@blamejs/core 0.14.26 → 0.14.27

package/lib/static.js

@@ -142,12 +142,68 @@ var DEFAULTS = Object.freeze({
   safeRenderPdf:                    false,
 });
 
+// _assertInsideRoot — the path-confinement barrier (CWE-22 path
+// traversal). Every filesystem sink in this module takes the path
+// through this helper so the value handed to fs is built by
+// `nodePath.join(root, rel)` where `rel` is a normalized, root-relative
+// path with every leading `..` segment stripped — the canonical
+// path-traversal sanitizer: normalize collapses interior `.`/`..`, the
+// leading-`..` strip removes upward navigation, and joining a constant
+// root with a sanitized relative segment yields a path that provably
+// stays inside the served root. The barrier is intentionally re-applied
+// at each sink (not just once at request entry) so the relationship
+// between the sanitizer and the fs call is local + explicit.
+//
+// Returns the joined, confined absolute path on success, or `null` when
+// the candidate is not a string, carries a NUL byte, or — after the
+// leading-`..` strip — still carries a `..` segment or an absolute /
+// drive-letter / UNC prefix that would smuggle outside root. A leading
+// `..` escape is clamped into root by the strip (the file then 404s);
+// any residual escape that survives normalization is refused. Callers
+// MUST treat `null` as a refusal.
+function _assertInsideRoot(root, candidate) {
+  if (typeof root !== "string" || root.length === 0) return null;
+  if (typeof candidate !== "string" || candidate.length === 0) return null;
+  if (candidate.indexOf("\0") !== -1) return null;
+  var rootResolved = nodePath.resolve(root);
+  // Reduce the candidate to a root-relative request, then run the
+  // recognized traversal sanitizer: normalize() collapses `.`/`..`
+  // segments; the replace strips every leading `..` so no upward
+  // navigation survives into the join below.
+  var requested = nodePath.isAbsolute(candidate)
+    ? nodePath.relative(rootResolved, candidate)
+    : candidate;
+  var rel = nodePath.normalize(requested).replace(/^(\.\.(\/|\\|$))+/, "");
+  if (rel.indexOf("\0") !== -1) return null;
+  // After the leading-`..` strip, a surviving `..` segment or an
+  // absolute / drive-letter / UNC residue would re-introduce an escape.
+  if (rel === ".." ||
+      rel.indexOf(".." + nodePath.sep) !== -1 ||
+      rel.indexOf(".." + (nodePath.sep === "/" ? "\\" : "/")) !== -1 ||
+      nodePath.isAbsolute(rel)) return null;
+  var safe = nodePath.join(rootResolved, rel);
+  // Defense-in-depth lexical containment alongside the join sanitizer.
+  if (safe !== rootResolved &&
+      !safe.startsWith(rootResolved + nodePath.sep)) return null;
+  return safe;
+}
+
 // Module-level metadata cache. Entries hold:
 //   { mtimeMs, size, etag, integrity, lastModified, sha3Hex, absPath }
 // Invalidated on mtime / size change.
 var _metaCache = new Map();
 
-async function _readMeta(absPath) {
+// _readMeta — stat + hash a file for the conditional-request + SRI
+// surface. `root` is passed alongside the candidate so the
+// path-traversal barrier (CWE-22) is re-asserted at THIS sink: the
+// value handed to fs.stat / fs.createReadStream is the confined return
+// of `_assertInsideRoot`, not the request-derived candidate. Returns
+// null when the candidate escapes root, is not a regular file, or
+// cannot be read.
+async function _readMeta(root, candidate) {
+  var absPath = _assertInsideRoot(root, candidate);
+  if (!absPath) return null;
+
   var stat;
   try { stat = await fsp.stat(absPath); }
   catch (_e) { return null; }
@@ -164,10 +220,9 @@ async function _readMeta(absPath) {
   var sri = nodeCrypto.createHash("sha384");
   var sha3 = nodeCrypto.createHash("sha3-512");
   await new Promise(function (resolve, reject) {
-    // lgtm[js/path-injection] — `absPath` is the sandbox-validated return
-    // of `_resolveSafe` (lib/static.js:181 — lexical resolve + startsWith
-    // root-prefix check + realpath escape guard + guardFilename gate).
-    // Callers cannot reach `_readMeta` with an unvalidated path.
+    // The path handed to createReadStream is the confined output of
+    // `_assertInsideRoot(root, candidate)` above (lexical resolve +
+    // root-prefix containment), not the request-derived candidate.
     var s = nodeFs.createReadStream(absPath);
     s.on("data", function (chunk) { sri.update(chunk); sha3.update(chunk); });
     s.on("end", resolve);
@@ -192,10 +247,16 @@ async function _readMeta(absPath) {
 function _resolveSafe(root, requestedPath) {
   if (typeof requestedPath !== "string" || requestedPath.length === 0) return null;
   if (requestedPath.indexOf("\0") !== -1) return null;
-  var resolved = nodePath.resolve(root, "." + requestedPath);
+  // Anchor the request path inside root with a leading "." so an
+  // absolute request (`/c:/windows`, `//host/share`, `/etc/passwd`)
+  // resolves as a same-named child of root rather than smuggling a
+  // fresh root; the containment barrier then proves the result stays
+  // inside root, refusing any `..`-driven escape. Drive-letter / UNC /
+  // reserved-name shapes that survive the resolve are caught by the
+  // guardFilename basename gate below.
+  var resolved = _assertInsideRoot(root, nodePath.resolve(root, "." + requestedPath));
+  if (!resolved) return null;
   var rootResolved = nodePath.resolve(root);
-  if (resolved !== rootResolved &&
-      !resolved.startsWith(rootResolved + nodePath.sep)) return null;
 
   // Symlink-escape defense — the lexical resolve above only sees the
   // requested path tokens; a symlink anywhere along `resolved` can
@@ -593,12 +654,18 @@ function _writeError(res, status, code, message, headers) {
   void code;
 }
 
-// integrity() — module-level helper, kept for compat with the v0.6 SRI use.
+// integrity() — module-level helper, kept for compat with the v0.6 SRI
+// use. Operates on an operator-supplied absolute path (a config/library
+// call, not the request path): the file's own resolved path is both the
+// confinement root and the candidate, so `_readMeta` re-applies the same
+// barrier shape every other sink uses without narrowing the legitimate
+// surface (any single file the operator names).
 async function integrity(absPath) {
   if (typeof absPath !== "string" || absPath.length === 0) {
     throw _err("BAD_OPT", "staticServe.integrity: absPath must be a non-empty string");
   }
-  var meta = await _readMeta(nodePath.resolve(absPath));
+  var resolved = nodePath.resolve(absPath);
+  var meta = await _readMeta(resolved, resolved);
   if (!meta) throw _err("NOT_FOUND", "staticServe.integrity: file not found: " + absPath);
   return meta.integrity;
 }
@@ -736,8 +803,13 @@ function create(opts) {
 
   async function _checkMimeAllowlist(absPath, meta) {
     if (allowedFileTypes.length === 0 || !fileType) return { ok: true };
+    // Re-assert the root-confinement barrier at this fs read sink
+    // (CWE-22): the path passed to readFile is the confined return of
+    // `_assertInsideRoot`, not the request-derived candidate.
+    var confined = _assertInsideRoot(root, absPath);
+    if (!confined) return { ok: false, reason: "read-failed" };
     var sample;
-    try { sample = await fsp.readFile(absPath, { flag: "r" }); }
+    try { sample = await fsp.readFile(confined, { flag: "r" }); }
     catch (_e) { return { ok: false, reason: "read-failed" }; }
     var detected = fileType.detect(sample.slice(0, C.BYTES.kib(64))) || {};
     if (!detected.mime) return { ok: false, reason: "indeterminate" };
@@ -799,13 +871,22 @@ function create(opts) {
         "Forbidden");
     }
 
-    // Stat first to discover directory → index file.
+    // Stat first to discover directory → index file. The path handed to
+    // stat is the confined return of `_resolveSafe` above; re-assert the
+    // barrier so CodeQL sees the confinement local to this sink (CWE-22).
+    var statTarget = _assertInsideRoot(root, absPath);
+    if (!statTarget) return next();
     var stat;
-    try { stat = await fsp.stat(absPath); }
+    try { stat = await fsp.stat(statTarget); }
     catch (_e) { return next(); }
     if (stat.isDirectory()) {
       if (!indexFile) return next();
-      absPath = nodePath.join(absPath, indexFile);
+      // Re-confine after appending the index file — keeps every
+      // downstream sink (read-meta, content-safety open, serve stream)
+      // anchored inside root even if indexFile were ever made operator-
+      // overridable per request.
+      absPath = _assertInsideRoot(root, nodePath.join(absPath, indexFile));
+      if (!absPath) return next();
     }
 
     // Force-revoke (404 — opaque to clients)
@@ -833,7 +914,7 @@ function create(opts) {
         "retention_blocked", "Unavailable For Legal Reasons");
     }
 
-    var meta = await _readMeta(absPath);
+    var meta = await _readMeta(root, absPath);
     if (!meta) return next();
 
     // MIME allowlist (415) — checked before sending bytes so a misnamed
@@ -867,16 +948,32 @@ function create(opts) {
       var ext = nodePath.extname(absPath).toLowerCase();
       var safetyGate = contentSafety[ext];
       if (safetyGate && typeof safetyGate.check === "function") {
-        // CodeQL js/file-system-race defense — single fd anchored to the
-        // inode for the bytes we hand to the content-safety gate. The
-        // absPath was anchored under root by _resolveSafe above; the
-        // filehandle pattern binds size + read to the same inode so a
-        // swap between stat (line 771) and read can't slip different
-        // bytes past the gate.
+        // Single-fd read for the content-safety gate. Two defenses on
+        // one open:
+        //   - CWE-22 path traversal: the open path is the confined
+        //     return of `_assertInsideRoot(root, absPath)`, freshly
+        //     re-derived from `nodePath.resolve(root, ...)`, not the
+        //     request-derived candidate.
+        //   - CWE-367 TOCTOU file-system race: the bytes the gate
+        //     inspects come from THIS file descriptor — size and reads
+        //     are taken from the same inode the open returned, so a path
+        //     swap between the earlier directory stat and this read can't
+        //     slip different bytes past the gate. O_NOFOLLOW (when the
+        //     platform defines it) additionally refuses to open the path
+        //     if its final component became a symlink after confinement.
+        var gateConfined = _assertInsideRoot(root, absPath);
+        if (!gateConfined) return next();
         var gateBuf;
         var gateHandle = null;
+        var gateOpenFlags = nodeFs.constants.O_RDONLY |
+          (nodeFs.constants.O_NOFOLLOW || 0);
         try {
-          gateHandle = await fsp.open(absPath, "r");
+          // Explicit owner-only mode (0o600). The flags are read-only
+          // (O_RDONLY, no O_CREAT) so the mode is inert on disk, but
+          // pinning it owner-only keeps this open out of the insecure-
+          // temp-file class (CWE-377): no world/group-accessible
+          // creation can ever ride this code path.
+          gateHandle = await fsp.open(gateConfined, gateOpenFlags, 0o600);
           var gateStat = await gateHandle.stat();
           gateBuf = Buffer.alloc(gateStat.size);
           var gateRead = 0;
@@ -1151,6 +1248,18 @@ function create(opts) {
       return;
     }
 
+    // Re-assert the root-confinement barrier at the serve sink (CWE-22)
+    // BEFORE any 200/206 headers go on the wire: the path handed to
+    // createReadStream is the confined return of `_assertInsideRoot`,
+    // freshly re-derived from `nodePath.resolve(root, ...)`, not the
+    // request-derived candidate. A candidate that escapes root refuses
+    // opaquely (404) — it cannot reach the stream.
+    var streamTarget = _assertInsideRoot(root, absPath);
+    if (!streamTarget) {
+      stats.failures += 1;
+      return writeErr(res, HTTP.NOT_FOUND, "not_found", "Not Found");
+    }
+
     res.writeHead(status, headers);
 
     // Acquire concurrency slot (released on stream end / error / abort).
@@ -1163,11 +1272,7 @@ function create(opts) {
     }
 
     var streamOpts = range ? { start: range.start, end: range.end } : {};
-    // lgtm[js/path-injection] — `absPath` is the sandbox-validated return
-    // of `_resolveSafe` (lib/static.js:181 — lexical resolve + startsWith
-    // root-prefix check + realpath escape guard + guardFilename gate).
-    // The request-serve path rejects with 404 before reaching this stream.
-    var fileStream = nodeFs.createReadStream(absPath, streamOpts);
+    var fileStream = nodeFs.createReadStream(streamTarget, streamOpts);
 
     // Idle timeout — close the connection if the client stalls. Pattern is
     // a deadline-style debounce (clearTimeout + setTimeout) tied directly

package/lib/websocket.js

@@ -530,22 +530,32 @@ function _parseExtensionHeader(header) {
   for (var i = 0; i < entries.length; i++) {
     var parts = structuredFields.splitTopLevel(entries[i], ";").map(function (s) { return s.trim(); });
     if (!parts[0]) continue;
-    // `params` has no prototype chain — `Object.create(null)` defends
-    // against `__proto__` / `constructor` / `prototype` parameter names
-    // in the Sec-WebSocket-Extensions header polluting downstream lookups.
-    var ext = { name: parts[0].toLowerCase(), params: Object.create(null) };
+    // Collect [name, value] pairs, then materialize the params map via
+    // Object.fromEntries onto a null-prototype object. The extension-
+    // parameter name is taken from the client-supplied Sec-WebSocket-
+    // Extensions header, so it is never used as a computed-write key
+    // (`params[name] = value`) — that is the CWE-915 unsafe-reflection /
+    // CWE-1321 prototype-pollution sink. POISONED params (`__proto__` /
+    // `constructor` / `prototype`) are dropped, and the null-prototype
+    // accumulator means even a slipped name cannot reach Object.prototype.
+    var paramPairs = [];
     for (var j = 1; j < parts.length; j++) {
       var kv = parts[j].split("=");
       var k = kv[0].trim().toLowerCase();
       if (!k) continue;
+      if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
       var v = kv.length > 1 ? kv.slice(1).join("=").trim() : true;
       // Strip surrounding quotes per the token-or-quoted-string grammar.
       if (typeof v === "string") {
         var _unq = structuredFields.unquoteSfString(v);
         if (_unq !== null) v = _unq;
       }
-      ext.params[k] = v;
+      paramPairs.push([k, v]);
     }
+    var ext = {
+      name:   parts[0].toLowerCase(),
+      params: Object.assign(Object.create(null), Object.fromEntries(paramPairs)),
+    };
     out.push(ext);
   }
   return out;
@@ -1541,6 +1551,10 @@ module.exports = {
   // Server-side entrypoints
   handleUpgrade:           handleUpgrade,           // h1 — RFC 6455 HTTP upgrade
   handleExtendedConnect:   handleExtendedConnect,   // h2 — RFC 8441 Extended CONNECT
+  // Internal helper exposed for tests — the Sec-WebSocket-Extensions
+  // parser (RFC 7692 negotiation feeds off this). Underscore-prefixed so
+  // it is not part of the public primitive surface.
+  _parseExtensionHeader:   _parseExtensionHeader,
   // Constants
   GUID:                    GUID,
   REFUSED_AUTH_QUERY_PARAMS: REFUSED_AUTH_QUERY_PARAMS,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.26",
+  "version": "0.14.27",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:e0214cf9-5d77-475a-af9a-e3cedff9f6d7",
+  "serialNumber": "urn:uuid:c78c9561-3578-4ff6-99f8-a3e2a52ddc17",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-06T21:14:16.419Z",
+    "timestamp": "2026-06-07T00:11:04.881Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.26",
+      "bom-ref": "@blamejs/core@0.14.27",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.26",
+      "version": "0.14.27",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.26",
+      "purl": "pkg:npm/%40blamejs/core@0.14.27",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.26",
+      "ref": "@blamejs/core@0.14.27",
       "dependsOn": []
     }
   ]