npm - @blamejs/core - Versions diffs - 0.7.62 → 0.7.64 - Mend

@blamejs/core 0.7.62 → 0.7.64

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 ## v0.7.x
+- **0.7.64** (2026-05-06) — HTTP/2 + WebSocket DoS hardening. **HTTP/2 server caps** — `lib/router.js` `http2.createSecureServer` now ships framework-default hardening: `maxConcurrentStreams: 100` (CVE-2023-44487 Rapid Reset cap; Node default was 4294967295), `maxSessionMemory: 10` (MB), `maxHeaderListPairs: 100` (CVE-2024-27983 / CVE-2024-28182 CONTINUATION-flood cap), `maxSettings: 32`, `peerMaxConcurrentStreams: 100`, `unknownProtocolTimeout: 10s` (Slowloris-h2 variant). Operator-supplied `tlsOptions` override any of these. **Slowloris timeouts** — `server.headersTimeout = 60s`, `server.requestTimeout = 5min`, `server.keepAliveTimeout = 5s` set explicitly post-listen. The framework was previously relying on Node-version-shifting defaults; pinning brings older Node releases up to the modern bar. **WebSocket origin default** — *breaking change* (pre-1.0, no compat shim per CLAUDE.md): when `origins` is omitted from `b.websocket.create({ ... })`, the new default is **same-origin enforcement** (Origin header host must match Host header). Pre-0.7.64 the default was "accept all", which is the canonical Cross-Site WebSocket Hijacking (CSWSH) class. Operators needing cross-origin opt in via `origins: "*"` (with audited reason) or `origins: [...allowlist]`. Non-browser clients (no Origin header) continue to bypass — origin enforcement is a browser-class defense.
+- **0.7.63** (2026-05-06) — gitleaks regex allowlist extended to cover JWT fixtures split across multiple string literals. The v0.7.62 regex only matched the full three-segment JWT compact-serialization shape; source files split long JWT fixtures across literals for line-length, so gitleaks saw individual `eyJ...`-prefixed base64url segments and still flagged them. Added a second allowlist regex matching any `eyJ`-prefixed segment of substantive length (`{20,}`). Same rationale: real signing keys never appear as `eyJ...` base64url tokens — they're PEM / DER / PKCS#8.
 - **0.7.62** (2026-05-06) — gitleaks regex allowlist for JWT compact-serialization shape (`eyJ...header.eyJ...payload.signature`). The new `b.guardJwt` and `b.guardAuth` test fixtures legitimately embed JWT-shaped strings as benign + hostile inputs; gitleaks' default `generic-api-key` rule fires on the high-entropy base64url segments and refuses every release tag with the fixtures present. Real signing keys never appear in compact serialization shape — they're PEM / DER / PKCS#8 — so this allowlist doesn't suppress detection of actual key leaks. Allowlist regex added under the existing "Doc-string credential-shaped placeholders" block in `.gitleaks.toml`. No code change.
 - **0.7.61** (2026-05-06) — eslint cleanup in `lib/guard-regex.js` and `lib/guard-shell.js`. The `no-useless-escape` rule (eslint v9+) flagged unnecessary backslashes inside regex character classes — `*`, `+`, `?`, `[` don't need escaping when they appear inside `[...]`. Behavior unchanged: regex semantics are identical with or without the escapes (the engine treats both forms as the literal character). The framework's CI gate runs eslint with `--max-warnings 0`; this slice unblocks the CI lint job that's been failing on tag pushes since v0.7.53. No operator-facing behavior change.

package/lib/router.js CHANGED Viewed

@@ -626,10 +626,32 @@ class Router {
       // accept both. enableConnectProtocol: true is what enables h2
       // WebSocket (RFC 8441) — clients refuse to issue Extended CONNECT
       // until they see this in the server's SETTINGS frame.
+      // Framework-default HTTP/2 hardening — operator-supplied
+      // tlsOptions can override any of these.
+      //
+      // maxConcurrentStreams: cap concurrent streams per session (Node
+      //   default is 4294967295 — way too high; CVE-2023-44487 Rapid
+      //   Reset relies on the unbounded default).
+      // maxSessionMemory: 10 MB cap per session (Node default; explicit).
+      // maxHeaderListPairs: 100 header pairs max (Node default 128;
+      //   tightened — CVE-2024-27983 / CVE-2024-28182 CONTINUATION
+      //   flood relies on header-pair amplification).
+      // maxSettings: cap SETTINGS-frame entries.
+      // peerMaxConcurrentStreams: cap how many streams the peer is
+      //   willing to accept (limits server-initiated push, which the
+      //   framework doesn't use).
+      // unknownProtocolTimeout: 10s — drop sessions stuck in protocol-
+      //   detection (Slowloris-h2 variant).
       server = http2.createSecureServer(Object.assign({
-        allowHTTP1:    true,
-        ALPNProtocols: ["h2", "http/1.1"],
-        settings:      { enableConnectProtocol: true },
+        allowHTTP1:               true,
+        ALPNProtocols:             ["h2", "http/1.1"],
+        settings:                  { enableConnectProtocol: true },
+        maxConcurrentStreams:      100,                                            // allow:raw-byte-literal — CVE-2023-44487 Rapid Reset cap
+        maxSessionMemory:          10,                                             // allow:raw-byte-literal — MB cap (Node default explicit)
+        maxHeaderListPairs:        100,                                            // allow:raw-byte-literal — CVE-2024-27983 CONTINUATION-flood cap
+        maxSettings:               32,                                             // allow:raw-byte-literal — SETTINGS-frame entry ceiling
+        peerMaxConcurrentStreams:  100,                                            // allow:raw-byte-literal — peer-side stream cap
+        unknownProtocolTimeout:    C.TIME.seconds(10),
       }, tlsOptions), requestHandler);
     } else {
       // Cleartext path is h1-only. Operators wanting h2c on cleartext
@@ -710,7 +732,23 @@ class Router {
     if (host) server.listen(port, host, cb);
     else server.listen(port, cb);
-    server.timeout = C.TIME.minutes(5);
+    // Slowloris / slow-read defenses. Node defaults shifted across
+    // versions; the framework pins them explicitly so operators on
+    // older Node releases get the modern bar.
+    //
+    // headersTimeout: 60s — time allotted for the entire request-line
+    //   + header section. Slowloris's classic posture is a connection
+    //   that trickles headers indefinitely.
+    // requestTimeout: 5min — total wall-clock for a request including
+    //   body. Body-streaming uploads through fileUpload can take
+    //   minutes; this is the operator-overridable ceiling.
+    // keepAliveTimeout: 5s — idle timeout between requests on a
+    //   keep-alive connection.
+    // server.timeout: 5min — hardware/network timeout (legacy).
+    server.headersTimeout   = C.TIME.seconds(60);
+    server.requestTimeout   = C.TIME.minutes(5);
+    server.keepAliveTimeout = C.TIME.seconds(5);
+    server.timeout          = C.TIME.minutes(5);
     return server;
   }
 }

package/lib/websocket.js CHANGED Viewed

@@ -221,12 +221,17 @@ function negotiateSubprotocol(req, supported) {
 // origins shapes:
 //   array — strict allowlist, enforced
 //   "*"   — explicit "accept all" (operator opt-in to no checking)
-//   null/undefined — same as "*" but caller (router) is expected to
-//                    have logged a startup warning. Origin policy is a
-//                    framework-level decision; this primitive doesn't
-//                    re-warn here.
+//   null/undefined — DEFAULT: same-origin (Origin host matches Host
+//                    header). The pre-0.7.64 default was "accept all" —
+//                    flipped here because cross-site WebSocket
+//                    hijacking (CSWSH) is a real attacker capability
+//                    against any browser-targeted WebSocket route, and
+//                    same-origin is the safe default. Operators
+//                    needing cross-origin opt in explicitly via
+//                    `origins: "*"` (with audited reason) or
+//                    `origins: [...allowlist]`.
 function isOriginAllowed(req, origins) {
-  if (!origins || origins === "*") return true;
+  if (origins === "*") return true;
   var origin = (req.headers || {}).origin;
   // Non-browser clients (curl, server-to-server, native apps) don't
   // send Origin. Origin enforcement only meaningfully applies to
@@ -234,6 +239,17 @@ function isOriginAllowed(req, origins) {
   // the operator's network ACL / auth middleware, not Origin.
   if (!origin) return true;
   if (Array.isArray(origins)) return origins.indexOf(origin) !== -1;
+  // Default: same-origin. Compare the Origin header's hostname against
+  // the Host header. Operators behind a TLS-terminating LB pass the
+  // canonical Host through (or set `origins: [...]` explicitly).
+  if (!origins) {
+    var host = (req.headers || {}).host;
+    if (!host) return false;
+    var originHost;
+    try { originHost = new URL(origin).host; }                                   // allow:raw-new-url — comparing browser-supplied Origin header against Host; safeUrl.parse adds policy filtering that isn't appropriate for exact host comparison
+    catch (_e) { return false; }
+    return originHost === host;
+  }
   return false;
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.62",
+  "version": "0.7.64",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:dd45b15b-229b-45b9-bfa9-61c962a76fb3",
+  "serialNumber": "urn:uuid:186ac1cf-f222-4ea2-81b9-ad8a89f1849e",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T00:25:44.109Z",
+    "timestamp": "2026-05-06T00:58:07.750Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.62",
+      "bom-ref": "@blamejs/core@0.7.64",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.62",
+      "version": "0.7.64",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.62",
+      "purl": "pkg:npm/%40blamejs/core@0.7.64",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.62",
+      "ref": "@blamejs/core@0.7.64",
       "dependsOn": []
     }
   ]