -4
- package/lib/compliance-sanctions.js +4 -4
- package/lib/compliance.js +29 -29
- package/lib/content-credentials.js +36 -36
- package/lib/cookies.js +1 -1
- package/lib/cose.js +13 -13
- package/lib/cra-report.js +1 -1
- package/lib/crdt.js +1 -1
- package/lib/crypto-field.js +2 -2
- package/lib/crypto-xwing.js +7 -7
- package/lib/crypto.js +6 -6
- package/lib/csp.js +2 -2
- package/lib/cwt.js +4 -4
- package/lib/dark-patterns.js +2 -2
- package/lib/data-act.js +2 -2
- package/lib/db-file-lifecycle.js +4 -4
- package/lib/db-query.js +1 -1
- package/lib/db.js +6 -6
- package/lib/dbsc.js +13 -13
- package/lib/did.js +17 -17
- package/lib/dora.js +4 -4
- package/lib/dsr.js +1 -1
- package/lib/early-hints.js +2 -2
- package/lib/eat.js +4 -4
- package/lib/external-db-migrate.js +1 -1
- package/lib/external-db.js +1 -1
- package/lib/flag-cache.js +1 -1
- package/lib/flag-evaluation-context.js +2 -2
- package/lib/graphql-federation.js +5 -5
- package/lib/guard-agent-registry.js +5 -5
- package/lib/guard-archive.js +24 -24
- package/lib/guard-cidr.js +33 -33
- package/lib/guard-csv.js +1 -1
- package/lib/guard-domain.js +10 -10
- package/lib/guard-dsn.js +4 -4
- package/lib/guard-email.js +19 -19
- package/lib/guard-event-bus-payload.js +4 -4
- package/lib/guard-event-bus-topic.js +6 -6
- package/lib/guard-filename.js +7 -7
- package/lib/guard-graphql.js +9 -9
- package/lib/guard-html-wcag-tagwalk.js +1 -1
- package/lib/guard-html-wcag.js +4 -4
- package/lib/guard-html.js +7 -7
- package/lib/guard-idempotency-key.js +6 -6
- package/lib/guard-image.js +4 -4
- package/lib/guard-imap-command.js +17 -17
- package/lib/guard-jmap.js +20 -20
- package/lib/guard-json.js +12 -12
- package/lib/guard-jsonpath.js +3 -3
- package/lib/guard-jwt.js +4 -4
- package/lib/guard-list-id.js +7 -7
- package/lib/guard-list-unsubscribe.js +8 -8
- package/lib/guard-mail-compose.js +4 -4
- package/lib/guard-mail-move.js +5 -5
- package/lib/guard-mail-query.js +3 -3
- package/lib/guard-mail-reply.js +3 -3
- package/lib/guard-mail-sieve.js +6 -6
- package/lib/guard-managesieve-command.js +25 -25
- package/lib/guard-markdown.js +31 -31
- package/lib/guard-message-id.js +5 -5
- package/lib/guard-mime.js +1 -1
- package/lib/guard-oauth.js +3 -3
- package/lib/guard-pdf.js +6 -6
- package/lib/guard-pop3-command.js +11 -11
- package/lib/guard-posture-chain.js +5 -5
- package/lib/guard-regex.js +10 -10
- package/lib/guard-saga-config.js +5 -5
- package/lib/guard-smtp-command.js +6 -6
- package/lib/guard-snapshot-envelope.js +3 -3
- package/lib/guard-stream-args.js +4 -4
- package/lib/guard-svg.js +11 -11
- package/lib/guard-tenant-id.js +5 -5
- package/lib/guard-time.js +15 -15
- package/lib/guard-trace-context.js +4 -4
- package/lib/guard-uuid.js +11 -11
- package/lib/guard-xml.js +12 -12
- package/lib/guard-yaml.js +16 -16
- package/lib/honeytoken.js +5 -5
- package/lib/http-client.js +1 -1
- package/lib/http-message-signature.js +2 -2
- package/lib/iab-mspa.js +3 -3
- package/lib/iab-tcf.js +70 -70
- package/lib/inbox.js +4 -4
- package/lib/ip-utils.js +15 -15
- package/lib/jose-jwe-experimental.js +2 -2
- package/lib/json-path.js +3 -3
- package/lib/json-schema.js +1 -1
- package/lib/jsonapi.js +3 -3
- package/lib/jtd.js +2 -2
- package/lib/link-header.js +1 -1
- package/lib/local-db-thin.js +1 -1
- package/lib/log.js +1 -1
- package/lib/lro.js +4 -4
- package/lib/mail-agent.js +1 -1
- package/lib/mail-arc-sign.js +6 -6
- package/lib/mail-auth.js +43 -43
- package/lib/mail-bimi.js +3 -3
- package/lib/mail-crypto-pgp.js +31 -31
- package/lib/mail-crypto-smime.js +5 -5
- package/lib/mail-dav.js +1 -1
- package/lib/mail-deploy.js +39 -39
- package/lib/mail-dkim.js +11 -11
- package/lib/mail-greylist.js +12 -12
- package/lib/mail-helo.js +1 -1
- package/lib/mail-journal.js +8 -8
- package/lib/mail-rbl.js +7 -7
- package/lib/mail-scan.js +7 -7
- package/lib/mail-send-deliver.js +2 -2
- package/lib/mail-server-imap.js +12 -12
- package/lib/mail-server-jmap.js +16 -16
- package/lib/mail-server-managesieve.js +4 -4
- package/lib/mail-server-mx.js +17 -17
- package/lib/mail-server-pop3.js +4 -4
- package/lib/mail-server-rate-limit.js +2 -2
- package/lib/mail-server-submission.js +21 -21
- package/lib/mail-sieve.js +2 -2
- package/lib/mail-spam-score.js +5 -5
- package/lib/mail-srs.js +12 -12
- package/lib/mail-store-fts.js +2 -2
- package/lib/mail-store.js +8 -8
- package/lib/mail-unsubscribe.js +4 -4
- package/lib/mail.js +4 -4
- package/lib/mcp-tool-registry.js +4 -4
- package/lib/mcp.js +9 -9
- package/lib/mdoc.js +2 -2
- package/lib/metrics.js +8 -8
- package/lib/middleware/age-gate.js +1 -1
- package/lib/middleware/api-encrypt.js +7 -7
- package/lib/middleware/assetlinks.js +2 -2
- package/lib/middleware/asyncapi-serve.js +2 -2
- package/lib/middleware/bearer-auth.js +5 -5
- package/lib/middleware/body-parser.js +5 -5
- package/lib/middleware/compose-pipeline.js +15 -15
- package/lib/middleware/csp-report.js +4 -4
- package/lib/middleware/daily-byte-quota.js +1 -1
- package/lib/middleware/dpop.js +1 -1
- package/lib/middleware/headers.js +2 -2
- package/lib/middleware/host-allowlist.js +1 -1
- package/lib/middleware/idempotency-key.js +12 -12
- package/lib/middleware/nel.js +1 -1
- package/lib/middleware/openapi-serve.js +2 -2
- package/lib/middleware/protected-resource-metadata.js +2 -2
- package/lib/middleware/require-aal.js +1 -1
- package/lib/middleware/require-bound-key.js +2 -2
- package/lib/middleware/require-content-type.js +1 -1
- package/lib/middleware/require-methods.js +1 -1
- package/lib/middleware/require-step-up.js +2 -2
- package/lib/middleware/scim-server.js +1 -1
- package/lib/middleware/security-txt.js +3 -3
- package/lib/middleware/tus-upload.js +12 -12
- package/lib/middleware/web-app-manifest.js +2 -2
- package/lib/network-byte-quota.js +1 -1
- package/lib/network-dns-resolver.js +23 -23
- package/lib/network-dns.js +29 -29
- package/lib/network-dnssec.js +33 -33
- package/lib/network-smtp-policy.js +10 -10
- package/lib/network-tls.js +87 -87
- package/lib/network-tsig.js +33 -33
- package/lib/nis2-report.js +1 -1
- package/lib/ntp-check.js +3 -3
- package/lib/observability-otlp-exporter.js +17 -17
- package/lib/observability-tracer.js +6 -6
- package/lib/observability.js +8 -8
- package/lib/openapi-yaml.js +1 -1
- package/lib/openapi.js +1 -1
- package/lib/outbox.js +6 -6
- package/lib/pqc-agent.js +4 -4
- package/lib/pqc-software.js +1 -1
- package/lib/privacy-pass.js +5 -5
- package/lib/problem-details.js +5 -5
- package/lib/promise-pool.js +1 -1
- package/lib/protobuf-encoder.js +1 -1
- package/lib/redact.js +2 -2
- package/lib/request-helpers.js +1 -1
- package/lib/router.js +10 -10
- package/lib/safe-async.js +2 -2
- package/lib/safe-dns.js +71 -71
- package/lib/safe-ical.js +19 -19
- package/lib/safe-icap.js +24 -24
- package/lib/safe-jsonpath.js +2 -2
- package/lib/safe-mime.js +10 -10
- package/lib/safe-mount-info.js +3 -3
- package/lib/safe-redirect.js +1 -1
- package/lib/safe-sieve.js +23 -23
- package/lib/safe-smtp.js +1 -1
- package/lib/safe-vcard.js +14 -14
- package/lib/sandbox.js +5 -5
- package/lib/sec-cyber.js +1 -1
- package/lib/self-update-standalone-verifier.js +3 -3
- package/lib/self-update.js +3 -3
- package/lib/server-timing.js +3 -3
- package/lib/session-device-binding.js +7 -7
- package/lib/session.js +8 -8
- package/lib/standard-webhooks.js +4 -4
- package/lib/storage.js +2 -2
- package/lib/stream-throttle.js +1 -1
- package/lib/structured-fields.js +15 -15
- package/lib/subject.js +1 -1
- package/lib/tcpa-10dlc.js +1 -1
- package/lib/tenant-quota.js +3 -3
- package/lib/test-harness.js +1 -1
- package/lib/tracing.js +1 -1
- package/lib/tsa.js +5 -5
- package/lib/uri-template.js +5 -5
- package/lib/vault/index.js +2 -2
- package/lib/vault/seal-pem-file.js +4 -4
- package/lib/vc.js +2 -2
- package/lib/vendor-data.js +1 -1
- package/lib/watcher.js +4 -4
- package/lib/web-push-vapid.js +21 -21
- package/lib/webhook.js +2 -2
- package/lib/websocket.js +3 -3
- package/lib/worker-pool.js +3 -3
- package/lib/ws-client.js +24 -24
- package/lib/xml-c14n.js +2 -2
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
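--- a/package/lib/router.js
+++ b/package/lib/router.js
@@ -62,11 +62,11 @@ var HTTP_STATUS = requestHelpers.HTTP_STATUS;
 // even when Node's nghttp2 vendor lags the upstream fix: tag every
 // session with `_blamejsGoawaySent` on the framework's GOAWAY emission,
 // and force-destroy on any subsequent frame activity.
-var WINDOW_UPDATE_FRAME_TYPE = 0x8; //
+var WINDOW_UPDATE_FRAME_TYPE = 0x8; // RFC 7540 §6.9 frame type
 // Per-stream WINDOW_UPDATE rate cap. Above this rate the framework
 // destroys the stream; legitimate clients never burst this fast on a
 // healthy connection.
-var WINDOW_UPDATE_RATE_CAP = 100; //
+var WINDOW_UPDATE_RATE_CAP = 100; // frames per second per stream
 var WINDOW_UPDATE_RATE_WINDOW_MS = C.TIME.seconds(1);
 
 // Cap on operator-defined route patterns. A route registration that
@@ -287,7 +287,7 @@ var MIME_TYPES = {
 // time and overrides "replay-cache" → "refuse" with an audit row.
 var TLS_0RTT_VALID_POSTURES = ["refuse", "replay-cache"];
 var TLS_0RTT_REPLAY_WINDOW_MS = C.TIME.seconds(10);
-var TLS_0RTT_REPLAY_CACHE_CAP = 4096; //
+var TLS_0RTT_REPLAY_CACHE_CAP = 4096; // entry count, not bytes
 var TLS_0RTT_FAILCLOSED_POSTURES = ["pci-dss", "fapi2"];
 
 class Router {
@@ -671,7 +671,7 @@ class Router {
 var queryKeyCount = 0;
 for (var pair of parsed.searchParams) {
 queryKeyCount += 1;
-if (queryKeyCount > 1000) { //
+if (queryKeyCount > 1000) { // CVE-2026-21717 V8 HashDoS query-key cap
 res.statusCode = 400;
 res.end("400 Bad Request: too many query keys");
 return;
@@ -1046,12 +1046,12 @@ class Router {
 allowHTTP1: true,
 ALPNProtocols: ["h2", "http/1.1"],
 settings: { enableConnectProtocol: true },
-maxConcurrentStreams: 100, //
-maxSessionMemory: 10, //
-maxHeaderListPairs: 100, //
-maxSettings: 32, //
-peerMaxConcurrentStreams: 100, //
-maxOutstandingPings: 10, //
+maxConcurrentStreams: 100, // CVE-2023-44487 Rapid Reset cap
+maxSessionMemory: 10, // MB cap (Node default explicit)
+maxHeaderListPairs: 100, // CVE-2024-27983 CONTINUATION-flood cap
+maxSettings: 32, // SETTINGS-frame entry ceiling
+peerMaxConcurrentStreams: 100, // peer-side stream cap
+maxOutstandingPings: 10, // CVE-2019-9512 ping-flood cap (pin to Node default rather than letting it drift)
 unknownProtocolTimeout: C.TIME.seconds(10),
 }, tlsOptions), requestHandler);
 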
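Review bot: In the last hunk `maxConcurrentStreams: 100` sits at the top level of the server options, beside `settings: { enableConnectProtocol: true }`; as far as I know Node's http2 server takes the concurrent-stream limit from the `settings` object, so this line may have no effect unless it becomes `settings: { enableConnectProtocol: true, maxConcurrentStreams: 100 },`. The new comment also labels it the CVE-2023-44487 Rapid Reset cap, but a concurrent-stream ceiling does not bound how fast streams are opened and reset; where the runtime supports them, `streamResetBurst` and `streamResetRate` are the options that rate-limit resets, and the comment would be more accurate as `// concurrent-stream ceiling (defence in depth for CVE-2023-44487)`. The object literal starts before the hunk and `tlsOptions` appears to be merged over it, so it is worth confirming that caller-supplied options cannot loosen these limits.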
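--- a/package/lib/safe-async.js
+++ b/package/lib/safe-async.js
@@ -631,8 +631,8 @@ function makeScheduledFlush(delayMs, flushFn) {
 // opts.signal: AbortSignal — cancels by refusing to dispatch
 // further items; in-flight promises run to settle.
 
-var PARALLEL_DEFAULT_CONCURRENCY = 8; //
-var PARALLEL_MAX_CONCURRENCY = 256; //
+var PARALLEL_DEFAULT_CONCURRENCY = 8; // worker pool count, not bytes
+var PARALLEL_MAX_CONCURRENCY = 256; // worker pool ceiling, not bytes
 
 /**
 * @primitive b.safeAsync.parallel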
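Review bot: The new trailing comments describe both constants as a "worker pool", but the context lines above talk about dispatching items whose in-flight promises run to settle, and the package also ships a separate `lib/worker-pool.js`, so the wording suggests threads where none are visible here. Comments such as `// max in-flight tasks (count, not bytes)` and `// ceiling for caller-supplied concurrency (count, not bytes)` would say what is being limited. The doc block for `b.safeAsync.parallel` continues outside the hunk, so check that it uses the same term.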
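--- a/package/lib/safe-dns.js
+++ b/package/lib/safe-dns.js
@@ -60,27 +60,27 @@ var { defineClass } = require("./framework-error");
 
 var SafeDnsError = defineClass("SafeDnsError", { alwaysPermanent: true });
 
-//
+// RFC 1035 §3.1 single-label cap (octet 0 high
 // 2 bits reserved for compression pointer; label-length field is 6 bits).
 var DNS_MAX_LABEL_BYTES = 63;
 
-//
+// RFC 1035 §3.1 wire-format name absolute cap
 // (sum of all label-length bytes + label bytes + terminator).
 var DNS_MAX_NAME_BYTES = 255;
 
-//
+// RFC 1035 §4.2.1 fixed header size.
 var DNS_HEADER_BYTES = 12;
 
-//
+// RFC 1035 §3.2.1 RR fixed prefix
 // (TYPE 2 + CLASS 2 + TTL 4 + RDLENGTH 2 = 10 octets after NAME).
 var DNS_RR_FIXED_BYTES = 10;
 
-//
+// RFC 6891 §6.1 OPT pseudo-RR upper bound for
 // EDNS0 payload size we'll accept. 64 KiB is the protocol absolute
 // max; resolver-side default is much smaller.
 var EDNS0_HARD_MAX = 65535;
 
-//
+// RFC 1035 §3.2.2 record-type codes we route
 // through type-specific decoders. Anything not listed parses as raw
 // rdata bytes (operator inspects the RDLENGTH-bounded slice).
 var RTYPE_A = 1;
@@ -89,30 +89,30 @@ var RTYPE_CNAME = 5;
 var RTYPE_SOA = 6;
 var RTYPE_PTR = 12;
 var RTYPE_MX = 15;
-var RTYPE_TXT = 16; //
+var RTYPE_TXT = 16; // RFC 1035 §3.2.2 TXT record type code
 var RTYPE_AAAA = 28;
 var RTYPE_SRV = 33;
 var RTYPE_OPT = 41;
 var RTYPE_DS = 43;
 var RTYPE_RRSIG = 46;
-var RTYPE_DNSKEY = 48; //
+var RTYPE_DNSKEY = 48; // RFC 4034 DNSKEY record type code
 var RTYPE_TLSA = 52;
 
 var RTYPE_NAMES = Object.freeze({
 1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
-16: "TXT", 28: "AAAA", 33: "SRV", 41: "OPT", 43: "DS", //
-46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3", 52: "TLSA", //
-64: "SVCB", 65: "HTTPS", //
+16: "TXT", 28: "AAAA", 33: "SRV", 41: "OPT", 43: "DS", // IANA DNS record type codes
+46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3", 52: "TLSA", // IANA DNS record type codes
+64: "SVCB", 65: "HTTPS", // IANA DNS record type codes
 });
 
 var DEFAULT_MAX_RESPONSE_BYTES = C.BYTES.kib(4);
 var DEFAULT_MAX_EDNS0_BYTES = C.BYTES.kib(4);
-var DEFAULT_MAX_LABELS = 127; //
-var DEFAULT_MAX_POINTER_DEPTH = 16; //
+var DEFAULT_MAX_LABELS = 127; // RFC 1035 §2.3.4 label count cap (count, not bytes)
+var DEFAULT_MAX_POINTER_DEPTH = 16; // compression-pointer chain depth (count, not bytes)
 var DEFAULT_MAX_CNAME_DEPTH = 8;
-var DEFAULT_MAX_ANSWER_RRS = 64; //
-var DEFAULT_MAX_AUTHORITY_RRS = 32; //
-var DEFAULT_MAX_ADDITIONAL_RRS = 32; //
+var DEFAULT_MAX_ANSWER_RRS = 64; // RR count cap (count, not bytes)
+var DEFAULT_MAX_AUTHORITY_RRS = 32; // RR count cap (count, not bytes)
+var DEFAULT_MAX_ADDITIONAL_RRS = 32; // RR count cap (count, not bytes)
 var DEFAULT_MAX_TXT_RDATA = C.BYTES.kib(64);
 
 var DEFAULT_PROFILE = "strict";
@@ -134,21 +134,21 @@ var PROFILES = Object.freeze({
 maxEdns0Bytes: C.BYTES.kib(16),
 maxLabels: DEFAULT_MAX_LABELS,
 maxPointerDepth: DEFAULT_MAX_POINTER_DEPTH,
-maxCnameDepth: 16, //
-maxAnswerRrs: 128, //
-maxAuthorityRrs: 64, //
-maxAdditionalRrs: 64, //
+maxCnameDepth: 16, // RR count, not bytes
+maxAnswerRrs: 128, // RR count
+maxAuthorityRrs: 64, // RR count
+maxAdditionalRrs: 64, // RR count
 maxTxtRdata: C.BYTES.kib(128),
 },
 permissive: {
 maxResponseBytes: C.BYTES.kib(64),
 maxEdns0Bytes: C.BYTES.kib(64),
 maxLabels: DEFAULT_MAX_LABELS,
-maxPointerDepth: 32, //
-maxCnameDepth: 32, //
-maxAnswerRrs: 256, //
-maxAuthorityRrs: 128, //
-maxAdditionalRrs: 128, //
+maxPointerDepth: 32, // pointer chain count
+maxCnameDepth: 32, // chain count
+maxAnswerRrs: 256, // RR count
+maxAuthorityRrs: 128, // RR count
+maxAdditionalRrs: 128, // RR count
 maxTxtRdata: C.BYTES.kib(512),
 },
 });
@@ -239,13 +239,13 @@ function parseResponse(buf, opts) {
 var question = [];
 for (var q = 0; q < qdcount; q += 1) {
 var qname = _readName(state, 0);
-if (state.off + 4 > buf.length) { //
+if (state.off + 4 > buf.length) { // RFC 1035 question fixed tail (QTYPE 2 + QCLASS 2)
 throw new SafeDnsError("safe-dns/truncated-rr",
 "safeDns.parseResponse: question RR truncated mid-fixed-tail");
 }
 var qtype = buf.readUInt16BE(state.off);
 var qclass = buf.readUInt16BE(state.off + 2);
-state.off += 4; //
+state.off += 4; // RFC 1035 QTYPE 2 + QCLASS 2 advance
 question.push({
 name: qname,
 type: qtype,
@@ -272,7 +272,7 @@ function parseResponse(buf, opts) {
 
 return {
 id: id,
-rcode: flags & 0x0f, //
+rcode: flags & 0x0f, // RFC 1035 §4.1.1 RCODE mask
 flags: flags,
 question: question,
 answer: answer,
@@ -392,12 +392,12 @@ function _readName(state, pointerDepth) {
 }
 break;
 }
-if ((byte & 0xc0) === 0xc0) { //
+if ((byte & 0xc0) === 0xc0) { // RFC 1035 §4.1.4 compression pointer mask
 if (off + 1 >= state.buf.length) {
 throw new SafeDnsError("safe-dns/truncated-name",
 "safeDns.readName: compression pointer truncated");
 }
-var ptrOff = ((byte & 0x3f) << 8) | state.buf[off + 1]; //
+var ptrOff = ((byte & 0x3f) << 8) | state.buf[off + 1]; // RFC 1035 §4.1.4 14-bit pointer offset
 if (ptrOff >= state.buf.length) {
 throw new SafeDnsError("safe-dns/truncated-name",
 "safeDns.readName: compression pointer offset past message end");
@@ -405,12 +405,12 @@ function _readName(state, pointerDepth) {
 // First compression pointer ends the in-line label walk
 // (line break below). `jumped` can never already be true here;
 // assign unconditionally per Codex code-quality review.
-afterPointerOff = off + 2; //
+afterPointerOff = off + 2; // RFC 1035 §4.1.4 2-byte pointer width
 jumped = true;
 var subState = { off: ptrOff, buf: state.buf, caps: state.caps };
 var tailName = _readName(subState, pointerDepth + 1);
 if (tailName.length) labels.push(tailName);
-totalBytes += 2; //
+totalBytes += 2; // RFC 1035 §4.1.4 2-byte pointer width
 if (totalBytes > DNS_MAX_NAME_BYTES) {
 throw new SafeDnsError("safe-dns/oversize-name",
 "safeDns.readName: composite name=" + totalBytes + " bytes exceeds RFC 1035 cap=" +
@@ -450,9 +450,9 @@ function _readRr(state) {
 "safeDns.readRr: RR truncated mid-fixed-prefix");
 }
 var rtype = state.buf.readUInt16BE(state.off);
-var rclass = state.buf.readUInt16BE(state.off + 2); //
-var ttl = state.buf.readUInt32BE(state.off + 4); //
-var rdlen = state.buf.readUInt16BE(state.off + 8); //
+var rclass = state.buf.readUInt16BE(state.off + 2); // RFC 1035 §3.2.1 CLASS offset
+var ttl = state.buf.readUInt32BE(state.off + 4); // RFC 1035 §3.2.1 TTL offset
+var rdlen = state.buf.readUInt16BE(state.off + 8); // RFC 1035 §3.2.1 RDLENGTH offset
 state.off += DNS_RR_FIXED_BYTES;
 if (state.off + rdlen > state.buf.length) {
 throw new SafeDnsError("safe-dns/malformed-rdlength",
@@ -464,65 +464,65 @@ function _readRr(state) {
 state.off += rdlen;
 
 var decoded = null;
-if (rtype === RTYPE_A && rdlen === 4) { //
-decoded = rdata[0] + "." + rdata[1] + "." + rdata[2] + "." + rdata[3]; //
-} else if (rtype === RTYPE_AAAA && rdlen === 16) { //
+if (rtype === RTYPE_A && rdlen === 4) { // RFC 1035 §3.4.1 A record is 4 octets
+decoded = rdata[0] + "." + rdata[1] + "." + rdata[2] + "." + rdata[3]; // dotted-quad indices into 4-octet A rdata
+} else if (rtype === RTYPE_AAAA && rdlen === 16) { // RFC 3596 §2.2 AAAA record is 16 octets
 decoded = _formatIpv6(rdata);
 } else if (rtype === RTYPE_CNAME || rtype === RTYPE_NS || rtype === RTYPE_PTR) {
 var subState = { off: rdataStart, buf: state.buf, caps: state.caps };
 decoded = _readName(subState, 0);
-} else if (rtype === RTYPE_MX && rdlen >= 3) { //
+} else if (rtype === RTYPE_MX && rdlen >= 3) { // RFC 1035 §3.3.9 MX preference 2 + min exchange 1
 var pref = rdata.readUInt16BE(0);
-var mxState = { off: rdataStart + 2, buf: state.buf, caps: state.caps }; //
+var mxState = { off: rdataStart + 2, buf: state.buf, caps: state.caps }; // MX preference field width
 var exchange = _readName(mxState, 0);
 decoded = { preference: pref, exchange: exchange };
 } else if (rtype === RTYPE_TXT) {
 decoded = _decodeTxt(rdata, rdlen, state.caps);
 } else if (rtype === RTYPE_SOA) {
 decoded = _decodeSoa(state.buf, rdataStart, rdlen, state.caps);
-} else if (rtype === RTYPE_SRV && rdlen >= 7) { //
-var srvState = { off: rdataStart + 6, buf: state.buf, caps: state.caps }; //
+} else if (rtype === RTYPE_SRV && rdlen >= 7) { // RFC 2782 SRV fixed prefix 6 + min target 1
+var srvState = { off: rdataStart + 6, buf: state.buf, caps: state.caps }; // RFC 2782 priority 2 + weight 2 + port 2
 var target = _readName(srvState, 0);
 decoded = {
 priority: rdata.readUInt16BE(0),
-weight: rdata.readUInt16BE(2), //
-port: rdata.readUInt16BE(4), //
+weight: rdata.readUInt16BE(2), // RFC 2782 weight offset
+port: rdata.readUInt16BE(4), // RFC 2782 port offset
 target: target,
 };
-} else if (rtype === RTYPE_DS && rdlen >= 4) { //
+} else if (rtype === RTYPE_DS && rdlen >= 4) { // RFC 4034 §5.1 DS fixed prefix 4 + digest
 decoded = {
 keyTag: rdata.readUInt16BE(0),
 algorithm: rdata.readUInt8(2),
 digestType: rdata.readUInt8(3),
-digest: rdata.slice(4), //
+digest: rdata.slice(4), // RFC 4034 §5.1 digest start
 };
-} else if (rtype === RTYPE_DNSKEY && rdlen >= 4) { //
+} else if (rtype === RTYPE_DNSKEY && rdlen >= 4) { // RFC 4034 §2.1 DNSKEY fixed prefix 4 + pubkey
 decoded = {
 flags: rdata.readUInt16BE(0),
 protocol: rdata.readUInt8(2),
 algorithm: rdata.readUInt8(3),
-publicKey: rdata.slice(4), //
+publicKey: rdata.slice(4), // RFC 4034 §2.1 publicKey start
 };
-} else if (rtype === RTYPE_RRSIG && rdlen >= 18) { //
-var rrsigState = { off: rdataStart + 18, buf: state.buf, caps: state.caps }; //
+} else if (rtype === RTYPE_RRSIG && rdlen >= 18) { // RFC 4034 §3.1 RRSIG fixed prefix 18 + signer + signature
+var rrsigState = { off: rdataStart + 18, buf: state.buf, caps: state.caps }; // RFC 4034 §3.1 fixed prefix width
 var signer = _readName(rrsigState, 0);
 decoded = {
 typeCovered: rdata.readUInt16BE(0),
 algorithm: rdata.readUInt8(2),
 labels: rdata.readUInt8(3),
-originalTtl: rdata.readUInt32BE(4), //
-sigExpiry: rdata.readUInt32BE(8), //
-sigInception: rdata.readUInt32BE(12), //
-keyTag: rdata.readUInt16BE(16), //
+originalTtl: rdata.readUInt32BE(4), // RFC 4034 §3.1 originalTtl offset
+sigExpiry: rdata.readUInt32BE(8), // RFC 4034 §3.1 expiry offset
+sigInception: rdata.readUInt32BE(12), // RFC 4034 §3.1 inception offset
+keyTag: rdata.readUInt16BE(16), // RFC 4034 §3.1 keyTag offset
 signerName: signer,
 signature: state.buf.slice(rrsigState.off, rdataStart + rdlen),
 };
-} else if (rtype === RTYPE_TLSA && rdlen >= 3) { //
+} else if (rtype === RTYPE_TLSA && rdlen >= 3) { // RFC 6698 §2.1 TLSA fixed prefix 3 + certData
 decoded = {
 usage: rdata.readUInt8(0),
 selector: rdata.readUInt8(1),
 matchingType: rdata.readUInt8(2),
-certData: rdata.slice(3), //
+certData: rdata.slice(3), // RFC 6698 §2.1 certData start
 };
 }
 
@@ -544,15 +544,15 @@ function _readRr(state) {
 // (::ffff:0:0/96) emit the trailing 32 bits as dotted-quad per
 // RFC 5952 §5.
 function _formatIpv6(rdata) {
-var groups = new Array(8); //
-for (var g = 0; g < 8; g += 1) groups[g] = rdata.readUInt16BE(g * 2); //
+var groups = new Array(8); // RFC 4291 §2.2 8 IPv6 groups
+for (var g = 0; g < 8; g += 1) groups[g] = rdata.readUInt16BE(g * 2); // RFC 4291 §2.2 group byte stride
 
 // RFC 5952 §5 — IPv4-mapped: first 80 bits zero, next 16 bits 0xFFFF.
 var isV4Mapped = true;
-for (var z = 0; z < 5; z += 1) if (groups[z] !== 0) { isV4Mapped = false; break; } //
-if (isV4Mapped && groups[5] !== 0xffff) isV4Mapped = false; //
+for (var z = 0; z < 5; z += 1) if (groups[z] !== 0) { isV4Mapped = false; break; } // RFC 5952 §5 v4-mapped zero-prefix groups
+if (isV4Mapped && groups[5] !== 0xffff) isV4Mapped = false; // RFC 5952 §5 v4-mapped marker group
 if (isV4Mapped) {
-var dotted = rdata[12] + "." + rdata[13] + "." + rdata[14] + "." + rdata[15]; //
+var dotted = rdata[12] + "." + rdata[13] + "." + rdata[14] + "." + rdata[15]; // RFC 5952 §5 trailing v4 octets
 return "::ffff:" + dotted;
 }
 
@@ -561,7 +561,7 @@ function _formatIpv6(rdata) {
 var bestLen = 0;
 var curStart = -1;
 var curLen = 0;
-for (var i = 0; i < 8; i += 1) { //
+for (var i = 0; i < 8; i += 1) { // RFC 4291 §2.2 IPv6 group iteration
 if (groups[i] === 0) {
 if (curStart === -1) curStart = i;
 curLen += 1;
@@ -571,7 +571,7 @@ function _formatIpv6(rdata) {
 curLen = 0;
 }
 }
-var hex = groups.map(function (n) { return n.toString(16); }); //
+var hex = groups.map(function (n) { return n.toString(16); }); // hex radix
 if (bestLen < 2) return hex.join(":");
 var head = hex.slice(0, bestStart).join(":");
 var tail = hex.slice(bestStart + bestLen).join(":");
@@ -602,15 +602,15 @@ function _decodeSoa(buf, rdataStart, rdlen, caps) {
 var state = { off: rdataStart, buf: buf, caps: caps };
 var mname = _readName(state, 0);
 var rname = _readName(state, 0);
-if (state.off + 20 > rdataStart + rdlen) { //
+if (state.off + 20 > rdataStart + rdlen) { // RFC 1035 §3.3.13 SOA tail = SERIAL 4 + REFRESH 4 + RETRY 4 + EXPIRE 4 + MINIMUM 4 = 20 octets
 throw new SafeDnsError("safe-dns/malformed-rdlength",
 "safeDns.decodeSoa: SOA tail truncated");
 }
 var serial = buf.readUInt32BE(state.off);
-var refresh = buf.readUInt32BE(state.off + 4); //
-var retry = buf.readUInt32BE(state.off + 8); //
-var expire = buf.readUInt32BE(state.off + 12); //
-var minimum = buf.readUInt32BE(state.off + 16); //
+var refresh = buf.readUInt32BE(state.off + 4); // RFC 1035 §3.3.13 REFRESH offset
+var retry = buf.readUInt32BE(state.off + 8); // RFC 1035 §3.3.13 RETRY offset
+var expire = buf.readUInt32BE(state.off + 12); // RFC 1035 §3.3.13 EXPIRE offset
+var minimum = buf.readUInt32BE(state.off + 16); // RFC 1035 §3.3.13 MINIMUM offset
 return {
 mname: mname, rname: rname,
 serial: serial, refresh: refresh, retry: retry, expire: expire, minimum: minimum,
@@ -627,9 +627,9 @@ function _decodeOpt(rr, caps) {
 "safeDns.decodeOpt: advertised buffer size=" + advertised +
 " exceeds maxEdns0Bytes=" + caps.maxEdns0Bytes);
 }
-var extendedRcode = (rr.ttl >>> 24) & 0xff; //
-var version = (rr.ttl >>> 16) & 0xff; //
-var dnssecOk = (rr.ttl & 0x8000) !== 0; //
+var extendedRcode = (rr.ttl >>> 24) & 0xff; // RFC 6891 §6.1.3 extended RCODE upper byte
+var version = (rr.ttl >>> 16) & 0xff; // RFC 6891 §6.1.3 version byte
+var dnssecOk = (rr.ttl & 0x8000) !== 0; // RFC 4035 §3.2.1 DO bit
 return {
 advertisedUdpSize: advertised,
 extendedRcode: extendedRcode,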
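--- a/package/lib/safe-ical.js
+++ b/package/lib/safe-ical.js
@@ -86,33 +86,33 @@ var SafeIcalError = defineClass("SafeIcalError", { alwaysPermanent: true });
 
 // RRULE caps are enforced regardless of profile — the recursion-DoS
 // class has no safe permissive posture.
-var RRULE_MAX_COUNT = 10000; //
-var RRULE_MAX_BY_ENTRIES = 24; //
+var RRULE_MAX_COUNT = 10000; // RFC 5545 §3.3.10 recurrence-count cap
+var RRULE_MAX_BY_ENTRIES = 24; // BYxxx list-length cap
 
 var PROFILES = Object.freeze({
 strict: Object.freeze({
 maxBytes: C.BYTES.kib(256),
 maxLineBytes: C.BYTES.kib(8),
-maxLines: 16384, //
-maxNestingDepth: 16, //
-maxComponents: 4096, //
-maxPropertiesPerComponent: 256, //
+maxLines: 16384, // line count cap, not byte size
+maxNestingDepth: 16, // nesting depth cap, not bytes
+maxComponents: 4096, // total component count cap, not bytes
+maxPropertiesPerComponent: 256, // per-component prop count, not bytes
 }),
 balanced: Object.freeze({
 maxBytes: C.BYTES.mib(1),
 maxLineBytes: C.BYTES.kib(32),
-maxLines: 65536, //
-maxNestingDepth: 32, //
-maxComponents: 16384, //
-maxPropertiesPerComponent: 1024, //
+maxLines: 65536, // line count cap, not byte size
+maxNestingDepth: 32, // nesting depth cap, not bytes
+maxComponents: 16384, // total component count cap, not bytes
+maxPropertiesPerComponent: 1024, // per-component prop count, not bytes
 }),
 permissive: Object.freeze({
 maxBytes: C.BYTES.mib(4),
 maxLineBytes: C.BYTES.kib(128),
-maxLines: 262144, //
-maxNestingDepth: 64, //
-maxComponents: 65536, //
-maxPropertiesPerComponent: 4096, //
+maxLines: 262144, // line count cap, not byte size
+maxNestingDepth: 64, // nesting depth cap, not bytes
+maxComponents: 65536, // total component count cap, not bytes
+maxPropertiesPerComponent: 4096, // per-component prop count, not bytes
 }),
 });
 
@@ -345,7 +345,7 @@ function _unfold(s, caps) {
 continue;
 }
 var firstChar = line.charCodeAt(0);
-if (firstChar === 0x20 || firstChar === 0x09) { //
+if (firstChar === 0x20 || firstChar === 0x09) { // SPACE / HTAB are RFC 5545 §3.1 fold markers
 if (unfolded.length === 0) {
 throw new SafeIcalError("safe-ical/bad-line",
 "safeIcal.parse: continuation line before any content line");
@@ -393,7 +393,7 @@ function _parseContentLine(line) {
 // value. Header-injection / log-poisoning defense.
 for (var k = 0; k < value.length; k++) {
 var cc = value.charCodeAt(k);
-if ((cc < 0x20 && cc !== 0x09) || cc === 0x7F) { //
+if ((cc < 0x20 && cc !== 0x09) || cc === 0x7F) { // C0 + DEL refusal
 throw new SafeIcalError("safe-ical/control-char-in-value",
 "safeIcal.parse: control char 0x" + cc.toString(16) +
 " in property value (header-injection defense)");
@@ -427,8 +427,8 @@ function _findUnquotedColon(line) {
 var inQ = false;
 for (var i = 0; i < line.length; i++) {
 var c = line.charCodeAt(i);
-if (c === 0x22) { inQ = !inQ; continue; } //
-if (c === 0x3A && !inQ) return i; //
+if (c === 0x22) { inQ = !inQ; continue; } // DQUOTE per RFC 5545 §3.1 quoted-string
+if (c === 0x3A && !inQ) return i; // colon separator per RFC 5545 §3.1
 }
 return -1;
 }
@@ -620,7 +620,7 @@ function _shapeComponent(comp) {
 
 function _preview(s) {
 if (typeof s !== "string") s = String(s);
-return s.length > 64 ? s.slice(0, 64) + "..." : s; //
+return s.length > 64 ? s.slice(0, 64) + "..." : s; // log-preview length cap
 }
 
 module.exports = {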
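Review bot: In the `_parseContentLine` hunk (new line 396) the added comment `// C0 + DEL refusal` does not say that HTAB (0x09) is deliberately let through, and the condition leaves C1 controls (0x80–0x9F) unchecked, which matters if these values later reach a log or terminal, as the "log-poisoning defense" comment above the loop suggests. I would spell the scope out, e.g. `// refuse C0 except HTAB, plus DEL; C1 (0x80-0x9F) is not checked here`, and decide whether C1 should be refused as well. That function starts and ends outside the hunk, so a later check may already cover it. Separately, `// RFC 5545 §3.3.10 recurrence-count cap` on `RRULE_MAX_COUNT` reads as if the RFC fixes 10000, while that section defines COUNT without an upper bound; `// local cap on RRULE COUNT (RFC 5545 §3.3.10 defines COUNT, sets no limit)` would be more accurate.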