@blamejs/core 0.8.17 → 0.8.18

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- **0.8.18** (2026-05-08) — Database query-builder hardening on `b.db.from(...).where|whereRaw` and `b.safeSql`. **`Query.where(field, "LIKE", value)`** — now escapes SQL `%` and `_` wildcard metacharacters in operator-supplied values and emits `LIKE ? ESCAPE '\\'`. Closes the column-disclosure class where `q=%@%` enumerated the entire table. Operators who deliberately want LIKE wildcards bypass via `whereRaw()`. **`Query.where(field, "IN", [...])`** — now expands an array to `IN (?, ?, ?)` and binds each value separately. Pre-v0.8.18 the array bound to a single placeholder and silently matched zero rows (node:sqlite `?` doesn't support array-binding). Refuses non-array / empty-array inputs. **`Query.whereRaw(sql, params)`** — placeholder-counting now skips `?` characters inside SQL string literals (single + double quoted, including `''`-doubled escapes), line comments (`-- ...`), and block comments (`/* ... */`). Pre-v0.8.18 the naive regex counted literal-`?` and either threw on count mismatch OR let through fragments with masked missing real placeholders. **`b.safeSql.BANNED_IDENTIFIERS`** — extended to refuse `pragma` / `attach` / `detach` / `analyze` / `vacuum` / `reindex` as bare identifiers. Closes the SQLite-specific escape-the-parameterized-model surface (PRAGMAs disable security-relevant protections; ATTACH mounts external databases). **`b.db.declareTable`** — refuses any app schema name that begins with the framework's `_blamejs_` prefix (was an exact-match Set; an app schema entry like `_blamejs_audit_log_archive` slipped past the gate and could shadow / look-alike framework tables).
+
 - **0.8.17** (2026-05-08) — Email auth + DANE / TLS-RPT spec-conformance fixes (ARC / DMARC / SPF / A-R / DANE / TLS-RPT). Ten more RFC-cited gaps closed. **ARC (`b.mail.arc`)** — signer's AMS canonicalization now includes the current hop's `ARC-Authentication-Results` per RFC 8617 §5.1.1 (auto-prepends to `h=` unless operator passes `excludeAarFromAms: true`). Microsoft + Google receivers DO include AAR in `h=`; the prior framework default produced chains those receivers couldn't verify. Verifier counterpart: when reconstructing the AMS canonical input, only the CURRENT hop's AAR is kept (prior-hop AARs stripped). Verifier now enforces `t=` (signing time) + `x=` (expiration) time windows per RFC 8617 §5.2 with operator-tunable `clockSkewMs` (default 5 min) — pre-v0.8.17 the verifier parsed but never enforced. **DMARC (`b.mail.dmarc`)** — multiple `v=DMARC1` records on a domain now treated as having no DMARC record per RFC 7489 §6.6.3 (`_fetchDmarcRecord` returns null on multi-match). Subdomain `sp=` fallback wired: when `_dmarc.<from-domain>` returns no record, the verifier walks one label up to the (heuristic) organizational domain and applies its `sp=` (subdomain policy) — falls back to `p=` when `sp=` absent. Result includes `policyOriginDomain` + `orgDomainPolicyApplied: true` so operators can audit which record drove the verdict. (Heuristic only — operators with PSL needs supply their own `dnsLookup` for full Public Suffix List walk.) **SPF (`b.mail.spf`)** — initial query for the sender's SPF record no longer counts toward the 10-lookup limit per RFC 7208 §4.6.4. Pre-v0.8.17 was off-by-one — senders at the spec ceiling got false `permerror`. **A-R (`b.mail.authResults`)** — result vocabulary is now METHOD-SPECIFIC per RFC 8601 §2.7 (per-method `AR_RESULTS_BY_METHOD` map). The flat `AR_VALID_RESULTS` table previously accepted `hardfail` for DKIM (only valid for DMARC §2.7.4) and accepted `temperror` / `permerror` for methods that don't recognize them. **DANE (`b.network.smtp.dane`)** — `daneTlsa()` now REFUSES to return records unless the caller passes `opts.dnssecValidated: true` per RFC 7672 §1.3 (TLSA records that are not DNSSEC-validated MUST NOT be used). Pre-v0.8.17 silently used un-validated records — silent escalation class. `daneVerifyChain` enforces RFC 6698 §2.1.4 + RFC 7672 §3.1.1 chain-order: a DANE-TA match at chain position `i` is accepted only when its DER Subject equals the DER Issuer of cert at position `i-1` (i.e. it's actually the parent in the chain, not a random non-leaf cert that happens to hash-match). Chain-order is best-effort — synthetic test fixtures without ASN.1-parseable DER fall through with `chainOrderUnverified: true` flagged on the match. **TLS-RPT (`b.network.smtp.tlsRpt.fetchPolicy`)** — record without `rua=` now returns `null` (record ignored) per RFC 8460 §3. Pre-v0.8.17 returned `{ version: "TLSRPTv1", rua: [] }` which operators incorrectly treated as a valid record with no destinations. Bug fix only — no new operator-facing primitives.
 
 - **0.8.16** (2026-05-08) — Email auth + transport spec-conformance fixes (DKIM / SPF / MTA-STS / OCSP). Ten RFC-cited gaps closed against shipped primitives. **DKIM (`b.mail.dkim`)** — verifier now refuses any signature whose `h=` tag does not include `from` (RFC 6376 §3.5 cornerstone bypass — without From-coverage the signature does not bind to the visible sender; receivers were treating these as valid); refuses unrecognized `v=` tag values per RFC 6376 §3.5 (only `v=1` accepted); enforces empty `p=` as explicit key revocation per RFC 6376 §3.6.1 (verdict `fail`, not `permerror` — well-formed signature against a withdrawn key); enforces `k=` algorithm-family tag agreement with the signature's `a=` family (e.g. `k=rsa` paired with `a=ed25519-sha256` permerrors per RFC 6376 §3.6.1); selector validator now accepts multi-label selectors per RFC 6376 §3.1 ABNF (`sub-domain *("." sub-domain)` — common for time-rotated keys like `2024.s1`). **SPF (`b.mail.spf`)** — refuses domains that publish multiple `v=spf1` TXT records with `permerror` per RFC 7208 §4.5 (most operators don't realize multi-record SPF was always invalid; this surfaces the misconfig instead of silently picking the first); `include:` mechanism now permerrors when the included domain has no SPF record per RFC 7208 §5.2 (closes the silent-authorization class where `include:gone-domain.example` followed by `+all` would silently allow). **MTA-STS (`b.smtpPolicy.mtaSts.fetch`)** — now requires the `_mta-sts.<domain>` TXT precondition record per RFC 8461 §3.1 before fetching the HTTPS policy (closes the silent-escalation class where the framework would fetch policies for domains that never opted in, AND defeats operator-side rotation when the `id=` in the TXT changes); cache TTL is now bounded by the policy's `max_age` value per RFC 8461 §3.2 (clamped between 1 hour floor and 1 year ceiling) instead of the framework's hardcoded 60-min default. **OCSP (`b.network.tls.ocsp.evaluate`)** — `evaluateOcspResponse` now enforces the `thisUpdate` / `nextUpdate` time window per RFC 6960 §4.2.2.1, rejecting responses whose validity window has expired or hasn't started yet (with operator-tunable `clockSkewMs`, default 5 min). Pre-v0.8.16 a captured "good" response could replay forever even after the cert was revoked; this defeats `requireGood` posture. Bug fix only — no new operator-facing primitives, no surface change beyond the additional refusals.

package/lib/db-query.js

@@ -117,6 +117,33 @@ class Query {
       value = lookup.value;
     }
     cryptoField && _validateField(field);
+    if (op === "IN") {
+      // node:sqlite ? does not support array-binding. Pre-v0.8.18
+      // `where(field, "IN", [1,2,3])` silently bound the entire
+      // array to a single placeholder and matched zero rows.
+      // Expand to (?, ?, ?) and push each value separately.
+      if (!Array.isArray(value) || value.length === 0) {
+        throw new Error("where IN requires a non-empty array of values");
+      }
+      var placeholders = value.map(function () { return "?"; }).join(", ");
+      this._where.push('"' + field + '" IN (' + placeholders + ")");
+      for (var i = 0; i < value.length; i += 1) this._whereParams.push(value[i]);
+      return this;
+    }
+    if (op === "LIKE" && typeof value === "string") {
+      // Escape SQL LIKE metacharacters %  and _ in operator-supplied
+      // input. Without this, a single `%` in untrusted input becomes
+      // a wildcard that matches everything — a column-disclosure
+      // class (`q=%@%` enumerates entire table). Use a backslash as
+      // the escape character (uniform across SQLite + Postgres) and
+      // emit the corresponding ESCAPE clause so the engine treats it
+      // as the escape token. Operators who deliberately want LIKE
+      // wildcards in their value bypass via whereRaw().
+      var escaped = value.replace(/[\\%_]/g, "\\$&");
+      this._where.push('"' + field + '" LIKE ? ESCAPE ' + "'\\\\'");
+      this._whereParams.push(escaped);
+      return this;
+    }
     this._where.push('"' + field + '" ' + op + " ?");
     this._whereParams.push(value);
     return this;
@@ -152,7 +179,14 @@ class Query {
       throw new Error("whereRaw: sql must be a non-empty string");
     }
     var p = Array.isArray(params) ? params : (params == null ? [] : [params]);
-    var holders = (sql.match(/\?/g) || []).length;
+    // Count `?` placeholders, but skip occurrences inside string
+    // literals ('...'  or "..."), line comments (-- to EOL), and
+    // block comments (/* ... */). Pre-v0.8.18 the naive regex
+    // counted `?` inside literals (e.g. `WHERE name = 'a?b' AND id
+    // = ?`) which caused mismatched-count errors OR — worse — let
+    // through fragments where the literal-`?` placebo masked a
+    // missed real placeholder.
+    var holders = _countPlaceholders(sql);
     if (holders !== p.length) {
       throw new Error("whereRaw: " + holders + " placeholder(s) in sql but " +
         p.length + " param(s) supplied");
@@ -392,6 +426,46 @@ class Query {
   }
 }
 
+// Count `?` placeholders outside string literals + comments.
+// Tracks SQL single-quoted, double-quoted, line-comment, and block-
+// comment state to avoid counting `?` characters that are part of
+// literal text the SQL engine never interprets as a binding marker.
+function _countPlaceholders(sql) {
+  var count = 0;
+  var i = 0;
+  var len = sql.length;
+  while (i < len) {
+    var ch = sql.charAt(i);
+    var next = i + 1 < len ? sql.charAt(i + 1) : "";
+    if (ch === "'" || ch === '"') {
+      var quote = ch;
+      i += 1;
+      while (i < len) {
+        if (sql.charAt(i) === quote) {
+          // SQL doubles the quote char to escape it within a literal.
+          if (sql.charAt(i + 1) === quote) { i += 2; continue; }
+          i += 1; break;
+        }
+        i += 1;
+      }
+      continue;
+    }
+    if (ch === "-" && next === "-") {
+      while (i < len && sql.charAt(i) !== "\n") i += 1;
+      continue;
+    }
+    if (ch === "/" && next === "*") {
+      i += 2;
+      while (i < len && !(sql.charAt(i) === "*" && sql.charAt(i + 1) === "/")) i += 1;
+      i += 2;
+      continue;
+    }
+    if (ch === "?") count += 1;
+    i += 1;
+  }
+  return count;
+}
+
 function _validateField(field) {
   if (typeof field !== "string" ||
       field.length === 0 ||

package/lib/db.js

@@ -744,13 +744,20 @@ async function init(opts) {
     }
   }
 
-  // Refuse app schema entries that collide with framework-reserved names
+  // Refuse app schema entries that collide with framework-reserved names.
+  // Pre-v0.8.18 this was an exact-match Set; an app could ship
+  // `_blamejs_audit_log_archive` (or similar prefix-collision) and the
+  // framework would silently provision it next to the reserved
+  // namespace, allowing a row-by-row look-alike attack against audit
+  // archive tooling.
   for (var ri = 0; ri < opts.schema.length; ri++) {
-    if (RESERVED_TABLE_NAMES.has(opts.schema[ri].name)) {
+    var appName = opts.schema[ri].name;
+    if (RESERVED_TABLE_NAMES.has(appName) ||
+        (typeof appName === "string" && appName.indexOf("_blamejs_") === 0)) {
       throw new DbError("db/reserved-table-name",
-        "table name '" + opts.schema[ri].name + "' is reserved by the framework. " +
+        "table name '" + appName + "' is reserved by the framework. " +
         "Pick a different name (the framework provisions audit_log, consent_log, " +
-        "and _blamejs_* tables automatically).");
+        "and any '_blamejs_*'-prefixed tables automatically).");
     }
   }
 

package/lib/safe-sql.js

@@ -58,6 +58,12 @@ var BANNED_IDENTIFIERS = new Set([
   "where", "from", "join", "into", "values", "table", "database",
   "schema", "index", "view", "trigger", "procedure", "function",
   "begin", "commit", "rollback", "savepoint",
+  // SQLite-specific commands that escape the parameterized-query
+  // model. attach/detach mount external databases; pragma changes
+  // PRAGMAs (foreign_keys / cell_size_check / trusted_schema /
+  // journal_mode etc.) which can disable security-relevant
+  // protections; analyze / vacuum drop or rewrite indexes.
+  "pragma", "attach", "detach", "analyze", "vacuum", "reindex",
 ]);
 
 // Default identifier shape — Postgres NAMEDATALEN (63 chars) is the

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.17",
+  "version": "0.8.18",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:d988e730-a00b-4cd0-990a-763f21f74dd3",
+  "serialNumber": "urn:uuid:1751cf74-fcc9-495e-a159-bac5eb2565b3",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T07:32:59.512Z",
+    "timestamp": "2026-05-07T07:40:58.458Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.17",
+      "bom-ref": "@blamejs/core@0.8.18",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.17",
+      "version": "0.8.18",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.17",
+      "purl": "pkg:npm/%40blamejs/core@0.8.18",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.17",
+      "ref": "@blamejs/core@0.8.18",
       "dependsOn": []
     }
   ]