@blamejs/core 0.7.74 → 0.7.76

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.76** (2026-05-06) — CVE-class web hardening sweep — Trojan Source (CVE-2021-42574) log defense + drive-by-MIME attachment opt for `staticServe`. **Trojan Source defense** in `b.log` output: every log line now post-processes Unicode bidi / format-control characters (U+061C / U+200E-200F / U+202A-202E / U+2066-2069) into their `\uXXXX` literal escape on the wire so a hostile log message can't re-order the visible line in a TTY / syslog / file reader. JSON.stringify alone does NOT escape these codepoints, so a captured-error message containing `U+202E` (RIGHT-TO-LEFT OVERRIDE) survives into the log surface and silently flips visible field/key associations. The escape applies to the entire serialized JSON line including any extras / bound-context fields. **`staticServe.create({ safeAttachmentForRiskyMimes: true })`** — opt-in flag that adds `Content-Disposition: attachment` to responses whose Content-Type is in the risky-inline-MIME set (`text/html`, `text/xml`, `application/xml`, `application/xhtml+xml`, `image/svg+xml`, `application/javascript`, `text/javascript`, `application/x-javascript`). Defends against drive-by execution of user-uploaded HTML / JS / SVG (CVE-2017-15012 SVG XSS / CVE-2009-1312 HTML drive-by class). Default `false` — operators serving framework asset bundles continue to render inline; operators serving user-content directories opt in. Filename is RFC 5987-encoded (ASCII filename + `filename*=UTF-8''...`) so non-ASCII filenames survive without allowing CR/LF header injection.
+
+- **0.7.75** (2026-05-06) — Audit-emit redaction pipeline. `b.audit.safeEmit` now scrubs the `actor` / `reason` / `metadata` fields through `b.redact.redact()` before they hit the audit handler. Operators who pass `metadata: { reason: e.message }` from a caught error could land DB connection strings, bearer tokens, JWT compact-serialization fixtures, AWS access keys, PEM private keys, SSH keys, credit cards, and SSNs in audit rows; the redact pipeline catches the common shapes (sensitive field names + value-shape detectors) and replaces them with markers (`[REDACTED]`, `[REDACTED-CONN-STRING]`, `[REDACTED-JWT]`, `[REDACTED-PEM]`, `[REDACTED-AWS-KEY]`, `[REDACTED-CC]`, `[REDACTED-SSN]`, `[REDACTED-SEALED]`, `[REDACTED-SSH-KEY]`). The `b.redact` primitive existed in lib/ since v0.4.x but was dead code — `audit.safeEmit` previously passed metadata through unchanged. New connection-string detector matches `protocol://user:pass@host` shapes that surface in error messages from external-DB / SMTP / HTTP drivers (RFC 3986 generic syntax). Drop-silent on redact failure — the pipeline never breaks the caller's audit attempt.
+
 - **0.7.74** (2026-05-06) — Email receive-side parity: DMARC aggregate (RUA) report parser + ARC trust evaluation + Authentication-Results header builder + TLS-RPT receive-side report parser. Closes the "framework can send mail compliantly but can't receive compliantly" gap. **`b.mail.dmarc.parseAggregateReport(xmlBytes, { contentType? })`** parses RFC 7489 §7.2 aggregate XML reports through the framework's existing `lib/parsers/safe-xml.js` (the existing security-focused XML parser handles XXE / DOCTYPE / entity-expansion defenses by default). Auto-detects gzip via magic bytes (`0x1f 0x8b`) or `Content-Type: application/gzip`. Returns `{ reportMetadata, policyPublished, records, totals }` with per-record source-IP / count / policy-evaluated dispositions / identifiers / DKIM + SPF auth results, plus aggregated `messages` / `aligned` / `notAligned` totals operators want for dashboards. Caps report size at 8 MiB and records-per-report at 10 000. **`b.mail.arc.evaluate(rfc822, { trustedSealers })`** wraps the existing `arc.verify` cryptographic chain check with the operator-side trust decision: given a passing chain, did any hop in the chain belong to a sealer the operator trusts? Returns `{ chainStatus, trusted, trustedHop, trustedDomain }` walking hops most-recent-first so the deepest trusted sealer wins. **`b.mail.authResults.emit({ authservId, results, fold? })`** builds the RFC 8601 Authentication-Results header value — operators consume per-method results from `b.mail.spf.verify` / `b.mail.dmarc.evaluate` / `b.mail.arc.verify`, hand them to `.emit`, and the framework formats the conformant header string with method-specific properties (`smtp.mailfrom`, `header.d`, `header.from`, `policy.iprev`, `policy.ip`, `policy.tls`). Refuses unknown methods / results at config-mistake time. **`b.network.smtp.tlsRpt.parseReport(body, { contentType? })`** is the receive-side counterpart to `tlsRpt.recordShape` / `tlsRpt.submit` — accepts a Buffer or string, auto-detects gzip, parses JSON, validates the RFC 8460 §4.4 required-fields shape (`organization-name`, `date-range`, `report-id`, `policies`), aggregates `total-successful-session-count` / `total-failure-session-count` across policies. Caps report size at 8 MiB and policies-per-report at 1024.
 
 - **0.7.73** (2026-05-06) — `b.auth.aal` + `b.middleware.requireAal({ minimum })` — NIST SP 800-63-4 Authentication Assurance Level bands. **`b.auth.aal.fromMethods({ password, totp, webauthn, ... })`** combines a set of operator-asserted authenticator methods into the resulting band: `AAL1` (single factor — memorized secret OR single-factor cryptographic), `AAL2` (multi-factor — memorized secret + OTP/SMS/hardware/mTLS), `AAL3` (phishing-resistant multi-factor — WebAuthn / passkey / hardware-+-PIN). Recognized methods: `password`, `pin`, `totp`, `sms`, `webauthn`, `passkey`, `hardware`, `mtls`. **`b.middleware.requireAal({ minimum, getAal?, audit?, realm? })`** gates routes by the request's AAL band — reads `req.user.aal` by default (or operator-supplied `getAal(req)`), compares against the minimum, returns 401 with `WWW-Authenticate: AAL-StepUp realm="...", required="AAL2"` on insufficient assurance. The bespoke scheme name signals to the operator's frontend that a step-up flow should be triggered (re-prompt for TOTP / passkey) without reusing the generic `Bearer` challenge namespace. Audit emits `auth.aal.granted` / `auth.aal.denied` (drop-silent on observability sink failure). The framework leaves AMR/ACR claim emission to the operator's IdP; the new `b.auth.aal.AMR` constants object provides consistent OIDC-conformant strings for operators emitting access tokens with AAL info. Also exposes `b.auth.aal.meets(actual, required)` for ad-hoc band comparisons outside the middleware. **CI vendor-manifest gate fix**: vendor files now have an explicit `.gitattributes` `lib/vendor/** -text binary` declaration so git never rewrites line endings between Windows and Linux checkouts. The `lib/vendor/noble-ciphers.cjs` file was renormalized to LF on disk and re-hashed in `lib/vendor/MANIFEST.json`. Closes the v0.7.65–0.7.72 npm-publish.yml smoke-test failures (`vendor manifest: @noble/ciphers :: server hash matches`).

package/lib/audit.js

@@ -44,6 +44,7 @@ var { generateToken } = require("./crypto");
 var cryptoField = require("./crypto-field");
 var handlers = require("./handlers");
 var { boot } = require("./log");
+var redact = require("./redact");
 var safeAsync = require("./safe-async");
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
@@ -734,13 +735,30 @@ function safeEmit(event) {
   if (!event || typeof event !== "object") return;
   if (typeof event.action !== "string") return;  // can't emit without an action
   try {
+    // Scrub credentials before they hit the audit handler. Operators
+    // who pass `metadata: { reason: e.message }` from a caught error
+    // can land DB connection strings, bearer tokens, and JWT compact-
+    // serialization fixtures in audit rows; redact.redact() catches the
+    // common shapes (sensitive field names + value-shape detectors:
+    // credit-card / JWT / PEM / AWS key / SSN / connection string) and
+    // replaces them with markers. Same pass also applies to actor +
+    // reason so the entire event surface is consistent. Drop-silent on
+    // redact failure — never break the caller's audit attempt.
+    var actor = event.actor || {};
+    var reason = event.reason || null;
+    var metadata = event.metadata || null;
+    try {
+      actor = redact.redact(actor);
+      if (reason !== null) reason = redact.redact(reason);
+      if (metadata !== null) metadata = redact.redact(metadata);
+    } catch (_e) { /* fall through with original values */ }
     _ensureHandler().emit({
-      actor:     event.actor    || {},
+      actor:     actor,
       action:    event.action,
       resource:  event.resource || null,
       outcome:   event.outcome  || "success",
-      reason:    event.reason   || null,
-      metadata:  event.metadata || null,
+      reason:    reason,
+      metadata:  metadata,
       requestId: event.requestId || null,
     });
   } catch (_e) { /* audit best-effort — never break the caller */ }

package/lib/log.js

@@ -279,6 +279,14 @@ function create(opts) {
         _logError: "extras not serializable",
       }) + "\n";
     }
+    // Trojan-Source defense (CVE-2021-42574). JSON.stringify does NOT
+    // escape Unicode bidi / format controls, so a hostile log message
+    // containing U+202E (RIGHT-TO-LEFT OVERRIDE) survives into TTY /
+    // syslog / file sinks where it can re-order the visible line —
+    // forging which fields appear under which keys when the operator
+    // reads the log. Escape the entire bidi/format-control set to
+    // `\uXXXX` literals on the wire.
+    line = _escapeBidiControls(line);
 
     var lvlNum = LEVELS[levelName];
     for (var s = 0; s < sinks.length; s++) {
@@ -479,6 +487,25 @@ function makeViaOrFallback(operatorLog, fallbackLog) {
 
 // Boot-time minimum level (debug suppressed unless explicitly enabled).
 // Uses raw process.env per the documented load-cycle exception: log.js
+// Trojan-Source defense (CVE-2021-42574). Replace Unicode bidi /
+// format-control characters with their `\uXXXX` literal escape so a
+// hostile log message can't re-order the visible line in a TTY /
+// syslog reader. Set covers:
+//   U+061C — Arabic Letter Mark
+//   U+200E/U+200F — LRM/RLM
+//   U+202A-U+202E — LRE/RLE/PDF/LRO/RLO
+//   U+2066-U+2069 — LRI/RLI/FSI/PDI
+var _BIDI_CONTROL_RE = /[؜‎‏‪‫‬‭‮⁦⁧⁨⁩]/g;
+
+function _escapeBidiControls(s) {
+  if (typeof s !== "string" || s.length === 0) return s;
+  return s.replace(_BIDI_CONTROL_RE, function (ch) {
+    var code = ch.charCodeAt(0).toString(16);                                      // allow:raw-byte-literal — Unicode hex radix
+    while (code.length < 4) code = "0" + code;
+    return "\\u" + code;
+  });
+}
+
 // runs before safeEnv on the boot path; safeEnv requires log, so log
 // can't go through safeEnv to read its own level.
 function _bootMinLevel() {

package/lib/redact.js

@@ -23,6 +23,8 @@
  *   redact.MARKER                            → '[REDACTED]'
  */
 
+var C = require("./constants");
+
 var DEFAULT_MARKER = "[REDACTED]";
 
 // Field names that are always redacted, regardless of value contents.
@@ -97,6 +99,22 @@ var VALUE_DETECTORS = [
     test:        function (v) { return typeof v === "string" && /^\d{3}-?\d{2}-?\d{4}$/.test(v); },
     replacement: "[REDACTED-SSN]",
   },
+  {
+    // Connection-string credential leak — matches `protocol://user:pass@host`
+    // shapes that surface in error messages / metadata.reason fields when
+    // an external-DB driver drops its connect URL into an Error.message.
+    // Replacement preserves the host part for operator triage but redacts
+    // the credentials.
+    name:        "connection-string",
+    test:        function (v) {
+      if (typeof v !== "string" || v.length < C.BYTES.bytes(8)) return false; // bound BEFORE regex test
+      if (v.length > C.BYTES.kib(8)) return false;
+      // user may be empty (e.g. redis://:password@host); password
+      // segment is required to flag this as a credentialed URI.
+      return /\b[a-zA-Z][a-zA-Z0-9+.-]*:\/\/[^\s:/?#]*:[^\s@/?#]+@/.test(v);
+    },
+    replacement: "[REDACTED-CONN-STRING]",
+  },
 ];
 
 var sensitiveFieldsSet = new Set(SENSITIVE_FIELDS);

package/lib/static.js

@@ -208,6 +208,46 @@ function _contentTypeFor(filePath, table) {
   return (table && table[ext]) || DEFAULT_CONTENT_TYPES[ext] || "application/octet-stream";
 }
 
+// Risky MIMEs that the browser executes inline. When safeAttachment is
+// on, the framework forces Content-Disposition: attachment so
+// drive-by uploads can't be executed in the user's browser. Operators
+// serving trusted assets (CSS / JS bundle / SVG icon) opt out by NOT
+// setting safeAttachmentForRiskyMimes — leaving the existing inline
+// default. The defense is per-CVE-2017-15012 (SVG XSS) /
+// CVE-2009-1312 (HTML drive-by) class.
+var RISKY_INLINE_MIMES = {
+  "text/html":              true,
+  "text/xml":               true,
+  "application/xml":        true,
+  "application/xhtml+xml":  true,
+  "image/svg+xml":          true,
+  "application/javascript": true,
+  "text/javascript":        true,
+  "application/x-javascript": true,
+};
+
+function _isRiskyInlineMime(contentType) {
+  if (typeof contentType !== "string" || contentType.length === 0) return false;
+  // Strip parameters like "; charset=utf-8".
+  var semi = contentType.indexOf(";");
+  var bare = (semi === -1 ? contentType : contentType.slice(0, semi)).trim().toLowerCase();
+  return RISKY_INLINE_MIMES[bare] === true;
+}
+
+// Build a safe Content-Disposition value for an attachment. The
+// filename is RFC 5987-encoded so non-ASCII characters survive without
+// allowing CR/LF header injection.
+function _attachmentDisposition(filePath) {
+  var name = path.basename(filePath);
+  // Refuse CR/LF/NUL outright — they're already filtered upstream by
+  // the path-traversal guard, but defense-in-depth here.
+  if (/[\r\n\0]/.test(name)) name = "download";
+  // ASCII-safe filename (replace non-ASCII with _) plus filename* = UTF-8 form.
+  var asciiName = name.replace(/[^\x20-\x7e]/g, "_").replace(/["\\]/g, "_");
+  var encName = encodeURIComponent(name);
+  return 'attachment; filename="' + asciiName + '"; filename*=UTF-8\'\'' + encName;
+}
+
 // _parseRangeHeader — RFC 7233 single-range parser. Returns null when:
 //   - header absent
 //   - syntactically malformed (not `bytes=`, multi-range, suffix syntax
@@ -331,6 +371,8 @@ function _validateCreateOpts(opts) {
   validateOpts.optionalBoolean(opts.acceptRanges, "staticServe.create: acceptRanges", StaticServeError);
   validateOpts.optionalBoolean(opts.auditSuccess, "staticServe.create: auditSuccess", StaticServeError);
   validateOpts.optionalBoolean(opts.auditFailures, "staticServe.create: auditFailures", StaticServeError);
+  validateOpts.optionalBoolean(opts.safeAttachmentForRiskyMimes,
+    "staticServe.create: safeAttachmentForRiskyMimes", StaticServeError);
   numericBounds.requireNonNegativeFiniteIntIfPresent(opts.maxBytesPerActorPerWindowMs,
     "staticServe.create: maxBytesPerActorPerWindowMs", StaticServeError, "BAD_OPT");
   numericBounds.requireNonNegativeFiniteIntIfPresent(opts.maxBytesAllActorsPerWindowMs,
@@ -507,6 +549,7 @@ function create(opts) {
   var auditSuccess    = cfg.auditSuccess;
   var auditFailures   = cfg.auditFailures;
   var acceptRanges    = cfg.acceptRanges;
+  var safeAttachment  = !!cfg.safeAttachmentForRiskyMimes;
   var perActorCap     = cfg.maxBytesPerActorPerWindowMs;
   var globalCap       = cfg.maxBytesAllActorsPerWindowMs;
   var bandwidthWindowMs = cfg.bandwidthWindowMs;
@@ -851,6 +894,13 @@ function create(opts) {
       "Last-Modified":  meta.lastModified,
       "X-Integrity":    meta.integrity,
     };
+    // Drive-by-execution defense — when safeAttachmentForRiskyMimes is
+    // on, force Content-Disposition: attachment for HTML / JS / SVG /
+    // XML so the browser downloads instead of rendering. Operator's
+    // onServe hook can override.
+    if (safeAttachment && _isRiskyInlineMime(headers["Content-Type"])) {
+      headers["Content-Disposition"] = _attachmentDisposition(absPath);
+    }
     if (acceptRanges) headers["Accept-Ranges"] = "bytes";
     if (range) headers["Content-Range"] = "bytes " + range.start + "-" + range.end + "/" + meta.size;
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.74",
+  "version": "0.7.76",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:a82c1893-13c0-448e-a951-71bc3d182da3",
+  "serialNumber": "urn:uuid:16490b30-e9d2-4135-a820-485954fc745f",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T03:56:40.534Z",
+    "timestamp": "2026-05-06T04:28:11.034Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.74",
+      "bom-ref": "@blamejs/core@0.7.76",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.74",
+      "version": "0.7.76",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.74",
+      "purl": "pkg:npm/%40blamejs/core@0.7.76",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.74",
+      "ref": "@blamejs/core@0.7.76",
       "dependsOn": []
     }
   ]