@blamejs/core 0.14.25 → 0.14.27

package/lib/ssrf-guard.js

@@ -148,12 +148,27 @@ var IPV6_6TO4_PREFIX      = _ipv6ToBytes("2002::");
 // or attempted exfil to a sinkhole.
 var IPV6_DISCARD_PREFIX   = _ipv6ToBytes("100::");
 
-// ---- Cloud metadata addresses (string-equality, exact match) ----
+// ---- Cloud metadata addresses (matched on CANONICAL bytes, not string) ----
+// The documentation strings below are the human-readable canonical forms.
+// Matching is byte-canonical (see _isCloudMetadataAddr): an IPv6 address has
+// many textual representations (compressed `::`, fully-expanded
+// `fd00:ec2:0:0:0:0:0:254`, mixed-case) that all decode to the same 16 bytes.
+// A string-equality membership test matched only ONE spelling, so a hostile
+// (or merely DoH-decoded — network-dns.js emits the expanded form) answer of
+// `fd00:ec2:0:0:0:0:0:254` slipped past as "private" and rode the documented
+// `allowInternal:true` waiver straight into the IMDS credential endpoint.
 var CLOUD_METADATA_IPS = [
   "169.254.169.254",       // AWS, GCP, Azure, OpenStack, DO
   "169.254.170.2",         // AWS ECS task role
   "fd00:ec2::254",         // AWS IMDS over IPv6
 ];
+// Canonical byte forms of the metadata IPs — v4 as a 4-byte Buffer, v6 as a
+// 16-byte Buffer. Built once at load via the same parsers classify() uses,
+// so every textual representation that decodes to these bytes is caught.
+var CLOUD_METADATA_BYTES = CLOUD_METADATA_IPS.map(function (ip) {
+  var fam = net.isIP(ip);
+  return fam === 4 ? _ipv4ToBytes(ip) : _ipv6ToBytes(ip);
+});
 
 // ---- Helpers ----
 
@@ -180,6 +195,14 @@ function _ipv4ToInt(ip) {
           nums[3];
 }
 
+function _ipv4ToBytes(ip) {
+  // Canonical 4-byte form of an IPv4 address. Returns null on malformed
+  // input so a metadata-membership test never matches garbage.
+  var n = _ipv4ToInt(ip);
+  if (!Number.isFinite(n)) return null;
+  return Buffer.from([(n >>> 24) & 0xff, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff]);
+}
+
 function _ipv6ToBytes(ip) {
   // Node's net.isIPv6 returns 6 for valid IPv6; we then expand
   // shorthand via manual parsing. node:net doesn't export an
@@ -309,7 +332,10 @@ function classify(ip) {
   var family = net.isIP(ip);
   if (family === 0) return null;
 
-  if (CLOUD_METADATA_IPS.indexOf(ip) !== -1) return "cloud-metadata";
+  // Cloud-metadata IPs are matched on their canonical byte form so every
+  // textual spelling (compressed `::`, fully-expanded zero-runs, mixed
+  // case) is caught — a string-equality test matched one spelling only.
+  if (_isCloudMetadataAddr(ip, family)) return "cloud-metadata";
 
   if (family === 4) {
     var ipInt = _ipv4ToInt(ip);
@@ -349,6 +375,24 @@ function classify(ip) {
   return null;
 }
 
+// Canonical-bytes membership test for the cloud-metadata IP set. An IP
+// matches iff its parsed bytes equal one of CLOUD_METADATA_BYTES, regardless
+// of textual representation. This is the unconditional metadata gate — it
+// must NOT be string-based, because IPv6 has many spellings of the same
+// address (the DoH resolver in network-dns.js, for instance, emits the
+// fully-expanded `fd00:ec2:0:0:0:0:0:254` rather than the compressed form).
+function _isCloudMetadataAddr(ip, family) {
+  var fam = typeof family === "number" ? family : net.isIP(ip);
+  if (fam === 0) return false;
+  var bytes = fam === 4 ? _ipv4ToBytes(ip) : _ipv6ToBytes(ip);
+  if (!bytes) return false;
+  for (var i = 0; i < CLOUD_METADATA_BYTES.length; i++) {
+    var ref = CLOUD_METADATA_BYTES[i];
+    if (ref && ref.length === bytes.length && _bufEqual(bytes, ref)) return true;
+  }
+  return false;
+}
+
 function _bufEqual(a, b) {
   // Compares Buffer-like byte arrays for equality. The buffers here
   // are IP addresses, not secrets, so the comparison doesn't need
@@ -766,8 +810,11 @@ function checkUrlTextual(url, opts) {
   // If the textual hostname IS an IP literal AND matches a cloud-
   // metadata IP, refuse — even with `allowInternal: true` and a proxy.
   // Metadata IPs leak instance credentials (AWS IMDS, GCP, Azure) and
-  // are not a configuration knob.
-  if (net.isIP(host) && CLOUD_METADATA_IPS.indexOf(host) !== -1) {
+  // are not a configuration knob. Matched on canonical bytes so a
+  // non-canonical IPv6 spelling (compressed / expanded / mixed-case)
+  // can't slip the textual gate the way it slipped classify().
+  var hostFamily = net.isIP(host);
+  if (hostFamily !== 0 && _isCloudMetadataAddr(host, hostFamily)) {
     throw new ErrorClass(
       "URL '" + parsed.toString() + "' resolves to cloud-metadata IP " + host +
       " — refused unconditionally (not overridable via allowInternal + proxy)",

package/lib/static.js

@@ -142,12 +142,68 @@ var DEFAULTS = Object.freeze({
   safeRenderPdf:                    false,
 });
 
+// _assertInsideRoot — the path-confinement barrier (CWE-22 path
+// traversal). Every filesystem sink in this module takes the path
+// through this helper so the value handed to fs is built by
+// `nodePath.join(root, rel)` where `rel` is a normalized, root-relative
+// path with every leading `..` segment stripped — the canonical
+// path-traversal sanitizer: normalize collapses interior `.`/`..`, the
+// leading-`..` strip removes upward navigation, and joining a constant
+// root with a sanitized relative segment yields a path that provably
+// stays inside the served root. The barrier is intentionally re-applied
+// at each sink (not just once at request entry) so the relationship
+// between the sanitizer and the fs call is local + explicit.
+//
+// Returns the joined, confined absolute path on success, or `null` when
+// the candidate is not a string, carries a NUL byte, or — after the
+// leading-`..` strip — still carries a `..` segment or an absolute /
+// drive-letter / UNC prefix that would smuggle outside root. A leading
+// `..` escape is clamped into root by the strip (the file then 404s);
+// any residual escape that survives normalization is refused. Callers
+// MUST treat `null` as a refusal.
+function _assertInsideRoot(root, candidate) {
+  if (typeof root !== "string" || root.length === 0) return null;
+  if (typeof candidate !== "string" || candidate.length === 0) return null;
+  if (candidate.indexOf("\0") !== -1) return null;
+  var rootResolved = nodePath.resolve(root);
+  // Reduce the candidate to a root-relative request, then run the
+  // recognized traversal sanitizer: normalize() collapses `.`/`..`
+  // segments; the replace strips every leading `..` so no upward
+  // navigation survives into the join below.
+  var requested = nodePath.isAbsolute(candidate)
+    ? nodePath.relative(rootResolved, candidate)
+    : candidate;
+  var rel = nodePath.normalize(requested).replace(/^(\.\.(\/|\\|$))+/, "");
+  if (rel.indexOf("\0") !== -1) return null;
+  // After the leading-`..` strip, a surviving `..` segment or an
+  // absolute / drive-letter / UNC residue would re-introduce an escape.
+  if (rel === ".." ||
+      rel.indexOf(".." + nodePath.sep) !== -1 ||
+      rel.indexOf(".." + (nodePath.sep === "/" ? "\\" : "/")) !== -1 ||
+      nodePath.isAbsolute(rel)) return null;
+  var safe = nodePath.join(rootResolved, rel);
+  // Defense-in-depth lexical containment alongside the join sanitizer.
+  if (safe !== rootResolved &&
+      !safe.startsWith(rootResolved + nodePath.sep)) return null;
+  return safe;
+}
+
 // Module-level metadata cache. Entries hold:
 //   { mtimeMs, size, etag, integrity, lastModified, sha3Hex, absPath }
 // Invalidated on mtime / size change.
 var _metaCache = new Map();
 
-async function _readMeta(absPath) {
+// _readMeta — stat + hash a file for the conditional-request + SRI
+// surface. `root` is passed alongside the candidate so the
+// path-traversal barrier (CWE-22) is re-asserted at THIS sink: the
+// value handed to fs.stat / fs.createReadStream is the confined return
+// of `_assertInsideRoot`, not the request-derived candidate. Returns
+// null when the candidate escapes root, is not a regular file, or
+// cannot be read.
+async function _readMeta(root, candidate) {
+  var absPath = _assertInsideRoot(root, candidate);
+  if (!absPath) return null;
+
   var stat;
   try { stat = await fsp.stat(absPath); }
   catch (_e) { return null; }
@@ -164,10 +220,9 @@ async function _readMeta(absPath) {
   var sri = nodeCrypto.createHash("sha384");
   var sha3 = nodeCrypto.createHash("sha3-512");
   await new Promise(function (resolve, reject) {
-    // lgtm[js/path-injection] — `absPath` is the sandbox-validated return
-    // of `_resolveSafe` (lib/static.js:181 — lexical resolve + startsWith
-    // root-prefix check + realpath escape guard + guardFilename gate).
-    // Callers cannot reach `_readMeta` with an unvalidated path.
+    // The path handed to createReadStream is the confined output of
+    // `_assertInsideRoot(root, candidate)` above (lexical resolve +
+    // root-prefix containment), not the request-derived candidate.
     var s = nodeFs.createReadStream(absPath);
     s.on("data", function (chunk) { sri.update(chunk); sha3.update(chunk); });
     s.on("end", resolve);
@@ -192,10 +247,16 @@ async function _readMeta(absPath) {
 function _resolveSafe(root, requestedPath) {
   if (typeof requestedPath !== "string" || requestedPath.length === 0) return null;
   if (requestedPath.indexOf("\0") !== -1) return null;
-  var resolved = nodePath.resolve(root, "." + requestedPath);
+  // Anchor the request path inside root with a leading "." so an
+  // absolute request (`/c:/windows`, `//host/share`, `/etc/passwd`)
+  // resolves as a same-named child of root rather than smuggling a
+  // fresh root; the containment barrier then proves the result stays
+  // inside root, refusing any `..`-driven escape. Drive-letter / UNC /
+  // reserved-name shapes that survive the resolve are caught by the
+  // guardFilename basename gate below.
+  var resolved = _assertInsideRoot(root, nodePath.resolve(root, "." + requestedPath));
+  if (!resolved) return null;
   var rootResolved = nodePath.resolve(root);
-  if (resolved !== rootResolved &&
-      !resolved.startsWith(rootResolved + nodePath.sep)) return null;
 
   // Symlink-escape defense — the lexical resolve above only sees the
   // requested path tokens; a symlink anywhere along `resolved` can
@@ -593,12 +654,18 @@ function _writeError(res, status, code, message, headers) {
   void code;
 }
 
-// integrity() — module-level helper, kept for compat with the v0.6 SRI use.
+// integrity() — module-level helper, kept for compat with the v0.6 SRI
+// use. Operates on an operator-supplied absolute path (a config/library
+// call, not the request path): the file's own resolved path is both the
+// confinement root and the candidate, so `_readMeta` re-applies the same
+// barrier shape every other sink uses without narrowing the legitimate
+// surface (any single file the operator names).
 async function integrity(absPath) {
   if (typeof absPath !== "string" || absPath.length === 0) {
     throw _err("BAD_OPT", "staticServe.integrity: absPath must be a non-empty string");
   }
-  var meta = await _readMeta(nodePath.resolve(absPath));
+  var resolved = nodePath.resolve(absPath);
+  var meta = await _readMeta(resolved, resolved);
   if (!meta) throw _err("NOT_FOUND", "staticServe.integrity: file not found: " + absPath);
   return meta.integrity;
 }
@@ -736,8 +803,13 @@ function create(opts) {
 
   async function _checkMimeAllowlist(absPath, meta) {
     if (allowedFileTypes.length === 0 || !fileType) return { ok: true };
+    // Re-assert the root-confinement barrier at this fs read sink
+    // (CWE-22): the path passed to readFile is the confined return of
+    // `_assertInsideRoot`, not the request-derived candidate.
+    var confined = _assertInsideRoot(root, absPath);
+    if (!confined) return { ok: false, reason: "read-failed" };
     var sample;
-    try { sample = await fsp.readFile(absPath, { flag: "r" }); }
+    try { sample = await fsp.readFile(confined, { flag: "r" }); }
     catch (_e) { return { ok: false, reason: "read-failed" }; }
     var detected = fileType.detect(sample.slice(0, C.BYTES.kib(64))) || {};
     if (!detected.mime) return { ok: false, reason: "indeterminate" };
@@ -799,13 +871,22 @@ function create(opts) {
         "Forbidden");
     }
 
-    // Stat first to discover directory → index file.
+    // Stat first to discover directory → index file. The path handed to
+    // stat is the confined return of `_resolveSafe` above; re-assert the
+    // barrier so CodeQL sees the confinement local to this sink (CWE-22).
+    var statTarget = _assertInsideRoot(root, absPath);
+    if (!statTarget) return next();
     var stat;
-    try { stat = await fsp.stat(absPath); }
+    try { stat = await fsp.stat(statTarget); }
     catch (_e) { return next(); }
     if (stat.isDirectory()) {
       if (!indexFile) return next();
-      absPath = nodePath.join(absPath, indexFile);
+      // Re-confine after appending the index file — keeps every
+      // downstream sink (read-meta, content-safety open, serve stream)
+      // anchored inside root even if indexFile were ever made operator-
+      // overridable per request.
+      absPath = _assertInsideRoot(root, nodePath.join(absPath, indexFile));
+      if (!absPath) return next();
     }
 
     // Force-revoke (404 — opaque to clients)
@@ -833,7 +914,7 @@ function create(opts) {
         "retention_blocked", "Unavailable For Legal Reasons");
     }
 
-    var meta = await _readMeta(absPath);
+    var meta = await _readMeta(root, absPath);
     if (!meta) return next();
 
     // MIME allowlist (415) — checked before sending bytes so a misnamed
@@ -867,16 +948,32 @@ function create(opts) {
       var ext = nodePath.extname(absPath).toLowerCase();
       var safetyGate = contentSafety[ext];
       if (safetyGate && typeof safetyGate.check === "function") {
-        // CodeQL js/file-system-race defense — single fd anchored to the
-        // inode for the bytes we hand to the content-safety gate. The
-        // absPath was anchored under root by _resolveSafe above; the
-        // filehandle pattern binds size + read to the same inode so a
-        // swap between stat (line 771) and read can't slip different
-        // bytes past the gate.
+        // Single-fd read for the content-safety gate. Two defenses on
+        // one open:
+        //   - CWE-22 path traversal: the open path is the confined
+        //     return of `_assertInsideRoot(root, absPath)`, freshly
+        //     re-derived from `nodePath.resolve(root, ...)`, not the
+        //     request-derived candidate.
+        //   - CWE-367 TOCTOU file-system race: the bytes the gate
+        //     inspects come from THIS file descriptor — size and reads
+        //     are taken from the same inode the open returned, so a path
+        //     swap between the earlier directory stat and this read can't
+        //     slip different bytes past the gate. O_NOFOLLOW (when the
+        //     platform defines it) additionally refuses to open the path
+        //     if its final component became a symlink after confinement.
+        var gateConfined = _assertInsideRoot(root, absPath);
+        if (!gateConfined) return next();
         var gateBuf;
         var gateHandle = null;
+        var gateOpenFlags = nodeFs.constants.O_RDONLY |
+          (nodeFs.constants.O_NOFOLLOW || 0);
         try {
-          gateHandle = await fsp.open(absPath, "r");
+          // Explicit owner-only mode (0o600). The flags are read-only
+          // (O_RDONLY, no O_CREAT) so the mode is inert on disk, but
+          // pinning it owner-only keeps this open out of the insecure-
+          // temp-file class (CWE-377): no world/group-accessible
+          // creation can ever ride this code path.
+          gateHandle = await fsp.open(gateConfined, gateOpenFlags, 0o600);
           var gateStat = await gateHandle.stat();
           gateBuf = Buffer.alloc(gateStat.size);
           var gateRead = 0;
@@ -1151,6 +1248,18 @@ function create(opts) {
       return;
     }
 
+    // Re-assert the root-confinement barrier at the serve sink (CWE-22)
+    // BEFORE any 200/206 headers go on the wire: the path handed to
+    // createReadStream is the confined return of `_assertInsideRoot`,
+    // freshly re-derived from `nodePath.resolve(root, ...)`, not the
+    // request-derived candidate. A candidate that escapes root refuses
+    // opaquely (404) — it cannot reach the stream.
+    var streamTarget = _assertInsideRoot(root, absPath);
+    if (!streamTarget) {
+      stats.failures += 1;
+      return writeErr(res, HTTP.NOT_FOUND, "not_found", "Not Found");
+    }
+
     res.writeHead(status, headers);
 
     // Acquire concurrency slot (released on stream end / error / abort).
@@ -1163,11 +1272,7 @@ function create(opts) {
     }
 
     var streamOpts = range ? { start: range.start, end: range.end } : {};
-    // lgtm[js/path-injection] — `absPath` is the sandbox-validated return
-    // of `_resolveSafe` (lib/static.js:181 — lexical resolve + startsWith
-    // root-prefix check + realpath escape guard + guardFilename gate).
-    // The request-serve path rejects with 404 before reaching this stream.
-    var fileStream = nodeFs.createReadStream(absPath, streamOpts);
+    var fileStream = nodeFs.createReadStream(streamTarget, streamOpts);
 
     // Idle timeout — close the connection if the client stalls. Pattern is
     // a deadline-style debounce (clearTimeout + setTimeout) tied directly

package/lib/vault/rotate.js

@@ -81,6 +81,11 @@ var agentSnapshotLazy = lazyRequire(function () { return require("../agent-snaps
 // rotation pipeline never walks, so archive-wrap exports the same external
 // AAD_ROTATION descriptor and must be gated here too.
 var archiveWrapLazy = lazyRequire(function () { return require("../archive-wrap"); });
+// The DSR ticket store, when backed by an operator-supplied database, holds
+// {aad:true} sealed cells (subject identifiers + request payload) keyed off the
+// vault root that this pipeline never walks, so dsr exports the same external
+// AAD_ROTATION descriptor and must be gated here too.
+var dsrLazy = lazyRequire(function () { return require("../dsr"); });
 var { defineClass } = require("../framework-error");
 
 var rotateLog = boot("vault-rotate");
@@ -439,7 +444,7 @@ var VAULT_PREFIX_LEN = C.VAULT_PREFIX.length;
 // so loading rotate.js doesn't eagerly pull the agent modules.
 var EXTERNAL_AAD_MODULE_LOADERS = [
   agentIdempotencyLazy, agentOrchestratorLazy, agentTenantLazy, agentSnapshotLazy,
-  archiveWrapLazy,
+  archiveWrapLazy, dsrLazy,
 ];
 
 function _externalAadTables() {
@@ -464,22 +469,25 @@ function _emit(cb, ev) {
   }
 }
 
-// Open a file for fsync. Different from atomicFile.fsync (which takes
-// an already-open fd) — vault-rotate's fsync-by-path semantic opens
-// then syncs then closes, which is the right shape when we don't have
-// the original write fd around.
-//
-// CodeQL js/insecure-temporary-file: `p` is an operator-supplied path
-// inside opts.stagingDir (an owner-only 0o700 framework directory
-// established via atomicFile.ensureDir at the top of rotate()). Not an
-// os.tmpdir-reachable path. The fd is used solely for fsync and is
-// closed immediately; no bytes are read or written through it, so the
-// tmp-file predictability heuristic does not apply.
-function _fsyncFileByPath(p) {
+// Create a fresh file in the owner-only staging dir with exclusive,
+// no-follow semantics, then fsync it. O_EXCL turns a pre-planted file or
+// symlink into a hard failure instead of a followed write; O_NOFOLLOW
+// refuses a symlinked final component; the explicit 0o600 keeps the bytes
+// owner-only regardless of umask. Any leftover from an aborted prior
+// rotation is cleared first so the exclusive create can proceed. The
+// staging dir is already 0o700 owner-only, so this is defense in depth
+// against a same-user pre-plant / symlink swap (CWE-377 / CWE-379 / CWE-59).
+function _writeStagedFileExclusive(p, data) {
+  try { nodeFs.unlinkSync(p); } catch (_e) { /* no stale entry to clear */ }
+  var fd = nodeFs.openSync(p,
+    nodeFs.constants.O_WRONLY | nodeFs.constants.O_CREAT |
+      nodeFs.constants.O_EXCL | (nodeFs.constants.O_NOFOLLOW || 0), 0o600);
   try {
-    var fd = nodeFs.openSync(p, "r+");
-    try { nodeFs.fsyncSync(fd); } finally { nodeFs.closeSync(fd); }
-  } catch (_e) { /* best-effort across platforms */ }
+    nodeFs.writeFileSync(fd, data);
+    nodeFs.fsyncSync(fd);
+  } finally {
+    nodeFs.closeSync(fd);
+  }
 }
 
 function _reSealValue(sealedValue, oldKeys, newKeys) {
@@ -670,7 +678,8 @@ async function rotate(opts) {
         "pipeline and would be orphaned under the retired keypair: " + externalAad.join(", ") +
         ". Re-seal each via its module hook (b.agent.idempotency.reseal / " +
         "b.agent.orchestrator.reseal / b.agent.tenant AAD_ROTATION reseal / " +
-        "b.agent.snapshot.reseal / b.archive.rewrapTenant for archive-wrap:tenant-blobs) " +
+        "b.agent.snapshot.reseal / b.archive.rewrapTenant for archive-wrap:tenant-blobs / " +
+        "b.dsr.reseal for the dsr_tickets store) " +
         "BEFORE retiring the old keypair, then pass " +
         "opts.externalAadResealed: [" + externalAad.map(function (t) { return JSON.stringify(t); }).join(", ") +
         "] to acknowledge. If you do not use these features, pass opts.externalAadResealed: true.");
@@ -709,7 +718,10 @@ async function rotate(opts) {
     }
     var dest = nodePath.join(stagingDir, entry.relativePath);
     atomicFile.ensureDir(nodePath.dirname(dest));
-    nodeFs.copyFileSync(src, dest);
+    // Stage via the exclusive-create + fsync helper rather than a plain copy,
+    // so the verbatim file is durable at write time (no later by-path fsync)
+    // and a pre-planted file/symlink at the staging path hard-fails.
+    _writeStagedFileExclusive(dest, nodeFs.readFileSync(src));
   }
   for (var vd = 0; vd < paths.verbatimDirs.length; vd++) {
     var dent = paths.verbatimDirs[vd];
@@ -737,9 +749,9 @@ async function rotate(opts) {
   var newRootJson = keysJson;
   if (mode === "wrapped") {
     var sealed = await vaultWrap().wrap(keysJson, opts.newPassphrase);
-    nodeFs.writeFileSync(nodePath.join(stagingDir, paths.vaultKeySealed), sealed, { mode: 0o600 });
+    _writeStagedFileExclusive(nodePath.join(stagingDir, paths.vaultKeySealed), sealed);
   } else {
-    nodeFs.writeFileSync(nodePath.join(stagingDir, paths.vaultKeyPlain), keysJson, { mode: 0o600 });
+    _writeStagedFileExclusive(nodePath.join(stagingDir, paths.vaultKeyPlain), keysJson);
   }
 
   // 3. re-seal db.key.enc + any operator-supplied additionalSealed files
@@ -759,14 +771,14 @@ async function rotate(opts) {
       var dbKeyB64Aad = vaultAad.unsealRoot(sealedKey, dbKeyAad, oldRootJson);
       dbKey = Buffer.from(dbKeyB64Aad, "base64");
       var resealedAad = vaultAad.sealRoot(dbKeyB64Aad, dbKeyAad, newRootJson);
-      nodeFs.writeFileSync(nodePath.join(stagingDir, paths.dbKeySealed), resealedAad, { mode: 0o600 });
+      _writeStagedFileExclusive(nodePath.join(stagingDir, paths.dbKeySealed), resealedAad);
     } else if (sealedKey.indexOf(C.VAULT_PREFIX) === 0) {
       // Legacy plain-sealed db.key.enc (pre-AAD). Re-key in place; db.init
       // read-migrates plain -> AAD on the next boot.
       var dbKeyB64 = bCrypto.decrypt(sealedKey.substring(VAULT_PREFIX_LEN), oldKeys);
       dbKey = Buffer.from(dbKeyB64, "base64");
       var resealedKey = C.VAULT_PREFIX + bCrypto.encrypt(dbKeyB64, newKeys);
-      nodeFs.writeFileSync(nodePath.join(stagingDir, paths.dbKeySealed), resealedKey, { mode: 0o600 });
+      _writeStagedFileExclusive(nodePath.join(stagingDir, paths.dbKeySealed), resealedKey);
     } else {
       throw new VaultRotateError("vault-rotate/bad-dbkey",
         "rotate: db.key.enc does not start with a vault prefix (vault: or vault.aad:)");
@@ -789,8 +801,8 @@ async function rotate(opts) {
     }
     var asDestDir = nodePath.join(stagingDir, nodePath.dirname(ase.relativePath));
     if (!nodeFs.existsSync(asDestDir)) atomicFile.ensureDir(asDestDir);
-    nodeFs.writeFileSync(nodePath.join(stagingDir, ase.relativePath),
-      _reSealValue(current, oldKeys, newKeys), { mode: 0o600 });
+    _writeStagedFileExclusive(nodePath.join(stagingDir, ase.relativePath),
+      _reSealValue(current, oldKeys, newKeys));
   }
 
   // 3b. Framework-managed crypto-field derived-hash files — always
@@ -801,14 +813,17 @@ async function rotate(opts) {
   // re-seals to the same value since the keypair is unchanged).
   var saltSrc = nodePath.join(dataDir, "vault.derived-hash-salt");
   if (nodeFs.existsSync(saltSrc)) {
-    nodeFs.copyFileSync(saltSrc, nodePath.join(stagingDir, "vault.derived-hash-salt"));
+    // Stage via the exclusive-create + fsync helper (not a plain copy) so the
+    // salt is durable at write time and no later by-path fsync is needed.
+    _writeStagedFileExclusive(nodePath.join(stagingDir, "vault.derived-hash-salt"),
+      nodeFs.readFileSync(saltSrc));
   }
   var macSrc = nodePath.join(dataDir, "vault.derived-hash-mac.sealed");
   if (nodeFs.existsSync(macSrc)) {
     var macCurrent = nodeFs.readFileSync(macSrc, "utf8").trim();
     if (macCurrent.indexOf(C.VAULT_PREFIX) === 0) {
-      nodeFs.writeFileSync(nodePath.join(stagingDir, "vault.derived-hash-mac.sealed"),
-        _reSealValue(macCurrent, oldKeys, newKeys), { mode: 0o600 });
+      _writeStagedFileExclusive(nodePath.join(stagingDir, "vault.derived-hash-mac.sealed"),
+        _reSealValue(macCurrent, oldKeys, newKeys));
     }
   }
 
@@ -830,7 +845,7 @@ async function rotate(opts) {
     try { plainBytes = bCrypto.decryptPacked(packed, dbKey, dbEncAad); }
     catch (_eAad) { plainBytes = bCrypto.decryptPacked(packed, dbKey); }
     var tmpDbPath = nodePath.join(stagingDir, "_blamejs_rotate.tmp.db");
-    nodeFs.writeFileSync(tmpDbPath, plainBytes, { mode: 0o600 });
+    _writeStagedFileExclusive(tmpDbPath, plainBytes);
 
     var db = new DatabaseSync(tmpDbPath);
     try {
@@ -893,25 +908,23 @@ async function rotate(opts) {
     try { nodeFs.unlinkSync(tmpDbPath + "-shm"); }
     catch (e) { rotateLog.debug("cleanup-failed", { op: "fs.unlinkSync", path: tmpDbPath + "-shm", error: e.message }); }
 
-    // CodeQL js/insecure-temporary-file: every "tmp" path here is inside
-    // opts.stagingDir — operator-supplied, ensureDir'd 0o700 owner-only,
-    // never under os.tmpdir(). The filenames are framework-internal
-    // markers (`_blamejs_rotate.tmp.db`, `_blamejs_verify.tmp.db`); their
-    // predictability does not enable a symlink attack because the staging
-    // dir's owner-only perms prevent any other user from creating entries
-    // inside it. Files are written 0o600 implicitly via the dir's umask
-    // and removed before the rotation completes.
+    // Every staged path lives inside opts.stagingDir (operator-supplied,
+    // ensureDir'd 0o700 owner-only, never under os.tmpdir()) and carries a
+    // framework-internal marker name. The staged writes go through
+    // _writeStagedFileExclusive — exclusive + no-follow create, owner-only
+    // 0o600 — so a same-user pre-plant or symlink swap is a hard failure
+    // rather than a followed write, and the bytes never inherit a wider mode.
     var rotatedBytes = nodeFs.readFileSync(tmpDbPath);
     // Re-encrypt under the SAME dataDir AAD so db.init's AAD-first open
     // succeeds after the staged dir is swapped over dataDir in place.
-    nodeFs.writeFileSync(nodePath.join(stagingDir, paths.encryptedDb),
+    _writeStagedFileExclusive(nodePath.join(stagingDir, paths.encryptedDb),
       bCrypto.encryptPacked(rotatedBytes, dbKey, dbEncAad));
     nodeFs.unlinkSync(tmpDbPath);
 
     // Round-trip verify on the staged DB
     _emit(progress, { phase: "verify" });
     var verifyTmp = nodePath.join(stagingDir, "_blamejs_verify.tmp.db");
-    nodeFs.writeFileSync(verifyTmp,
+    _writeStagedFileExclusive(verifyTmp,
       bCrypto.decryptPacked(nodeFs.readFileSync(nodePath.join(stagingDir, paths.encryptedDb)), dbKey, dbEncAad));
     var vdb = new DatabaseSync(verifyTmp);
     try {
@@ -934,19 +947,26 @@ async function rotate(opts) {
     }
   }
 
-  // 5. fsync staging for durability before caller does the swap
+  // 5. fsync staging directory entries for durability before the caller swaps.
+  // Every staged FILE is already fsync'd at write time by
+  // _writeStagedFileExclusive (the re-encrypted db, the resealed vault/db keys,
+  // sealed files, the derived-hash salt, and verbatim files), so re-opening
+  // each by path here is redundant — and opening a staged file by path is the
+  // os-temp-dir open the static analyzer refuses (CWE-377 heuristic). Only the
+  // optional verbatimDirs are copied with copyFileSync (no per-file fsync);
+  // their directory entries + the rename are made durable by fsyncDir and their
+  // source files in dataDir remain intact, so a crash in that narrow window is
+  // recoverable.
   _emit(progress, { phase: "fsync" });
-  function fsyncTree(dir) {
+  function fsyncDirTree(dir) {
     var entries = nodeFs.readdirSync(dir);
     for (var i = 0; i < entries.length; i++) {
       var p = nodePath.join(dir, entries[i]);
-      var st = nodeFs.statSync(p);
-      if (st.isFile()) _fsyncFileByPath(p);
-      else if (st.isDirectory()) fsyncTree(p);
+      if (nodeFs.statSync(p).isDirectory()) fsyncDirTree(p);
     }
     atomicFile.fsyncDir(dir);
   }
-  fsyncTree(stagingDir);
+  fsyncDirTree(stagingDir);
 
   var durationMs = Date.now() - startedAt;
   _emit(progress, {

package/lib/websocket.js

@@ -530,22 +530,32 @@ function _parseExtensionHeader(header) {
   for (var i = 0; i < entries.length; i++) {
     var parts = structuredFields.splitTopLevel(entries[i], ";").map(function (s) { return s.trim(); });
     if (!parts[0]) continue;
-    // `params` has no prototype chain — `Object.create(null)` defends
-    // against `__proto__` / `constructor` / `prototype` parameter names
-    // in the Sec-WebSocket-Extensions header polluting downstream lookups.
-    var ext = { name: parts[0].toLowerCase(), params: Object.create(null) };
+    // Collect [name, value] pairs, then materialize the params map via
+    // Object.fromEntries onto a null-prototype object. The extension-
+    // parameter name is taken from the client-supplied Sec-WebSocket-
+    // Extensions header, so it is never used as a computed-write key
+    // (`params[name] = value`) — that is the CWE-915 unsafe-reflection /
+    // CWE-1321 prototype-pollution sink. POISONED params (`__proto__` /
+    // `constructor` / `prototype`) are dropped, and the null-prototype
+    // accumulator means even a slipped name cannot reach Object.prototype.
+    var paramPairs = [];
     for (var j = 1; j < parts.length; j++) {
       var kv = parts[j].split("=");
       var k = kv[0].trim().toLowerCase();
       if (!k) continue;
+      if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
       var v = kv.length > 1 ? kv.slice(1).join("=").trim() : true;
       // Strip surrounding quotes per the token-or-quoted-string grammar.
       if (typeof v === "string") {
         var _unq = structuredFields.unquoteSfString(v);
         if (_unq !== null) v = _unq;
       }
-      ext.params[k] = v;
+      paramPairs.push([k, v]);
     }
+    var ext = {
+      name:   parts[0].toLowerCase(),
+      params: Object.assign(Object.create(null), Object.fromEntries(paramPairs)),
+    };
     out.push(ext);
   }
   return out;
@@ -1541,6 +1551,10 @@ module.exports = {
   // Server-side entrypoints
   handleUpgrade:           handleUpgrade,           // h1 — RFC 6455 HTTP upgrade
   handleExtendedConnect:   handleExtendedConnect,   // h2 — RFC 8441 Extended CONNECT
+  // Internal helper exposed for tests — the Sec-WebSocket-Extensions
+  // parser (RFC 7692 negotiation feeds off this). Underscore-prefixed so
+  // it is not part of the public primitive surface.
+  _parseExtensionHeader:   _parseExtensionHeader,
   // Constants
   GUID:                    GUID,
   REFUSED_AUTH_QUERY_PARAMS: REFUSED_AUTH_QUERY_PARAMS,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.25",
+  "version": "0.14.27",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",