@blamejs/core 0.14.19 → 0.14.21

package/lib/mail-auth.js

@@ -50,6 +50,7 @@ var validateOpts = require("./validate-opts");
 var bCrypto = require("./crypto");
 var C = require("./constants");
 var dkim = require("./mail-dkim");
+var mimeParse = require("./mime-parse");
 var safeXml = require("./parsers/safe-xml");
 var ipUtils = require("./ip-utils");
 var publicSuffix = require("./public-suffix");
@@ -2615,6 +2616,337 @@ async function iprevVerify(ip) {
   };
 }
 
+// ---- DMARC forensic (RUF) failure-report parser (RFC 6591 + RFC 7489 §7.3) ----
+//
+// A domain publishing a DMARC `ruf=` policy receives per-message
+// failure reports when an authentication check fails. RFC 7489 §7.3
+// specifies the Authentication Failure Reporting Format (AFRF) of
+// RFC 6591 for these: a multipart/report (report-type=feedback-report)
+// carrying a `message/feedback-report` part whose header block adds the
+// DMARC-specific fields (Auth-Failure, Delivery-Result, Identity-
+// Alignment, DKIM-*/SPF-* result fields) on top of the RFC 5965 base
+// fields, plus a third part (message/rfc822 or text/rfc822-headers)
+// with the reported message (in full or headers-only).
+//
+// Composes the shared lib/mime-parse.js substrate (the same MIME walker
+// the RFC 5965 ARF ingest in lib/mail-arf.js uses) for the
+// multipart/report bisection + message/feedback-report extraction, then
+// shapes the full RFC 6591 §3.1 forensic field set (which the abuse-
+// report profile does not model) plus the reported message's headers.
+//
+//   var rv = b.mail.dmarc.parseForensicReport(rawMessageBytes);
+//   if (!rv.ok) { /* rv.error.code / rv.error.message */ }
+//   else        { /* rv.report.feedbackType / .authFailure / … */ }
+//
+// Validation tier: DEFENSIVE READER. The input is hostile-by-default
+// (a per-message failure report arrives at an operator endpoint from an
+// arbitrary reporting peer). The parser RETURNS a typed error object on
+// any malformed / over-cap / wrong-shape input — it does NOT throw in
+// the hot path, so a crafted report can't crash the request that
+// ingested it. Bytes + part-count + reported-header counts are bounded
+// (CWE-400 resource-exhaustion class) like the sibling aggregate-report
+// parser.
+//
+//   { ok: true,  report: { … } }
+//   { ok: false, error: { code: "<slug>", message: "<reason>" } }
+
+// RFC 6591 §3.2 — the report is small in practice; cap at 8 MiB to match
+// the sibling DMARC aggregate-report ceiling so operators have one
+// mental model for "what fits".
+var DMARC_RUF_MAX_REPORT_BYTES = C.BYTES.mib(8);
+
+// RFC 2046 §5.1 — a multipart/report failure report has a handful of
+// parts (text/plain + message/feedback-report + the reported message);
+// bound the part count so a hostile report with thousands of empty
+// boundary delimiters can't force unbounded walk work.
+var DMARC_RUF_MAX_PARTS = 64;                                                    // resource-exhaustion bound (CWE-400)
+
+// RFC 6591 §3.1 — required forensic fields. Feedback-Type and Auth-
+// Failure are the two that make an auth-failure report a DMARC forensic
+// report (RFC 7489 §7.3). User-Agent / Version are advisory in practice.
+var DMARC_RUF_REQUIRED_FIELDS = ["feedback-type", "auth-failure"];
+
+// RFC 6591 §3.1 — Auth-Failure registry values. Unknown values pass
+// through (the IANA "Authentication Failure" registry grows); this set
+// documents the launch vocabulary so operators can route on it.
+var DMARC_RUF_AUTH_FAILURE_TYPES = Object.freeze({
+  adsp:       1,                                                                 // RFC 6591 §3.1 (historic ADSP)
+  "bodyhash": 1,                                                                 // DKIM body-hash mismatch
+  dkim:       1,                                                                 // DKIM signature failure
+  dmarc:      1,                                                                 // RFC 7489 §7.3 — DMARC evaluation failure
+  revoked:    1,                                                                 // signing key revoked
+  signature:  1,                                                                 // DKIM signature syntactically invalid
+  spf:        1,                                                                 // SPF check failure
+});
+void DMARC_RUF_AUTH_FAILURE_TYPES;
+
+// RFC 6591 §3.2 — the reported message's header section can be large but
+// is bounded; cap the number of reported headers we normalize so a
+// crafted report can't force unbounded work. The full reported message
+// text is still surfaced verbatim under `reportedMessage` (bounded by
+// the overall byte cap), but the parsed `reportedHeaders` list is
+// header-count-capped.
+var DMARC_RUF_MAX_REPORTED_HEADERS = 256;                                       // resource-exhaustion bound (CWE-400)
+
+function _rufError(code, message) {
+  return { ok: false, error: { code: code, message: message } };
+}
+
+// Parse the reported message's headers (RFC 6591 §3.2 — the third part
+// of the report carries the message that failed authentication, in full
+// or headers-only). Returns an own-keys-only map (null-prototype) of
+// header-name → value (last-wins for duplicate single-valued lookups;
+// the full ordered list is also returned) so a header named
+// `__proto__` / `constructor` in a hostile report can't pollute the
+// prototype chain (prototype-pollution class).
+function _parseReportedHeaders(reportedMessage) {
+  var ordered = [];
+  var map = Object.create(null);
+  if (typeof reportedMessage !== "string" || reportedMessage.length === 0) {
+    return { headers: ordered, map: map, truncated: false };
+  }
+  var split;
+  try { split = mimeParse.splitHeadersAndBody(reportedMessage); }
+  catch (_e) { return { headers: ordered, map: map, truncated: false }; }
+  var hdrs = Array.isArray(split.headers) ? split.headers : [];
+  var truncated = false;
+  for (var i = 0; i < hdrs.length; i += 1) {
+    if (ordered.length >= DMARC_RUF_MAX_REPORTED_HEADERS) { truncated = true; break; }
+    var h = hdrs[i];
+    if (!h || typeof h.name !== "string") continue;
+    var name = h.name;
+    var value = typeof h.value === "string" ? h.value : "";
+    ordered.push({ name: name, value: value });
+    // Own-key assignment on a null-prototype object: a reported header
+    // named __proto__ / constructor / prototype is stored as data, not
+    // walked up the chain.
+    map[name.toLowerCase()] = value;
+  }
+  return { headers: ordered, map: map, truncated: truncated };
+}
+
+// Reassemble a MIME part's headers + body so a reported message that
+// ships as text/rfc822-headers (no separate body) still round-trips its
+// header bytes (RFC 6591 §3.2 permits headers-only).
+function _reassembleRufPart(part) {
+  var hdrs = "";
+  var ph = Array.isArray(part.headers) ? part.headers : [];
+  for (var i = 0; i < ph.length; i += 1) {
+    hdrs += ph[i].name + ": " + ph[i].value + "\r\n";
+  }
+  return hdrs + "\r\n" + (part.body || "");
+}
+
+function dmarcParseForensicReport(input, opts) {
+  opts = opts || {};
+
+  // ---- Coerce + byte-cap (defensive: typed error, never throw) ----
+  var asString;
+  if (typeof input === "string") asString = input;
+  else if (Buffer.isBuffer(input)) asString = input.toString("utf8");
+  else {
+    return _rufError("mail-auth/dmarc-ruf-bad-input",
+      "dmarc.parseForensicReport: input must be a string or Buffer");
+  }
+  var maxBytes = (typeof opts.maxBytes === "number" && isFinite(opts.maxBytes) && opts.maxBytes > 0)
+    ? opts.maxBytes
+    : DMARC_RUF_MAX_REPORT_BYTES;
+  if (asString.length > maxBytes) {
+    return _rufError("mail-auth/dmarc-ruf-too-large",
+      "dmarc.parseForensicReport: report exceeds " + maxBytes + " bytes (got " + asString.length + ")");
+  }
+
+  // ---- Bisect top-level headers / body; require multipart/report ----
+  var top;
+  try { top = mimeParse.splitHeadersAndBody(asString); }
+  catch (e) {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: header/body split failed: " + ((e && e.message) || String(e)));
+  }
+  var ct = mimeParse.parseContentType(mimeParse.findHeader(top.headers, "Content-Type") || "");
+  if (ct.type !== "multipart/report") {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: top-level Content-Type must be multipart/report (got '" + ct.type + "')");
+  }
+  // RFC 6591 §2 / RFC 5965 §2 — report-type=feedback-report. Tolerate an
+  // omitted report-type (shipping reporters sometimes drop it); refuse a
+  // mismatched value.
+  if (ct.params["report-type"] && ct.params["report-type"].toLowerCase() !== "feedback-report") {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: report-type must be feedback-report (got '" +
+      ct.params["report-type"] + "')");
+  }
+  if (!ct.params.boundary) {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: multipart/report Content-Type lacks boundary parameter");
+  }
+
+  // ---- Walk the parts; find message/feedback-report + reported msg ----
+  var parts = mimeParse.splitMimeParts(top.body, ct.params.boundary);
+  if (parts.length === 0) {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: multipart/report body contains no parts");
+  }
+  if (parts.length > DMARC_RUF_MAX_PARTS) {
+    return _rufError("mail-auth/dmarc-ruf-too-many-parts",
+      "dmarc.parseForensicReport: report has " + parts.length + " parts (cap " +
+      DMARC_RUF_MAX_PARTS + ")");
+  }
+
+  var feedbackPart = null;
+  var reportedPart = null;
+  for (var pi = 0; pi < parts.length; pi += 1) {
+    var split;
+    try { split = mimeParse.splitHeadersAndBody(parts[pi]); }
+    catch (_e) { continue; }
+    var partCt = mimeParse.parseContentType(
+      mimeParse.findHeader(split.headers, "Content-Type") || "");
+    if (partCt.type === "message/feedback-report" && !feedbackPart) {
+      feedbackPart = split;
+    } else if ((partCt.type === "message/rfc822" ||
+                partCt.type === "text/rfc822-headers") && !reportedPart) {
+      reportedPart = split;
+    }
+  }
+  if (!feedbackPart) {
+    return _rufError("mail-auth/dmarc-ruf-no-feedback-report",
+      "dmarc.parseForensicReport: missing message/feedback-report subpart (RFC 6591 §3)");
+  }
+
+  // ---- Parse the feedback-report header block (RFC 6591 §3.1) ----
+  // Field names are stored own-key on a null-prototype map so a hostile
+  // field named __proto__ / constructor can't pollute the prototype.
+  var fields;
+  try { fields = mimeParse.parseHeaderBlock(feedbackPart.body); }
+  catch (e) {
+    return _rufError("mail-auth/dmarc-ruf-bad-report",
+      "dmarc.parseForensicReport: feedback-report field parse failed: " + ((e && e.message) || String(e)));
+  }
+  var fieldMap = Object.create(null);
+  var rcptToList = [];
+  for (var fi = 0; fi < fields.length; fi += 1) {
+    var f = fields[fi];
+    if (!f || typeof f.name !== "string") continue;
+    var lc = f.name.toLowerCase();
+    var val = typeof f.value === "string" ? f.value : "";
+    fieldMap[lc] = val;
+    if (lc === "original-rcpt-to") rcptToList.push(val);
+  }
+  function _field(name) {
+    return Object.prototype.hasOwnProperty.call(fieldMap, name) ? fieldMap[name] : null;
+  }
+
+  // ---- Required fields (RFC 6591 §3.1 / RFC 7489 §7.3) ----
+  for (var ri = 0; ri < DMARC_RUF_REQUIRED_FIELDS.length; ri += 1) {
+    var req = DMARC_RUF_REQUIRED_FIELDS[ri];
+    var rv = _field(req);
+    if (typeof rv !== "string" || rv.length === 0) {
+      if (req === "auth-failure") {
+        return _rufError("mail-auth/dmarc-ruf-missing-auth-failure",
+          "dmarc.parseForensicReport: required field 'Auth-Failure' is missing (RFC 6591 §3.1)");
+      }
+      return _rufError("mail-auth/dmarc-ruf-missing-field",
+        "dmarc.parseForensicReport: required field '" + req + "' is missing (RFC 6591 §3.1)");
+    }
+  }
+
+  // RFC 7489 §7.3 — a DMARC forensic report carries Feedback-Type:
+  // auth-failure (the AFRF profile of RFC 6591). A report whose Feedback-
+  // Type is another ARF class (e.g. plain "abuse") is a valid feedback
+  // report but NOT a DMARC forensic report; surface the mismatch rather
+  // than mislabeling it. Field values are case-insensitive tokens.
+  var feedbackType = String(_field("feedback-type")).toLowerCase();
+  if (feedbackType !== "auth-failure") {
+    return _rufError("mail-auth/dmarc-ruf-not-auth-failure",
+      "dmarc.parseForensicReport: Feedback-Type must be 'auth-failure' for a " +
+      "DMARC forensic report (RFC 7489 §7.3 / RFC 6591), got " +
+      JSON.stringify(_field("feedback-type")));
+  }
+
+  // ---- RFC 6591 §3.2 reported message ----
+  var reportedMessage = null;
+  if (reportedPart) {
+    reportedMessage = (reportedPart.body && reportedPart.body.length > 0)
+      ? reportedPart.body
+      : _reassembleRufPart(reportedPart);
+  }
+  var reported = _parseReportedHeaders(reportedMessage);
+
+  // ---- Normalize Arrival-Date / Incidents (RFC 5965 §3.1) ----
+  var arrivalRaw = _field("arrival-date") || _field("received-date") || null;
+  var arrivalIso = null;
+  if (arrivalRaw) {
+    var d = new Date(arrivalRaw);
+    if (!isNaN(d.getTime())) arrivalIso = d.toISOString();
+  }
+  var incidentsRaw = _field("incidents");
+  var incidents = null;
+  if (typeof incidentsRaw === "string") {
+    var inc = parseInt(incidentsRaw, 10);
+    if (isFinite(inc) && inc >= 0) incidents = inc;
+  }
+
+  // Surface unmodeled fields under extraFields for operator visibility
+  // (vendor X-* tags). Own-key copy off the null-prototype fieldMap onto
+  // a null-prototype target so a field named __proto__ / constructor in a
+  // hostile report is stored as data, not as a prototype mutation.
+  var KNOWN = Object.create(null);
+  ["feedback-type", "user-agent", "version", "auth-failure",
+   "delivery-result", "identity-alignment", "dkim-domain",
+   "dkim-identity", "dkim-selector", "dkim-canonicalized-header",
+   "dkim-canonicalized-body", "spf-dns", "original-mail-from",
+   "original-rcpt-to", "arrival-date", "received-date",
+   "reported-domain", "source-ip", "authentication-results",
+   "reported-uri", "incidents", "original-envelope-id"
+  ].forEach(function (k) { KNOWN[k] = 1; });
+  var extraFields = Object.create(null);
+  Object.keys(fieldMap).forEach(function (k) {
+    if (!Object.prototype.hasOwnProperty.call(KNOWN, k)) extraFields[k] = fieldMap[k];
+  });
+
+  var report = {
+    // ---- RFC 5965 base fields ----
+    feedbackType:          _field("feedback-type"),
+    userAgent:             _field("user-agent"),
+    version:               _field("version") || "1",
+    arrivalDate:           arrivalIso || arrivalRaw,
+    reportedDomain:        _field("reported-domain"),
+    sourceIp:              _field("source-ip"),
+    originalFrom:          _field("original-mail-from"),
+    originalRcptTo:        rcptToList,
+    originalEnvelopeId:    _field("original-envelope-id"),
+    authenticationResults: _field("authentication-results"),
+    incidents:             incidents,
+    reportedUri:           _field("reported-uri"),
+
+    // ---- RFC 6591 §3.1 / RFC 7489 §7.3 forensic-specific fields ----
+    authFailure:           _field("auth-failure"),                              // RFC 6591 §3.1 — "dkim" | "spf" | "dmarc" | "bodyhash" | …
+    deliveryResult:        _field("delivery-result"),                           // RFC 6591 §3.1 — "delivered" | "spam" | "policy" | "reject" | "other"
+    identityAlignment:     _field("identity-alignment"),                        // RFC 7489 §7.3 — "none" | "spf" | "dkim" | "dkim spf"
+    dkim: {
+      domain:              _field("dkim-domain"),                               // RFC 6591 §3.1
+      identity:            _field("dkim-identity"),
+      selector:            _field("dkim-selector"),
+      canonicalizedHeader: _field("dkim-canonicalized-header"),
+      canonicalizedBody:   _field("dkim-canonicalized-body"),
+    },
+    spf: {
+      dns:                 _field("spf-dns"),                                    // RFC 6591 §3.1 — the SPF DNS record at evaluation time
+    },
+
+    // ---- RFC 6591 §3.2 reported message ----
+    reportedMessage:       reportedMessage,
+    reportedHeaders:       reported.headers,                                    // [ { name, value }, … ] — order preserved
+    reportedHeaderMap:     reported.map,                                        // null-prototype lower-cased-name → value
+    reportedHeadersTruncated: reported.truncated,                               // true when the §3.2 header cap clipped the list
+
+    // ---- operator-visible passthrough for unmodeled fields ----
+    extraFields:           extraFields,
+  };
+
+  return { ok: true, report: report };
+}
+
 module.exports = {
   spf: Object.freeze({
     verify:        spfVerify,
@@ -2625,6 +2957,7 @@ module.exports = {
     parseRecord:              _parseDmarcRecord,
     parseAggregateReport:     dmarcParseAggregateReport,
     buildAggregateReport:     dmarcBuildAggregateReport,
+    parseForensicReport:      dmarcParseForensicReport,
   }),
   arc: Object.freeze({
     verify:        arcVerify,

package/lib/mail-deploy.js

@@ -919,7 +919,7 @@ function tlsRptIngestHttp(opts) {
   opts = opts || {};
   validateOpts(opts, ["authenticate", "trustedReporters", "maxCompressedBytes",
                        "maxDecompressedBytes", "maxRatio", "onAccept", "onRefuse",
-                       "audit", "compliance"],
+                       "audit"],
     "mail.deploy.tlsRptIngestHttp");
   validateOpts.optionalFunction(opts.authenticate, "tlsRptIngestHttp: opts.authenticate",
     MailDeployError, "mail-tlsrpt/bad-opts");

package/lib/mail-send-deliver.js

@@ -468,16 +468,25 @@ function create(opts) {
 
   var retryOpts = opts.retry || {};
   validateOpts(retryOpts, ["maxAttempts", "backoffMs"], "mail.send.deliver.create.retry");
-  var maxAttempts = typeof retryOpts.maxAttempts === "number" && retryOpts.maxAttempts > 0
-    ? Math.floor(retryOpts.maxAttempts) : DEFAULT_RETRY_BACKOFF_MS.length;
+  // Config-time entry-point opts: a typo (maxAttempts:"5", mxLookupMs:-1)
+  // must fail at create(), not silently fall back to the default. Absent
+  // keeps the default; present-but-bad throws. Matches opts.port above.
+  validateOpts.optionalPositiveInt(retryOpts.maxAttempts,
+    "mail.send.deliver.create.retry.maxAttempts", DeliverError, "deliver/bad-retry-maxAttempts");
+  var maxAttempts = retryOpts.maxAttempts !== undefined
+    ? retryOpts.maxAttempts : DEFAULT_RETRY_BACKOFF_MS.length;
   var backoffMs = Array.isArray(retryOpts.backoffMs) && retryOpts.backoffMs.length > 0
     ? retryOpts.backoffMs.slice() : DEFAULT_RETRY_BACKOFF_MS.slice();
 
   var timeouts = opts.timeouts || {};
   validateOpts(timeouts, ["mxLookupMs", "perHostMs"], "mail.send.deliver.create.timeouts");
-  var mxLookupTimeoutMs = typeof timeouts.mxLookupMs === "number" && timeouts.mxLookupMs > 0
+  validateOpts.optionalPositiveInt(timeouts.mxLookupMs,
+    "mail.send.deliver.create.timeouts.mxLookupMs", DeliverError, "deliver/bad-timeout-mxLookupMs");
+  validateOpts.optionalPositiveInt(timeouts.perHostMs,
+    "mail.send.deliver.create.timeouts.perHostMs", DeliverError, "deliver/bad-timeout-perHostMs");
+  var mxLookupTimeoutMs = timeouts.mxLookupMs !== undefined
     ? timeouts.mxLookupMs : DEFAULT_MX_LOOKUP_TIMEOUT_MS;
-  var perHostTimeoutMs = typeof timeouts.perHostMs === "number" && timeouts.perHostMs > 0
+  var perHostTimeoutMs = timeouts.perHostMs !== undefined
     ? timeouts.perHostMs : DEFAULT_PER_HOST_TIMEOUT_MS;
 
   var dsnOpts = opts.dsn || null;