@blamejs/core 0.16.0 → 0.16.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/bin/blamejs.js +2 -0
- package/index.js +2 -0
- package/lib/_test/crypto-fixtures.js +2 -0
- package/lib/a2a-tasks.js +2 -0
- package/lib/a2a.js +2 -0
- package/lib/acme.js +7 -1
- package/lib/agent-audit.js +2 -0
- package/lib/agent-envelope-mac.js +2 -0
- package/lib/agent-event-bus.js +2 -0
- package/lib/agent-idempotency.js +2 -0
- package/lib/agent-orchestrator.js +2 -0
- package/lib/agent-posture-chain.js +2 -0
- package/lib/agent-saga.js +2 -0
- package/lib/agent-snapshot.js +2 -0
- package/lib/agent-stream.js +2 -0
- package/lib/agent-tenant.js +2 -0
- package/lib/agent-trace.js +2 -0
- package/lib/ai-adverse-decision.js +2 -0
- package/lib/ai-aedt-bias-audit.js +2 -0
- package/lib/ai-capability.js +2 -0
- package/lib/ai-content-detect.js +2 -0
- package/lib/ai-disclosure.js +2 -0
- package/lib/ai-dp.js +2 -0
- package/lib/ai-frontier-protocol.js +2 -0
- package/lib/ai-input.js +2 -0
- package/lib/ai-model-manifest.js +2 -0
- package/lib/ai-output.js +2 -0
- package/lib/ai-pref.js +2 -0
- package/lib/ai-prompt.js +2 -0
- package/lib/ai-quota.js +2 -0
- package/lib/api-key.js +2 -0
- package/lib/api-snapshot.js +2 -0
- package/lib/app-shutdown.js +2 -0
- package/lib/app.js +2 -0
- package/lib/archive-adapters.js +2 -0
- package/lib/archive-entry-policy.js +2 -0
- package/lib/archive-gz.js +2 -0
- package/lib/archive-read.js +2 -0
- package/lib/archive-tar-read.js +2 -0
- package/lib/archive-tar.js +2 -0
- package/lib/archive-wrap.js +2 -0
- package/lib/archive.js +2 -0
- package/lib/arg-parser.js +2 -0
- package/lib/argon2-builtin.js +2 -0
- package/lib/asn1-der.js +2 -0
- package/lib/asyncapi-bindings.js +2 -0
- package/lib/asyncapi-traits.js +2 -0
- package/lib/asyncapi.js +2 -0
- package/lib/atomic-file.js +2 -0
- package/lib/audit-chain.js +2 -0
- package/lib/audit-daily-review.js +2 -0
- package/lib/audit-emit.js +2 -0
- package/lib/audit-sign.js +2 -0
- package/lib/audit-tools.js +2 -0
- package/lib/audit.js +2 -0
- package/lib/auth/aal.js +2 -0
- package/lib/auth/access-lock.js +2 -0
- package/lib/auth/acr-vocabulary.js +2 -0
- package/lib/auth/ato-kill-switch.js +2 -0
- package/lib/auth/auth-time-tracker.js +2 -0
- package/lib/auth/bot-challenge.js +2 -0
- package/lib/auth/ciba.js +2 -0
- package/lib/auth/dpop.js +2 -0
- package/lib/auth/elevation-grant.js +2 -0
- package/lib/auth/fal.js +2 -0
- package/lib/auth/fido-mds3.js +2 -0
- package/lib/auth/jar.js +2 -0
- package/lib/auth/jwt-external.js +2 -0
- package/lib/auth/jwt.js +2 -0
- package/lib/auth/lockout.js +2 -0
- package/lib/auth/oauth.js +84 -17
- package/lib/auth/oid4vci.js +2 -0
- package/lib/auth/oid4vp.js +2 -0
- package/lib/auth/openid-federation.js +2 -0
- package/lib/auth/passkey.js +2 -0
- package/lib/auth/password.js +2 -0
- package/lib/auth/saml.js +30 -5
- package/lib/auth/sd-jwt-vc-disclosure.js +2 -0
- package/lib/auth/sd-jwt-vc-holder.js +2 -0
- package/lib/auth/sd-jwt-vc-issuer.js +2 -0
- package/lib/auth/sd-jwt-vc.js +2 -0
- package/lib/auth/status-list.js +2 -0
- package/lib/auth/step-up-policy.js +2 -0
- package/lib/auth/step-up.js +2 -0
- package/lib/auth-bot-challenge.js +2 -0
- package/lib/auth-header.js +2 -0
- package/lib/backup/bundle.js +2 -0
- package/lib/backup/crypto.js +2 -0
- package/lib/backup/index.js +14 -0
- package/lib/backup/manifest.js +2 -0
- package/lib/base32.js +2 -0
- package/lib/boot-gates.js +2 -0
- package/lib/bounded-map.js +2 -0
- package/lib/breach-deadline.js +2 -0
- package/lib/break-glass.js +2 -0
- package/lib/budr.js +2 -0
- package/lib/bundler.js +2 -0
- package/lib/cache-redis.js +2 -0
- package/lib/cache-status.js +2 -0
- package/lib/cache.js +2 -0
- package/lib/calendar.js +2 -0
- package/lib/canonical-json.js +2 -0
- package/lib/cbor.js +2 -0
- package/lib/cdn-cache-control.js +2 -0
- package/lib/cert.js +2 -0
- package/lib/chain-writer.js +2 -0
- package/lib/circuit-breaker.js +2 -0
- package/lib/cli-helpers.js +2 -0
- package/lib/cli.js +57 -20
- package/lib/client-hints.js +2 -0
- package/lib/cloud-events.js +2 -0
- package/lib/cluster-provider-db.js +2 -0
- package/lib/cluster-storage.js +2 -0
- package/lib/cluster.js +2 -0
- package/lib/cms-codec.js +2 -0
- package/lib/codepoint-class.js +2 -0
- package/lib/compliance-ai-act-logging.js +2 -0
- package/lib/compliance-ai-act-prohibited.js +2 -0
- package/lib/compliance-ai-act-risk.js +2 -0
- package/lib/compliance-ai-act-transparency.js +2 -0
- package/lib/compliance-ai-act.js +2 -0
- package/lib/compliance-eaa.js +2 -0
- package/lib/compliance-sanctions-aliases.js +2 -0
- package/lib/compliance-sanctions-fetcher.js +2 -0
- package/lib/compliance-sanctions-fuzzy.js +2 -0
- package/lib/compliance-sanctions.js +2 -0
- package/lib/compliance.js +2 -0
- package/lib/config-drift.js +2 -0
- package/lib/config.js +2 -0
- package/lib/consent.js +2 -0
- package/lib/constants.js +2 -0
- package/lib/content-credentials.js +2 -0
- package/lib/content-digest.js +2 -0
- package/lib/cookies.js +2 -0
- package/lib/cose.js +2 -0
- package/lib/cra-report.js +2 -0
- package/lib/crdt.js +2 -0
- package/lib/credential-hash.js +2 -0
- package/lib/crypto-field.js +2 -0
- package/lib/crypto-hpke-pq.js +2 -0
- package/lib/crypto-hpke.js +2 -0
- package/lib/crypto-oprf.js +2 -0
- package/lib/crypto-xwing.js +2 -0
- package/lib/crypto.js +2 -0
- package/lib/csp.js +2 -0
- package/lib/csv.js +2 -0
- package/lib/cwt.js +2 -0
- package/lib/daemon.js +2 -0
- package/lib/dark-patterns.js +2 -0
- package/lib/data-act.js +2 -0
- package/lib/db-collection.js +2 -0
- package/lib/db-declare-row-policy.js +2 -0
- package/lib/db-declare-view.js +2 -0
- package/lib/db-file-lifecycle.js +2 -0
- package/lib/db-query.js +2 -0
- package/lib/db-role-context.js +2 -0
- package/lib/db-schema.js +2 -0
- package/lib/db.js +2 -0
- package/lib/dbsc.js +2 -0
- package/lib/ddl-change-control.js +2 -0
- package/lib/deprecate.js +2 -0
- package/lib/dev.js +2 -0
- package/lib/did.js +2 -0
- package/lib/dora.js +2 -0
- package/lib/dr-runbook.js +2 -0
- package/lib/dsa.js +2 -0
- package/lib/dsr.js +2 -0
- package/lib/dual-control.js +2 -0
- package/lib/early-hints.js +2 -0
- package/lib/eat.js +2 -0
- package/lib/error-page.js +2 -0
- package/lib/events.js +2 -0
- package/lib/external-db-migrate.js +2 -0
- package/lib/external-db.js +2 -0
- package/lib/fapi2.js +2 -0
- package/lib/fda-21cfr11.js +2 -0
- package/lib/fdx.js +2 -0
- package/lib/fedcm.js +2 -0
- package/lib/file-type.js +2 -0
- package/lib/file-upload.js +2 -0
- package/lib/flag-cache.js +2 -0
- package/lib/flag-evaluation-context.js +2 -0
- package/lib/flag-providers.js +2 -0
- package/lib/flag-targeting.js +2 -0
- package/lib/flag.js +2 -0
- package/lib/forms.js +2 -0
- package/lib/framework-error.js +2 -0
- package/lib/framework-files.js +2 -0
- package/lib/framework-schema.js +2 -0
- package/lib/framework-sha1-hibp.js +2 -0
- package/lib/fsm.js +2 -0
- package/lib/gate-contract.js +2 -0
- package/lib/gdpr-ropa.js +2 -0
- package/lib/graphql-federation.js +2 -0
- package/lib/guard-agent-registry.js +2 -0
- package/lib/guard-all.js +2 -0
- package/lib/guard-archive.js +2 -0
- package/lib/guard-auth.js +2 -0
- package/lib/guard-cidr.js +2 -0
- package/lib/guard-csv.js +2 -0
- package/lib/guard-domain.js +2 -0
- package/lib/guard-dsn.js +2 -0
- package/lib/guard-email.js +2 -0
- package/lib/guard-envelope.js +2 -0
- package/lib/guard-event-bus-payload.js +2 -0
- package/lib/guard-event-bus-topic.js +2 -0
- package/lib/guard-filename.js +2 -0
- package/lib/guard-graphql.js +2 -0
- package/lib/guard-html-wcag-aria.js +2 -0
- package/lib/guard-html-wcag-forms.js +2 -0
- package/lib/guard-html-wcag-tables.js +2 -0
- package/lib/guard-html-wcag-tagwalk.js +2 -0
- package/lib/guard-html-wcag.js +2 -0
- package/lib/guard-html.js +2 -0
- package/lib/guard-idempotency-key.js +2 -0
- package/lib/guard-image.js +2 -0
- package/lib/guard-imap-command.js +2 -0
- package/lib/guard-jmap.js +2 -0
- package/lib/guard-json.js +2 -0
- package/lib/guard-jsonpath.js +2 -0
- package/lib/guard-jwt.js +2 -0
- package/lib/guard-list-id.js +2 -0
- package/lib/guard-list-unsubscribe.js +2 -0
- package/lib/guard-mail-compose.js +2 -0
- package/lib/guard-mail-move.js +2 -0
- package/lib/guard-mail-query.js +2 -0
- package/lib/guard-mail-reply.js +2 -0
- package/lib/guard-mail-sieve.js +2 -0
- package/lib/guard-managesieve-command.js +2 -0
- package/lib/guard-markdown.js +2 -0
- package/lib/guard-message-id.js +2 -0
- package/lib/guard-mime.js +2 -0
- package/lib/guard-oauth.js +2 -0
- package/lib/guard-pdf.js +2 -0
- package/lib/guard-pop3-command.js +2 -0
- package/lib/guard-posture-chain.js +2 -0
- package/lib/guard-regex.js +2 -0
- package/lib/guard-saga-config.js +2 -0
- package/lib/guard-shell.js +2 -0
- package/lib/guard-smtp-command.js +2 -0
- package/lib/guard-snapshot-envelope.js +2 -0
- package/lib/guard-sql.js +2 -0
- package/lib/guard-stream-args.js +2 -0
- package/lib/guard-svg.js +2 -0
- package/lib/guard-template.js +2 -0
- package/lib/guard-tenant-id.js +2 -0
- package/lib/guard-text.js +2 -0
- package/lib/guard-time.js +2 -0
- package/lib/guard-trace-context.js +2 -0
- package/lib/guard-uuid.js +2 -0
- package/lib/guard-xml.js +2 -0
- package/lib/guard-yaml.js +2 -0
- package/lib/hal.js +2 -0
- package/lib/handlers.js +2 -0
- package/lib/honeytoken.js +2 -0
- package/lib/html-balance.js +2 -0
- package/lib/http-client-cache.js +2 -0
- package/lib/http-client-cookie-jar.js +2 -0
- package/lib/http-client.js +2 -0
- package/lib/http-message-signature.js +2 -0
- package/lib/http2-teardown.js +2 -0
- package/lib/i18n-messageformat.js +2 -0
- package/lib/i18n.js +2 -0
- package/lib/iab-mspa.js +2 -0
- package/lib/iab-tcf.js +2 -0
- package/lib/importmap-integrity.js +2 -0
- package/lib/inbox.js +2 -0
- package/lib/incident-report.js +2 -0
- package/lib/ip-utils.js +2 -0
- package/lib/jobs.js +2 -0
- package/lib/jose-jwe-experimental.js +2 -0
- package/lib/json-merge-patch.js +2 -0
- package/lib/json-patch.js +2 -0
- package/lib/json-path.js +2 -0
- package/lib/json-pointer.js +2 -0
- package/lib/json-schema.js +2 -0
- package/lib/jsonapi.js +2 -0
- package/lib/jtd.js +2 -0
- package/lib/jwk.js +2 -0
- package/lib/keychain.js +32 -10
- package/lib/lazy-require.js +2 -0
- package/lib/legal-hold.js +2 -0
- package/lib/link-header.js +2 -0
- package/lib/local-db-thin.js +2 -0
- package/lib/log-stream-cloudwatch.js +2 -0
- package/lib/log-stream-local.js +2 -0
- package/lib/log-stream-otlp-grpc.js +2 -0
- package/lib/log-stream-otlp.js +2 -0
- package/lib/log-stream-syslog.js +2 -0
- package/lib/log-stream-webhook.js +2 -0
- package/lib/log-stream.js +2 -0
- package/lib/log.js +2 -0
- package/lib/lro.js +2 -0
- package/lib/mail-agent.js +2 -0
- package/lib/mail-arc-reuse-token.js +2 -0
- package/lib/mail-arc-sign.js +2 -0
- package/lib/mail-arf.js +2 -0
- package/lib/mail-auth.js +7 -1
- package/lib/mail-bimi.js +2 -0
- package/lib/mail-bounce.js +2 -0
- package/lib/mail-crypto-pgp.js +2 -0
- package/lib/mail-crypto-smime.js +2 -0
- package/lib/mail-crypto.js +2 -0
- package/lib/mail-dav.js +2 -0
- package/lib/mail-deploy.js +2 -0
- package/lib/mail-dkim.js +2 -0
- package/lib/mail-greylist.js +2 -0
- package/lib/mail-helo.js +2 -0
- package/lib/mail-journal.js +2 -0
- package/lib/mail-mdn.js +2 -0
- package/lib/mail-rbl.js +2 -0
- package/lib/mail-require-tls.js +2 -0
- package/lib/mail-scan.js +2 -0
- package/lib/mail-send-deliver.js +2 -0
- package/lib/mail-server-imap.js +2 -0
- package/lib/mail-server-jmap.js +2 -0
- package/lib/mail-server-managesieve.js +2 -0
- package/lib/mail-server-mx.js +2 -0
- package/lib/mail-server-net.js +2 -0
- package/lib/mail-server-pop3.js +2 -0
- package/lib/mail-server-rate-limit.js +2 -0
- package/lib/mail-server-registry.js +2 -0
- package/lib/mail-server-submission.js +2 -0
- package/lib/mail-server-tls.js +2 -0
- package/lib/mail-sieve.js +2 -0
- package/lib/mail-spam-score.js +2 -0
- package/lib/mail-srs.js +2 -0
- package/lib/mail-store-fts.js +2 -0
- package/lib/mail-store.js +2 -0
- package/lib/mail-unsubscribe.js +2 -0
- package/lib/mail.js +2 -0
- package/lib/markup-escape.js +2 -0
- package/lib/markup-tokenizer.js +2 -0
- package/lib/mcp-tool-registry.js +2 -0
- package/lib/mcp.js +2 -0
- package/lib/mdoc.js +2 -0
- package/lib/metrics.js +2 -0
- package/lib/middleware/age-gate.js +2 -0
- package/lib/middleware/ai-act-disclosure.js +2 -0
- package/lib/middleware/api-encrypt.js +2 -0
- package/lib/middleware/assetlinks.js +2 -0
- package/lib/middleware/asyncapi-serve.js +2 -0
- package/lib/middleware/attach-user.js +2 -0
- package/lib/middleware/bearer-auth.js +2 -0
- package/lib/middleware/body-parser.js +2 -0
- package/lib/middleware/bot-disclose.js +2 -0
- package/lib/middleware/bot-guard.js +2 -0
- package/lib/middleware/clear-site-data.js +2 -0
- package/lib/middleware/compose-pipeline.js +2 -0
- package/lib/middleware/compression.js +2 -0
- package/lib/middleware/cookies.js +2 -0
- package/lib/middleware/cors.js +2 -0
- package/lib/middleware/csp-nonce.js +2 -0
- package/lib/middleware/csp-report.js +2 -0
- package/lib/middleware/csrf-protect.js +2 -0
- package/lib/middleware/daily-byte-quota.js +2 -0
- package/lib/middleware/db-role-for.js +2 -0
- package/lib/middleware/deny-response.js +2 -0
- package/lib/middleware/dpop.js +2 -0
- package/lib/middleware/error-handler.js +2 -0
- package/lib/middleware/fetch-metadata.js +2 -0
- package/lib/middleware/flag-context.js +2 -0
- package/lib/middleware/gpc.js +2 -0
- package/lib/middleware/headers.js +2 -0
- package/lib/middleware/health.js +2 -0
- package/lib/middleware/host-allowlist.js +2 -0
- package/lib/middleware/idempotency-key.js +2 -0
- package/lib/middleware/index.js +2 -0
- package/lib/middleware/nel.js +2 -0
- package/lib/middleware/network-allowlist.js +2 -0
- package/lib/middleware/no-cache.js +2 -0
- package/lib/middleware/openapi-serve.js +2 -0
- package/lib/middleware/protected-resource-metadata.js +2 -0
- package/lib/middleware/rate-limit.js +2 -0
- package/lib/middleware/request-id.js +2 -0
- package/lib/middleware/request-log.js +2 -0
- package/lib/middleware/require-aal.js +2 -0
- package/lib/middleware/require-auth.js +2 -0
- package/lib/middleware/require-bound-key.js +2 -0
- package/lib/middleware/require-content-type.js +2 -0
- package/lib/middleware/require-methods.js +2 -0
- package/lib/middleware/require-mtls.js +2 -0
- package/lib/middleware/require-step-up.js +2 -0
- package/lib/middleware/scim-server.js +2 -0
- package/lib/middleware/security-headers.js +2 -0
- package/lib/middleware/security-txt.js +2 -0
- package/lib/middleware/span-http-server.js +2 -0
- package/lib/middleware/speculation-rules.js +2 -0
- package/lib/middleware/sse.js +2 -0
- package/lib/middleware/trace-log-correlation.js +2 -0
- package/lib/middleware/trace-propagate.js +2 -0
- package/lib/middleware/tus-upload.js +2 -0
- package/lib/middleware/web-app-manifest.js +2 -0
- package/lib/migration-files.js +2 -0
- package/lib/migrations.js +2 -0
- package/lib/mime-parse.js +2 -0
- package/lib/module-loader.js +2 -0
- package/lib/money.js +2 -0
- package/lib/mtls-ca.js +2 -0
- package/lib/mtls-engine-default.js +2 -0
- package/lib/network-byte-quota.js +2 -0
- package/lib/network-dane.js +2 -0
- package/lib/network-dns-resolver.js +2 -0
- package/lib/network-dns.js +2 -0
- package/lib/network-dnssec.js +2 -0
- package/lib/network-heartbeat.js +2 -0
- package/lib/network-nts.js +2 -0
- package/lib/network-proxy.js +2 -0
- package/lib/network-smtp-policy.js +6 -1
- package/lib/network-tls.js +2 -0
- package/lib/network-tsig.js +2 -0
- package/lib/network.js +2 -0
- package/lib/nis2-report.js +2 -0
- package/lib/nist-crosswalk.js +2 -0
- package/lib/nonce-store.js +2 -0
- package/lib/notify.js +2 -0
- package/lib/ntp-check.js +2 -0
- package/lib/numeric-bounds.js +2 -0
- package/lib/numeric-checks.js +2 -0
- package/lib/object-store/azure-blob-bucket-ops.js +2 -0
- package/lib/object-store/azure-blob.js +2 -0
- package/lib/object-store/gcs-bucket-ops.js +2 -0
- package/lib/object-store/gcs.js +2 -0
- package/lib/object-store/http-put.js +2 -0
- package/lib/object-store/http-request.js +2 -0
- package/lib/object-store/index.js +2 -0
- package/lib/object-store/local.js +2 -0
- package/lib/object-store/sigv4-bucket-ops.js +2 -0
- package/lib/object-store/sigv4.js +2 -0
- package/lib/observability-otlp-exporter.js +2 -0
- package/lib/observability-tracer.js +2 -0
- package/lib/observability.js +2 -0
- package/lib/openapi-paths-builder.js +2 -0
- package/lib/openapi-schema-walk.js +2 -0
- package/lib/openapi-security.js +2 -0
- package/lib/openapi-yaml.js +2 -0
- package/lib/openapi.js +2 -0
- package/lib/otel-export.js +2 -0
- package/lib/outbox.js +2 -0
- package/lib/pagination.js +2 -0
- package/lib/parsers/index.js +2 -0
- package/lib/parsers/safe-env.js +2 -0
- package/lib/parsers/safe-ini.js +2 -0
- package/lib/parsers/safe-toml.js +2 -0
- package/lib/parsers/safe-xml.js +2 -0
- package/lib/parsers/safe-yaml.js +2 -0
- package/lib/permissions.js +2 -0
- package/lib/pick.js +2 -0
- package/lib/pipl-cn.js +2 -0
- package/lib/pqc-agent.js +2 -0
- package/lib/pqc-gate.js +2 -0
- package/lib/pqc-software.js +2 -0
- package/lib/privacy-pass.js +2 -0
- package/lib/privacy.js +2 -0
- package/lib/problem-details.js +2 -0
- package/lib/process-spawn.js +2 -0
- package/lib/promise-pool.js +2 -0
- package/lib/protobuf-encoder.js +2 -0
- package/lib/protocol-dispatcher.js +2 -0
- package/lib/public-suffix.js +2 -0
- package/lib/pubsub-cluster.js +2 -0
- package/lib/pubsub-redis.js +2 -0
- package/lib/pubsub.js +2 -0
- package/lib/queue-local.js +2 -0
- package/lib/queue-redis.js +2 -0
- package/lib/queue-sqs.js +2 -0
- package/lib/queue.js +2 -0
- package/lib/redact.js +2 -0
- package/lib/redis-client.js +2 -0
- package/lib/render.js +2 -0
- package/lib/request-helpers.js +2 -0
- package/lib/resource-access-lock.js +2 -0
- package/lib/restore-bundle.js +2 -0
- package/lib/restore-rollback.js +2 -0
- package/lib/restore.js +2 -0
- package/lib/retention.js +2 -0
- package/lib/retry.js +2 -0
- package/lib/rfc3339.js +2 -0
- package/lib/router.js +83 -18
- package/lib/safe-archive.js +2 -0
- package/lib/safe-async.js +2 -0
- package/lib/safe-buffer.js +2 -0
- package/lib/safe-decompress.js +2 -0
- package/lib/safe-dns.js +2 -0
- package/lib/safe-ical.js +2 -0
- package/lib/safe-icap.js +2 -0
- package/lib/safe-json.js +2 -0
- package/lib/safe-jsonpath.js +2 -0
- package/lib/safe-mime.js +2 -0
- package/lib/safe-mount-info.js +2 -0
- package/lib/safe-path.js +2 -0
- package/lib/safe-redirect.js +2 -0
- package/lib/safe-schema.js +2 -0
- package/lib/safe-sieve.js +2 -0
- package/lib/safe-smtp.js +2 -0
- package/lib/safe-sql.js +2 -0
- package/lib/safe-url.js +2 -0
- package/lib/safe-vcard.js +2 -0
- package/lib/sandbox-worker.js +2 -0
- package/lib/sandbox.js +2 -0
- package/lib/scheduler.js +2 -0
- package/lib/scitt.js +2 -0
- package/lib/sd-notify.js +2 -0
- package/lib/sec-cyber.js +2 -0
- package/lib/security-assert.js +2 -0
- package/lib/seeders.js +2 -0
- package/lib/self-update-standalone-verifier.js +2 -0
- package/lib/self-update.js +2 -0
- package/lib/server-timing.js +2 -0
- package/lib/session-device-binding.js +2 -0
- package/lib/session-stores.js +2 -0
- package/lib/session.js +2 -0
- package/lib/slug.js +2 -0
- package/lib/sql.js +2 -0
- package/lib/sse.js +2 -0
- package/lib/ssrf-guard.js +2 -0
- package/lib/standard-webhooks.js +2 -0
- package/lib/static.js +2 -0
- package/lib/storage.js +2 -0
- package/lib/stream-throttle.js +2 -0
- package/lib/structured-fields.js +2 -0
- package/lib/subject.js +2 -0
- package/lib/tcpa-10dlc.js +2 -0
- package/lib/template.js +2 -0
- package/lib/tenant-quota.js +2 -0
- package/lib/test-harness.js +2 -0
- package/lib/testing.js +2 -0
- package/lib/time.js +2 -0
- package/lib/tls-exporter.js +2 -0
- package/lib/totp.js +2 -0
- package/lib/tracing.js +2 -0
- package/lib/tsa.js +2 -0
- package/lib/uri-template.js +2 -0
- package/lib/uuid.js +2 -0
- package/lib/validate-opts.js +2 -0
- package/lib/vault/index.js +2 -0
- package/lib/vault/passphrase-ops.js +2 -0
- package/lib/vault/passphrase-source.js +2 -0
- package/lib/vault/rotate.js +2 -0
- package/lib/vault/seal-pem-file.js +2 -0
- package/lib/vault/wrap.js +2 -0
- package/lib/vault-aad.js +2 -0
- package/lib/vc.js +2 -0
- package/lib/vendor-data.js +2 -0
- package/lib/vex.js +2 -0
- package/lib/watcher.js +2 -0
- package/lib/web-push-vapid.js +2 -0
- package/lib/webhook-dispatcher.js +2 -0
- package/lib/webhook.js +2 -0
- package/lib/websocket-channels.js +2 -0
- package/lib/websocket.js +2 -0
- package/lib/wiki-concepts.js +2 -0
- package/lib/worker-pool.js +2 -0
- package/lib/worm.js +2 -0
- package/lib/ws-client.js +2 -0
- package/lib/x509-chain.js +2 -0
- package/lib/xml-c14n.js +2 -0
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
package/lib/parsers/index.js
CHANGED
package/lib/parsers/safe-env.js
CHANGED
package/lib/parsers/safe-ini.js
CHANGED
package/lib/parsers/safe-toml.js
CHANGED
package/lib/parsers/safe-xml.js
CHANGED
package/lib/parsers/safe-yaml.js
CHANGED
package/lib/permissions.js
CHANGED
package/lib/pick.js
CHANGED
package/lib/pipl-cn.js
CHANGED
package/lib/pqc-agent.js
CHANGED
package/lib/pqc-gate.js
CHANGED
package/lib/pqc-software.js
CHANGED
package/lib/privacy-pass.js
CHANGED
package/lib/privacy.js
CHANGED
package/lib/problem-details.js
CHANGED
package/lib/process-spawn.js
CHANGED
package/lib/promise-pool.js
CHANGED
package/lib/protobuf-encoder.js
CHANGED
package/lib/public-suffix.js
CHANGED
package/lib/pubsub-cluster.js
CHANGED
package/lib/pubsub-redis.js
CHANGED
package/lib/pubsub.js
CHANGED
package/lib/queue-local.js
CHANGED
package/lib/queue-redis.js
CHANGED
package/lib/queue-sqs.js
CHANGED
package/lib/queue.js
CHANGED
package/lib/redact.js
CHANGED
package/lib/redis-client.js
CHANGED
package/lib/render.js
CHANGED
package/lib/request-helpers.js
CHANGED
package/lib/restore-bundle.js
CHANGED
package/lib/restore-rollback.js
CHANGED
package/lib/restore.js
CHANGED
package/lib/retention.js
CHANGED
package/lib/retry.js
CHANGED
package/lib/rfc3339.js
CHANGED
package/lib/router.js
CHANGED
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
// SPDX-License-Identifier: Apache-2.0
|
|
2
|
+
// Copyright (c) blamejs contributors
|
|
1
3
|
"use strict";
|
|
2
4
|
/**
|
|
3
5
|
* @module b.router
|
|
@@ -42,6 +44,7 @@ var requestHelpers = require("./request-helpers");
|
|
|
42
44
|
var lazyRequire = require("./lazy-require");
|
|
43
45
|
var safeAsync = require("./safe-async");
|
|
44
46
|
var safeEnv = require("./parsers/safe-env");
|
|
47
|
+
var safeJson = require("./safe-json");
|
|
45
48
|
var safeUrl = require("./safe-url");
|
|
46
49
|
var validateOpts = require("./validate-opts");
|
|
47
50
|
var websocket = require("./websocket");
|
|
@@ -161,9 +164,25 @@ function _makeSchemaValidator(spec) {
|
|
|
161
164
|
};
|
|
162
165
|
}
|
|
163
166
|
|
|
167
|
+
// True when a res.end body structurally looks like a JSON document — the
|
|
168
|
+
// first non-whitespace byte is an object/array opener. Narrow on purpose:
|
|
169
|
+
// a plain-text / HTML body on a response-schema route (leading "<", a bare
|
|
170
|
+
// word, etc.) is skipped so the validator never throws on a non-JSON
|
|
171
|
+
// response, and a JSON scalar (a bare number / quoted string) is not
|
|
172
|
+
// mistaken for a schema-shaped document.
|
|
173
|
+
function _bodyLooksLikeJson(text) {
|
|
174
|
+
for (var i = 0; i < text.length; i += 1) {
|
|
175
|
+
var ch = text.charCodeAt(i);
|
|
176
|
+
if (ch === 0x20 || ch === 0x09 || ch === 0x0A || ch === 0x0D) continue; // skip leading whitespace
|
|
177
|
+
return ch === 0x7B || ch === 0x5B; // "{" or "["
|
|
178
|
+
}
|
|
179
|
+
return false;
|
|
180
|
+
}
|
|
181
|
+
|
|
164
182
|
function _makeResponseValidator(spec) {
|
|
165
|
-
//
|
|
166
|
-
//
|
|
183
|
+
// Validate the response body against spec.response no matter which exit
|
|
184
|
+
// the handler used — res.json OR a raw res.end(JSON.stringify(...)) that
|
|
185
|
+
// ships a JSON-shaped buffer. Mode:
|
|
167
186
|
// - BLAMEJS_VALIDATE_RESPONSES=throw (or per-route validateResponse: "throw")
|
|
168
187
|
// → throw a SafeSchemaError-shaped error; route handler's caller sees a 500.
|
|
169
188
|
// - BLAMEJS_VALIDATE_RESPONSES=warn (or per-route validateResponse: "warn")
|
|
@@ -175,21 +194,59 @@ function _makeResponseValidator(spec) {
|
|
|
175
194
|
if (!mode) return function passthrough(_req, _res, next) { next(); };
|
|
176
195
|
|
|
177
196
|
return function responseValidator(req, res, next) {
|
|
197
|
+
// One request-scoped check shared by both the res.json and res.end
|
|
198
|
+
// wrappers so a single failure shape covers every exit.
|
|
199
|
+
var validated = false;
|
|
200
|
+
function runCheck(value, headersAlreadySent) {
|
|
201
|
+
var rr = spec.response.safeParse(value);
|
|
202
|
+
if (rr.ok) return;
|
|
203
|
+
if (mode === "throw") {
|
|
204
|
+
// A raw res.end after writeHead cannot be un-sent — throwing there
|
|
205
|
+
// would abort mid-flush and can't reach a clean 500. Degrade to a
|
|
206
|
+
// logged error in that case; res.json (and a pre-writeHead res.end)
|
|
207
|
+
// still throw before any header is committed.
|
|
208
|
+
if (!headersAlreadySent) {
|
|
209
|
+
throw new Error("router response-validation failed for " +
|
|
210
|
+
(req.method + " " + req.routePattern) + ": " +
|
|
211
|
+
JSON.stringify(rr.errors));
|
|
212
|
+
}
|
|
213
|
+
log.error("response-validation failed after headers sent on " +
|
|
214
|
+
req.method + " " + req.routePattern + ": " +
|
|
215
|
+
JSON.stringify(rr.errors).slice(0, 500));
|
|
216
|
+
return;
|
|
217
|
+
}
|
|
218
|
+
// warn mode
|
|
219
|
+
log.warn("response-validation drift on " + req.method + " " + req.routePattern +
|
|
220
|
+
": " + JSON.stringify(rr.errors).slice(0, 500));
|
|
221
|
+
}
|
|
222
|
+
|
|
178
223
|
var origJson = typeof res.json === "function" ? res.json.bind(res) : null;
|
|
179
224
|
if (origJson) {
|
|
180
225
|
res.json = function (value) {
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
226
|
+
runCheck(value, false); // res.json validates before it writes headers
|
|
227
|
+
validated = true; // res.json delegates to res.end internally — don't re-check
|
|
228
|
+
return origJson(value);
|
|
229
|
+
};
|
|
230
|
+
}
|
|
231
|
+
|
|
232
|
+
var origEnd = typeof res.end === "function" ? res.end.bind(res) : null;
|
|
233
|
+
if (origEnd) {
|
|
234
|
+
res.end = function (chunk) {
|
|
235
|
+
if (!validated) {
|
|
236
|
+
var text = null;
|
|
237
|
+
if (typeof chunk === "string") text = chunk;
|
|
238
|
+
else if (Buffer.isBuffer(chunk)) text = chunk.toString("utf8");
|
|
239
|
+
if (text !== null && _bodyLooksLikeJson(text)) {
|
|
240
|
+
var parsed;
|
|
241
|
+
var parsedOk = true;
|
|
242
|
+
try { parsed = safeJson.parse(text); } catch (_e) { parsedOk = false; }
|
|
243
|
+
if (parsedOk) {
|
|
244
|
+
validated = true;
|
|
245
|
+
runCheck(parsed, res.headersSent === true);
|
|
246
|
+
}
|
|
187
247
|
}
|
|
188
|
-
// warn mode
|
|
189
|
-
log.warn("response-validation drift on " + req.method + " " + req.routePattern +
|
|
190
|
-
": " + JSON.stringify(rr.errors).slice(0, 500));
|
|
191
248
|
}
|
|
192
|
-
return
|
|
249
|
+
return origEnd.apply(res, arguments);
|
|
193
250
|
};
|
|
194
251
|
}
|
|
195
252
|
next();
|
|
@@ -956,16 +1013,24 @@ class Router {
|
|
|
956
1013
|
"res.redirect: target must be a non-empty string"
|
|
957
1014
|
);
|
|
958
1015
|
}
|
|
959
|
-
// Reject
|
|
960
|
-
//
|
|
961
|
-
//
|
|
962
|
-
// a
|
|
1016
|
+
// Reject every byte a header line or a URL-parsing user agent
|
|
1017
|
+
// treats specially. CR / LF / NUL are the header-injection class
|
|
1018
|
+
// (Node's writeHead would refuse them too — the explicit refusal
|
|
1019
|
+
// gives operators a router-shaped error over ERR_INVALID_CHAR).
|
|
1020
|
+
// TAB (0x09) is the open-redirect class: Node PERMITS a horizontal
|
|
1021
|
+
// tab in a header value, but WHATWG URL removes ASCII TAB / LF / CR
|
|
1022
|
+
// from a URL before parsing it, so "/<TAB>/evil.example" — which
|
|
1023
|
+
// the same-origin heuristic below reads as a rooted path — collapses
|
|
1024
|
+
// to the protocol-relative "//evil.example" in the browser and
|
|
1025
|
+
// bounces to an attacker origin. Refuse the whole browser-stripped
|
|
1026
|
+
// set here so the byte the heuristic inspects is the byte the user
|
|
1027
|
+
// agent parses.
|
|
963
1028
|
for (var ci = 0; ci < url.length; ci += 1) {
|
|
964
1029
|
var cc = url.charCodeAt(ci);
|
|
965
|
-
if (cc === 0x00 || cc === 0x0A || cc === 0x0D) {
|
|
1030
|
+
if (cc === 0x00 || cc === 0x09 || cc === 0x0A || cc === 0x0D) {
|
|
966
1031
|
throw new RouterError(
|
|
967
1032
|
"router/redirect-target-has-control-chars",
|
|
968
|
-
"res.redirect: target must not contain CR / LF / NUL bytes"
|
|
1033
|
+
"res.redirect: target must not contain CR / LF / TAB / NUL bytes"
|
|
969
1034
|
);
|
|
970
1035
|
}
|
|
971
1036
|
}
|
package/lib/safe-archive.js
CHANGED
package/lib/safe-async.js
CHANGED
package/lib/safe-buffer.js
CHANGED
package/lib/safe-decompress.js
CHANGED
package/lib/safe-dns.js
CHANGED
package/lib/safe-ical.js
CHANGED
package/lib/safe-icap.js
CHANGED
package/lib/safe-json.js
CHANGED
package/lib/safe-jsonpath.js
CHANGED
package/lib/safe-mime.js
CHANGED
package/lib/safe-mount-info.js
CHANGED
package/lib/safe-path.js
CHANGED
package/lib/safe-redirect.js
CHANGED
package/lib/safe-schema.js
CHANGED
package/lib/safe-sieve.js
CHANGED
package/lib/safe-smtp.js
CHANGED
package/lib/safe-sql.js
CHANGED
package/lib/safe-url.js
CHANGED
package/lib/safe-vcard.js
CHANGED
package/lib/sandbox-worker.js
CHANGED
package/lib/sandbox.js
CHANGED
package/lib/scheduler.js
CHANGED
package/lib/scitt.js
CHANGED
package/lib/sd-notify.js
CHANGED
package/lib/sec-cyber.js
CHANGED
package/lib/security-assert.js
CHANGED
package/lib/seeders.js
CHANGED
package/lib/self-update.js
CHANGED
package/lib/server-timing.js
CHANGED