@blamejs/core 0.8.13 → 0.8.16

package/lib/request-helpers.js

@@ -325,6 +325,38 @@ function parseQualityList(headerValue, opts) {
   return out;
 }
 
+// safeHeadersDistinct(req) — defensive accessor for req.headersDistinct.
+//
+// Node CVE-2026-21710: req.headersDistinct is a getter; reading
+// __proto__ on the underlying header bag throws synchronously inside
+// the getter, so a request bearing a __proto__: header escapes any
+// handler-level try/catch (the throw happens at property-access time,
+// not later). This helper computes the same shape (lowercased header-
+// name → array of values) directly from req.rawHeaders, bypassing the
+// faulty getter entirely.
+//
+// Returns a null-prototype object so framework code can iterate its
+// keys without inheriting Object.prototype properties — the same shape
+// Node's headersDistinct produces, minus the throwing getter.
+function safeHeadersDistinct(req) {
+  var out = Object.create(null);
+  if (!req || !Array.isArray(req.rawHeaders)) return out;
+  var raw = req.rawHeaders;
+  for (var i = 0; i + 1 < raw.length; i += 2) {
+    var name  = raw[i];
+    var value = raw[i + 1];
+    if (typeof name !== "string" || typeof value !== "string") continue;
+    var lower = name.toLowerCase();
+    // skip __proto__ / constructor / prototype as keys — they are the
+    // exact strings that triggered the upstream getter throw, and we
+    // refuse to surface them as accessible header names.
+    if (lower === "__proto__" || lower === "constructor" || lower === "prototype") continue;
+    if (out[lower]) out[lower].push(value);
+    else out[lower] = [value];
+  }
+  return out;
+}
+
 module.exports = {
   resolveRoute:              resolveRoute,
   captureResponseStatus:     captureResponseStatus,
@@ -336,5 +368,7 @@ module.exports = {
   clientIp:                  clientIp,
   requestProtocol:           requestProtocol,
   appendVary:                appendVary,
+  // CVE-2026-21710 wrap — safe alternative to req.headersDistinct
+  safeHeadersDistinct:       safeHeadersDistinct,
   HTTP_STATUS:               HTTP_STATUS,
 };

package/lib/router.js

@@ -620,6 +620,34 @@ class Router {
     };
     var server;
     if (tlsOptions) {
+      // CVE-2026-21637 — Node propagates synchronous throws from a
+      // user-supplied SNICallback up through the TLS handshake
+      // listener; an unhandled throw on an unexpected servername
+      // crashes the listener. Wrap the operator's SNICallback so any
+      // synchronous error becomes a clean async (err, null) callback.
+      // RFC 6066 §3 expects the server to abort the handshake on a
+      // failed callback, not crash the process.
+      if (tlsOptions.SNICallback && typeof tlsOptions.SNICallback === "function") {
+        var operatorSniCallback = tlsOptions.SNICallback;
+        tlsOptions = Object.assign({}, tlsOptions, {
+          SNICallback: function (servername, cb) {
+            try {
+              operatorSniCallback(servername, cb);
+            } catch (err) {
+              log.error("SNICallback threw for servername=" +
+                JSON.stringify(servername) + ": " + (err && err.message));
+              try { cb(err, null); } catch (_e) { /* cb already invoked */ }
+            }
+          },
+        });
+      }
+      // TLS 1.3 minimum — operator can override but the framework's
+      // default refuses pre-1.3 negotiation. Without this set the
+      // bare {key, cert} path inherits Node's TLSv1.2 default; the
+      // outbound httpClient already pins TLS 1.3.
+      if (!tlsOptions.minVersion) {
+        tlsOptions = Object.assign({ minVersion: "TLSv1.3" }, tlsOptions);
+      }
       // h2-capable server with h1 fallback via ALPN. ["h2", "http/1.1"]
       // means modern clients negotiate h2 (preferred); legacy clients
       // fall back to h1. allowHTTP1: true is what makes the same server

package/lib/sse.js

@@ -0,0 +1,349 @@
+"use strict";
+/**
+ * Server-Sent Events primitive — text/event-stream transport with
+ * newline-injection refusal in event:/id:/data: fields.
+ *
+ * The SSE wire format is line-oriented (W3C HTML Living Standard
+ * §server-sent-events-spec): each field is a line of the form
+ * "<name>: <value>" terminated by a single LF, and an empty line
+ * separates events. Any LF/CR/NUL inside a value silently splits the
+ * field, letting an attacker forge subsequent events, the event id
+ * (which the client echoes back as Last-Event-ID on reconnect), or
+ * the message data. Three CVEs in one quarter — CVE-2026-33128 (h3),
+ * CVE-2026-29085 (Hono), CVE-2026-44217 (sse-channel) — published in
+ * the same vulnerability class.
+ *
+ * Public API:
+ *
+ *   sse.create(req, res, opts) → channel
+ *     Wires the response stream as text/event-stream, sets the
+ *     SSE-required headers, and returns a channel object. opts:
+ *       heartbeatMs    — interval for `:keepalive` comment frames
+ *                        (default 15 s; pass 0 to disable)
+ *       retryMs        — initial reconnection-time advisory sent on
+ *                        stream open (sets the `retry:` field once;
+ *                        omitted when null/undefined)
+ *       errorClass     — FrameworkError subclass to throw on bad
+ *                        input (default SseError)
+ *       audit          — bool, default true. Emit SSE lifecycle audit
+ *                        events.
+ *
+ *   channel.send({ event, id, data, retry })
+ *     Writes a single SSE event. Each field is validated; LF/CR/NUL
+ *     anywhere in event/id is refused via `errorClass`. data is
+ *     allowed to contain LF — the framework splits it into multiple
+ *     `data:` lines per the spec — but CR and NUL are refused. retry
+ *     must be a non-negative finite integer.
+ *
+ *   channel.comment(text)
+ *     Writes a `:<text>` comment line (used for keepalive). LF/CR/NUL
+ *     in `text` are refused.
+ *
+ *   channel.close()
+ *     Ends the underlying response stream and stops the heartbeat
+ *     timer. Idempotent.
+ *
+ *   channel.lastEventId
+ *     The Last-Event-ID header value from the initial request, or
+ *     null. Sanitized — any LF/CR/NUL renders the header null
+ *     (refuse-on-bad-input rather than passing through to handlers).
+ *
+ *   sse.serializeEvent({ event, id, data, retry })
+ *     Returns the SSE-encoded string for a single event. Same
+ *     validation rules as channel.send. Exposed for operators that
+ *     buffer events through their own queue before writing.
+ *
+ * Error discipline:
+ *   channel.send and serializeEvent THROW errorClass on bad input.
+ *   SSE is not a drop-silent surface — a refused event is a
+ *   programming bug, and silently dropping would mask the injection
+ *   attempt the refusal exists to flag. close() is idempotent and
+ *   never throws.
+ *
+ * Composition:
+ *   - Composes with router via raw req/res — no router-specific
+ *     coupling. Works under h1 and h2 (h2 keeps the stream open
+ *     identically; the response is just chunked-transfer at h1 and
+ *     a long-running DATA-frame stream at h2).
+ *   - Audit emissions go through audit.safeEmit so SSE doesn't
+ *     escape audit-bus failures back to the caller.
+ */
+
+var C = require("./constants");
+var audit = require("./audit");
+var { SseError } = require("./framework-error");
+
+// Per W3C SSE — the wire format uses LF as terminator. A single LF
+// inside any field splits the value at the parser. CR is canonicalized
+// to LF by the parser (CR-only and CRLF terminators are also valid),
+// so CR is equally injection-shaped. NUL is refused universally — it
+// has no place in an event-stream wire-form and any presence is
+// suspicious.
+// eslint-disable-next-line no-control-regex
+var INJECTION_RE = /[\r\n\u0000]/;
+
+// retry: must be a non-negative finite integer. Browsers floor /
+// reject non-integer or negative values; refuse them at the source so
+// downstream behavior is uniform.
+function _validateRetry(retry, errorClass) {
+  if (retry === undefined || retry === null) return null;
+  if (typeof retry !== "number" || !isFinite(retry) || retry < 0 ||
+      Math.floor(retry) !== retry) {
+    throw errorClass.factory("BAD_RETRY",
+      "sse.send: retry must be a non-negative finite integer (got " +
+      JSON.stringify(retry) + ")");
+  }
+  return retry;
+}
+
+function _refuseInjection(field, value, errorClass) {
+  if (typeof value !== "string") {
+    throw errorClass.factory("BAD_FIELD",
+      "sse.send: " + field + " must be a string");
+  }
+  // Length-bound BEFORE the regex test — _capField applies a tighter
+  // cap further along, but the regex itself runs against the full
+  // value so we bound here too.
+  if (value.length > MAX_DATA_BYTES) {
+    throw errorClass.factory("FIELD_TOO_LARGE",
+      "sse.send: " + field + " too large for injection scan");
+  }
+  if (INJECTION_RE.test(value)) {                                                          // allow:regex-no-length-cap — value length capped above
+    audit.safeEmit({
+      action:   "sse.injection_refused",
+      outcome:  "denied",
+      metadata: { field: field, length: value.length },
+    });
+    throw errorClass.factory("INJECTION",
+      "sse.send: " + field + " contains LF/CR/NUL — refused " +
+      "(CVE-2026-33128 / 29085 / 44217 class)");
+  }
+}
+
+// Field caps. Values aren't open-ended — a 100 MiB `id:` is an abuse
+// shape. Operators who need larger bodies use the chunked binary
+// transports (websocket / file-upload). SSE is for text events.
+var MAX_EVENT_BYTES = C.BYTES.kib(8);
+var MAX_ID_BYTES    = C.BYTES.kib(8);
+var MAX_DATA_BYTES  = C.BYTES.mib(1);
+
+function _capField(field, value, capBytes, errorClass) {
+  var len = Buffer.byteLength(value, "utf8");
+  if (len > capBytes) {
+    throw errorClass.factory("FIELD_TOO_LARGE",
+      "sse.send: " + field + " exceeds cap (" + len + " > " +
+      capBytes + " bytes)");
+  }
+}
+
+function serializeEvent(opts, errorClass) {
+  errorClass = errorClass || SseError;
+  if (!opts || typeof opts !== "object") {
+    throw errorClass.factory("BAD_OPTS", "sse.serializeEvent: opts required");
+  }
+  var out = "";
+  // Field order: id, event, retry, data — matches the framework's
+  // historical b.middleware.sse layout. The W3C SSE spec is order-
+  // agnostic, but consumers (incl. the existing wiki test fixtures)
+  // pin this order.
+  if (opts.id !== undefined && opts.id !== null) {
+    _refuseInjection("id", opts.id, errorClass);
+    _capField("id", opts.id, MAX_ID_BYTES, errorClass);
+    out += "id: " + opts.id + "\n";
+  }
+  if (opts.event !== undefined && opts.event !== null) {
+    _refuseInjection("event", opts.event, errorClass);
+    _capField("event", opts.event, MAX_EVENT_BYTES, errorClass);
+    out += "event: " + opts.event + "\n";
+  }
+  var retry = _validateRetry(opts.retry, errorClass);
+  if (retry !== null) {
+    out += "retry: " + retry + "\n";
+  }
+  if (opts.data !== undefined && opts.data !== null) {
+    if (typeof opts.data !== "string") {
+      throw errorClass.factory("BAD_FIELD",
+        "sse.send: data must be a string");
+    }
+    _capField("data", opts.data, MAX_DATA_BYTES, errorClass);
+    // CR / NUL refused; LF allowed (split into multiple data: lines).
+    // eslint-disable-next-line no-control-regex
+    if (/[\r\u0000]/.test(opts.data)) {
+      audit.safeEmit({
+        action:   "sse.injection_refused",
+        outcome:  "denied",
+        metadata: { field: "data", length: opts.data.length, char: "cr-or-nul" },
+      });
+      throw errorClass.factory("INJECTION",
+        "sse.send: data contains CR or NUL — refused");
+    }
+    var lines = opts.data.split("\n");
+    for (var i = 0; i < lines.length; i += 1) {
+      out += "data: " + lines[i] + "\n";
+    }
+  }
+  // Empty line separator.
+  out += "\n";
+  return out;
+}
+
+function _validateComment(text, errorClass) {
+  if (typeof text !== "string") {
+    throw errorClass.factory("BAD_FIELD",
+      "sse.comment: text must be a string");
+  }
+  if (text.length > MAX_DATA_BYTES) {
+    throw errorClass.factory("FIELD_TOO_LARGE",
+      "sse.comment: text too large for injection scan");
+  }
+  if (INJECTION_RE.test(text)) {                                                            // allow:regex-no-length-cap — text length capped above
+    audit.safeEmit({
+      action:   "sse.injection_refused",
+      outcome:  "denied",
+      metadata: { field: "comment", length: text.length },
+    });
+    throw errorClass.factory("INJECTION",
+      "sse.comment: text contains LF/CR/NUL — refused");
+  }
+}
+
+// Sanitize the Last-Event-ID header value the client echoed on
+// reconnect. Per the spec the client SHOULD send the most recent id,
+// but we receive raw header bytes — refuse the value entirely (return
+// null) if it carries any injection-shaped char.
+function _readLastEventId(req) {
+  if (!req || !req.headers) return null;
+  var raw = req.headers["last-event-id"];
+  if (typeof raw !== "string" || raw.length === 0) return null;
+  if (INJECTION_RE.test(raw)) return null;
+  if (Buffer.byteLength(raw, "utf8") > MAX_ID_BYTES) return null;
+  return raw;
+}
+
+function create(req, res, opts) {
+  opts = opts || {};
+  var errorClass = opts.errorClass || SseError;
+  if (!res || typeof res.write !== "function" || typeof res.end !== "function") {
+    throw errorClass.factory("BAD_RES",
+      "sse.create: res must be a writable response stream");
+  }
+  var heartbeatMs = opts.heartbeatMs;
+  if (heartbeatMs === undefined) heartbeatMs = C.TIME.seconds(15);
+  if (typeof heartbeatMs !== "number" || !isFinite(heartbeatMs) ||
+      heartbeatMs < 0 || Math.floor(heartbeatMs) !== heartbeatMs) {
+    throw errorClass.factory("BAD_OPTS",
+      "sse.create: heartbeatMs must be a non-negative integer ms (got " +
+      JSON.stringify(heartbeatMs) + ")");
+  }
+  var auditOn = opts.audit !== false;
+
+  var lastEventId = _readLastEventId(req);
+
+  // Headers. text/event-stream is the contract; Cache-Control: no-cache
+  // and Connection: keep-alive (h1) are the operationally required
+  // pair. X-Accel-Buffering: no defeats nginx-style proxy buffering;
+  // operators behind a proxy that doesn't honor this set proxyBuffer:
+  // false on their LB.
+  if (typeof res.setHeader === "function") {
+    res.setHeader("Content-Type",      "text/event-stream; charset=utf-8");
+    res.setHeader("Cache-Control",     "no-cache, no-transform");
+    res.setHeader("X-Accel-Buffering", "no");
+    // Connection: keep-alive only meaningful on h1; h2 streams stay
+    // open until either side closes. node:http2 surfaces res.stream
+    // (h2 ServerHttp2Stream) where setHeader works the same.
+    if (req && req.httpVersionMajor !== 2) {
+      res.setHeader("Connection", "keep-alive");
+    }
+  }
+  if (typeof res.flushHeaders === "function") {
+    try { res.flushHeaders(); } catch (_e) { /* response may have flushed already */ }
+  }
+
+  var closed = false;
+  var heartbeatTimer = null;
+
+  function _writeRaw(s) {
+    if (closed) {
+      throw errorClass.factory("CLOSED",
+        "sse.send: channel closed");
+    }
+    res.write(s);
+  }
+
+  function send(eventOpts) {
+    var encoded = serializeEvent(eventOpts || {}, errorClass);
+    _writeRaw(encoded);
+  }
+
+  function comment(text) {
+    _validateComment(text, errorClass);
+    _writeRaw(":" + text + "\n\n");
+  }
+
+  function close() {
+    if (closed) return;
+    closed = true;
+    if (heartbeatTimer) {
+      clearInterval(heartbeatTimer);
+      heartbeatTimer = null;
+    }
+    try { res.end(); } catch (_e) { /* already destroyed */ }
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "sse.channel_closed",
+        outcome:  "success",
+        metadata: { lastEventId: lastEventId },
+      });
+    }
+  }
+
+  // Stream-side close detection — when the client disconnects, free
+  // the heartbeat timer.
+  if (typeof res.on === "function") {
+    res.on("close",  close);
+    res.on("error",  function (_e) { close(); });
+    res.on("finish", function () { closed = true; if (heartbeatTimer) { clearInterval(heartbeatTimer); heartbeatTimer = null; } });
+  }
+
+  // Optional retry: advisory on open.
+  if (opts.retryMs !== undefined && opts.retryMs !== null) {
+    var validatedRetry = _validateRetry(opts.retryMs, errorClass);
+    _writeRaw("retry: " + validatedRetry + "\n\n");
+  }
+
+  // Heartbeat keeps intermediaries from idle-timing out the stream and
+  // gives the client a reliable progress signal. Timer is unref'd so a
+  // single live SSE channel doesn't pin the event loop on shutdown.
+  if (heartbeatMs > 0) {
+    heartbeatTimer = setInterval(function () {
+      if (closed) return;
+      try { _writeRaw(":keepalive\n\n"); }
+      catch (_e) { close(); }
+    }, heartbeatMs).unref();
+  }
+
+  if (auditOn) {
+    audit.safeEmit({
+      action:   "sse.channel_opened",
+      outcome:  "success",
+      metadata: { lastEventId: lastEventId, heartbeatMs: heartbeatMs },
+    });
+  }
+
+  return {
+    send:        send,
+    comment:     comment,
+    close:       close,
+    get lastEventId() { return lastEventId; },
+    get closed()      { return closed;      },
+  };
+}
+
+module.exports = {
+  create:          create,
+  serializeEvent:  serializeEvent,
+  // Cap exposure for operators wiring their own framing.
+  MAX_EVENT_BYTES: MAX_EVENT_BYTES,
+  MAX_ID_BYTES:    MAX_ID_BYTES,
+  MAX_DATA_BYTES:  MAX_DATA_BYTES,
+};

package/lib/vault/index.js

@@ -292,6 +292,8 @@ function getMode() {
 
 var vaultAad = require("../vault-aad");
 
+var sealPemFileModule = require("./seal-pem-file");
+
 module.exports = {
   init:                  init,
   seal:                  seal,
@@ -301,6 +303,8 @@ module.exports = {
   getCurrentPassphrase:  getCurrentPassphrase,
   getMode:               getMode,
   VaultError:            VaultError,
+  sealPemFile:           sealPemFileModule.sealPemFile,
+  SealPemFileError:      sealPemFileModule.SealPemFileError,
   // Testing helpers — not part of the public contract
   _resetForTest:         function () {
     if (currentPassphrase) safeBuffer.secureZero(currentPassphrase);