@blamejs/core 0.8.32 → 0.8.34

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- **0.8.34** (2026-05-08) — `lib/middleware/body-parser.js` BiDi-strip regex uses Unicode-escape form (`\\u202A`-style) instead of literal codepoints to satisfy ESLint's `no-irregular-whitespace`. v0.8.33 publish workflow blocked on this; v0.8.33 tag exists on git but never reached npm — v0.8.34 cumulative includes the v0.8.33 G-class MEDIUM fixes.
+
+- **0.8.33** (2026-05-08) — HTTP/web G-class MEDIUM cleanup. Six RFC-cited refinements against shipped WebSocket / Permissions-Policy / JWT / body-parser / OAuth surfaces. **WS close-frame validation (RFC 6455 §5.5.1 + §7.4.2)** — `_handleClose` now refuses 1-byte close-frame payloads (malformed; pre-v0.8.33 silently accepted as clean close, evading anomaly detection) and validates the close-code against the §7.4.2 vocabulary (1000-1011 + 3000-4999 valid; 1004/1005/1006/1015 reserved/forbidden; everything else refused). **Permissions-Policy default expansion** — `b.middleware.securityHeaders` deny-by-default now covers `interest-cohort`, `attribution-reporting`, `bluetooth`, `hid`, `serial`, `idle-detection`, `local-fonts`, `compute-pressure`, `window-management`, `private-state-token-issuance`, `private-state-token-redemption`. **JWT typ assertion (RFC 8725 §3.11)** — `b.auth.jwt.verify({expectedTyp})` refuses tokens whose header.typ doesn't match (typ-confusion class). Case-insensitive match per RFC 8725. Unset `expectedTyp` skips the check (legacy token compatibility). **Multipart filename BiDi/RTL strip** — `_sanitizeFilename` now drops Trojan Source (CVE-2021-42574) BiDi formatting + zero-width codepoints from uploaded filenames before the basename hits the filesystem. **OAuth redirect_uri localhost exception (RFC 9700 §4.1.1)** — `b.auth.oauth.create({redirectUri})` now accepts `http://localhost` / `http://127.0.0.1` / `http://[::1]` without requiring `allowHttp: true` (which would loosen ALL operator-supplied URLs). HTTPS still required for non-loopback hosts.
+
 - **0.8.32** (2026-05-08) — Email/DNS MEDIUM impl-vs-spec cleanup. Eight RFC-cited refinements against shipped DKIM / SPF / DMARC / A-R / TLS-RPT / DoH primitives. **DKIM (`b.mail.dkim`)** — verifier enforces `x=` signature expiration (permerrors past expiry per RFC 6376 §3.5) and `t=` future-date sanity (refuses signatures more than 24h ahead of `now`); rejects `x= < t=` malformation. Operator-tunable `clockSkewMs` (default 5 min). **SPF (`b.mail.spf`)** — `_parseSpfRecord` now distinguishes mechanisms from modifiers (RFC 7208 §4.6 — `redirect=` / `exp=` are modifiers, not mechanisms). Pre-v0.8.32 `redirect=` triggered the generic "out of scope" permerror; surfaced separately via `mechanisms.modifiers`. SPF IPv6 CIDR matching now uses a real bitwise CIDR check (`_ipv6Expand` + group-by-group + bit-mask) instead of the prior string-prefix heuristic that mishandled `::` shorthand. **DMARC (`b.mail.dmarc`)** — `recommendedAction` now consults `pct=` per RFC 7489 §6.6.4. When `pct < 100` the receiver applies one-step-less-strict disposition (reject → quarantine; quarantine → none) on the sampled fraction. **A-R (`b.mail.authResults`)** — `reason=` quoted-string now uses RFC 8601 §2.2 `\"` escape (lossless round-trip) instead of the prior `"`-to-`'` collapse. **TLS-RPT (`b.network.smtp.tlsRpt.submit`)** — `mailto:` rua entries are now RFC 5322 addr-spec-validated before forwarding to `b.mail`. Pre-v0.8.32 invalid mailto targets crashed at submit-time with opaque transport errors. **DoH (`b.network.dns.resolveSecure`)** — host now validated label-by-label per RFC 1035 §2.3.4 LDH rule (letters/digits/hyphen, no leading/trailing hyphen, label length 1..63). Pre-v0.8.32 only the total length was checked; underscore / colon / space hosts flowed through to opaque DoH errors. (MTA-STS HTTPS cert validation against `mta-sts.<domain>` is already covered by Node's TLS handshake; no code change needed.)
 
 - **0.8.31** (2026-05-08) — `b.fdx` CFPB §1033 / Financial Data Exchange (FDX) consumer-financial-data sharing wrapper. CFPB §1033 (12 CFR §1033.121-461, final rule 2024-10-22) gives US consumers the right to authorize a third party to access their financial data through the data provider's developer interface. Compliance deadline ⏰ 2026-04-01 already past for $250B+ asset-size banks. **`b.fdx.bind({authServer, resources})`** binds the operator's authorization server config to the FAPI 2.0 profile (the §1033.351 security requirements ≈ FAPI 2.0); refuses if PKCE/DPoP/PAR are misconfigured per `b.fapi2.assertOAuthConfig`. **`b.fdx.validateResponse(resourceType, body)`** validates a response shape against the FDX 6.0 minimum schema for accounts / transactions / statements / payment-networks / rewards / tax-forms — refuses missing-required fields. **`b.fdx.consentReceipt(opts)`** generates the §1033.401(b) consent receipt the authorization server gives the consumer at authorization time (data provider, consumer, third-party recipient, scopes, revocation URL, issued+expires timestamps).

package/lib/auth/jwt.js

@@ -269,6 +269,22 @@ async function verify(token, opts) {
       "token declares critical extensions which this verifier does not support");
   }
 
+  // RFC 8725 §3.11 — typ-confusion class. When opts.expectedTyp is
+  // supplied (e.g. "JWT", "at+jwt", "logout+jwt"), refuse tokens
+  // whose header.typ doesn't match. Caller-side check; the framework
+  // doesn't impose a default typ to remain compatible with legacy
+  // tokens that omit it. Match is case-insensitive per RFC 8725.
+  if (opts.expectedTyp !== undefined) {
+    validateOpts.requireNonEmptyString(opts.expectedTyp,
+      "verify: opts.expectedTyp", AuthError, "auth-jwt/bad-expected-typ");
+    var got = decoded.header.typ;
+    if (typeof got !== "string" || got.toLowerCase() !== opts.expectedTyp.toLowerCase()) {
+      throw new AuthError("auth-jwt/typ-mismatch",
+        "token header.typ='" + got + "' does not match expectedTyp='" +
+        opts.expectedTyp + "' (RFC 8725 §3.11 typ-confusion class)");
+    }
+  }
+
   // Algorithm must be in the allowed list AND match what we know how
   // to verify (i.e. one of SUPPORTED_ALGORITHMS).
   if (allowed.indexOf(decoded.header.alg) === -1) {

package/lib/auth/oauth.js

@@ -111,6 +111,7 @@ var { generateBytes } = require("../crypto");
 var httpClient = require("../http-client");
 var safeJson = require("../safe-json");
 var safeUrl = require("../safe-url");
+var { URL } = require("url");
 var { defineClass } = require("../framework-error");
 
 // Cap on responses parsed from upstream OAuth providers. Token /
@@ -235,6 +236,26 @@ function _validateUrl(url, allowHttp, label) {
   if (typeof url !== "string" || url.length === 0) {
     throw new OAuthError("auth-oauth/bad-url", label + ": URL is required");
   }
+  // RFC 9700 §4.1.1 — redirect URIs MUST be HTTPS, with an exception
+  // for `http://localhost` and `http://127.0.0.1[:port]` to enable
+  // local development. Pre-v0.8.33 operators developing on localhost
+  // had to set `allowHttp: true` globally, which loosens the gate
+  // for ALL operator-supplied URLs (issuer, discovery, token, etc.).
+  // Now: when the URL is loopback, accept HTTP without flipping the
+  // global flag.
+  var isLocalhostHttp = false;
+  try {
+    var parsed = new URL(url);                                                                  // allow:raw-new-url — RFC 9700 §4.1.1 localhost-exception lookup; safeUrl re-validates below for non-localhost paths
+    if (parsed.protocol === "http:" &&
+        (parsed.hostname === "localhost" ||
+         parsed.hostname === "127.0.0.1" ||
+         parsed.hostname === "[::1]" ||
+         parsed.hostname === "::1")) {
+      isLocalhostHttp = true;
+    }
+  } catch (_e) { /* malformed; let safeUrl surface the canonical error below */ }
+  if (isLocalhostHttp) return url;
+
   // Operator-supplied OAuth issuer / endpoint URL — route through
   // safeUrl so the scheme allowlist is consistent with the rest of the
   // framework's outbound gates. Map safe-url's error codes to the
@@ -246,7 +267,7 @@ function _validateUrl(url, allowHttp, label) {
   } catch (e) {
     if (e && e.code === "safe-url/protocol-disallowed") {
       throw new OAuthError("auth-oauth/insecure-url",
-        label + ": must be https" + (allowHttp ? " or http" : "") +
+        label + ": must be https" + (allowHttp ? " or http" : " (or http://localhost for dev)") +
         " (got '" + url + "')");
     }
     throw new OAuthError("auth-oauth/bad-url",

package/lib/middleware/body-parser.js

@@ -505,6 +505,16 @@ function _sanitizeFilename(name) {
   if (idx !== -1) s = s.slice(idx + 1);
   // Drop control characters, NUL, leading/trailing dots.
   s = s.replace(/\p{Cc}/gu, "");
+  // Trojan Source CVE-2021-42574 class — strip BiDi formatting +
+  // zero-width codepoints from the filename. An attacker uploading
+  // `Photo01By‮gpj.SCR` displays as `Photo01By.jpg` in audit
+  // logs while the OS opens `.SCR`. Universal-refuse on these
+  // codepoints; operators with legitimate need pass the raw filename
+  // through `b.guardFilename` with explicit BiDi opt-in.
+  // BiDi formatting (U+202A..U+202E, U+2066..U+2069), zero-width
+  // (U+200B..U+200D, U+2060), BOM (U+FEFF) — Unicode escapes so the
+  // regex itself contains no irregular whitespace.
+  s = s.replace(/[\u202A-\u202E\u2066-\u2069\u200B-\u200D\u2060\uFEFF]/g, "");
   s = s.replace(/^\.+/, "").replace(/\.+$/, "");
   if (s.length === 0) return null;
   if (s.length > 255) s = s.slice(0, 255);

package/lib/middleware/security-headers.js

@@ -44,6 +44,19 @@ var DEFAULT_PERMISSIONS = [
   "geolocation=()", "gyroscope=()", "magnetometer=()", "microphone=()",
   "midi=()", "payment=()", "picture-in-picture=()", "publickey-credentials-get=()",
   "screen-wake-lock=()", "sync-xhr=()", "usb=()", "web-share=()", "xr-spatial-tracking=()",
+  // v0.8.33 expansion — newer Permissions-Policy feature names that
+  // weren't deny-by-default before. interest-cohort (FLoC, deprecated
+  // but still recognized), attribution-reporting (Privacy Sandbox),
+  // bluetooth / hid / serial (Web USB-shaped APIs), idle-detection,
+  // local-fonts (system-font fingerprinting), compute-pressure
+  // (CPU-load-side-channel), window-management (multi-screen probe),
+  // and the private-state-token-* family (Privacy-Pass-style anti-
+  // fraud tokens). Operators wanting any of these explicitly opt in
+  // by passing their own permissionsPolicy.
+  "interest-cohort=()", "attribution-reporting=()",
+  "bluetooth=()", "hid=()", "serial=()", "idle-detection=()",
+  "local-fonts=()", "compute-pressure=()", "window-management=()",
+  "private-state-token-issuance=()", "private-state-token-redemption=()",
 ];
 
 // Strict CSP — no 'unsafe-inline' on script-src OR style-src.

package/lib/websocket.js

@@ -187,6 +187,19 @@ var DEFAULT_PING_INTERVAL_MS  = C.TIME.seconds(30);
 var DEFAULT_PONG_TIMEOUT_MS   = C.TIME.seconds(35);
 var CLOSE_GRACE_MS            = C.TIME.seconds(2);
 
+// RFC 6455 §7.4.2 close-code validity gate. Codes 0..999 MUST NOT
+// appear on the wire. 1004 / 1005 / 1006 / 1015 are reserved
+// (1005/1006 are local-only sentinels; 1004/1015 are reserved for
+// future use). Codes 1000..1011 are spec-allocated. 3000..3999 are
+// IANA-registered. 4000..4999 are private-use. Anything else is
+// invalid.
+function _isValidCloseCode(code) {
+  if (code === 1004 || code === 1005 || code === 1006 || code === 1015) return false;        // allow:raw-byte-literal — RFC 6455 §7.4.2 reserved codes
+  if (code >= 1000 && code <= 1011) return true;                                              // allow:raw-byte-literal — RFC 6455 §7.4.2 spec range / allow:raw-time-literal — code is a numeric, not seconds
+  if (code >= 3000 && code <= 4999) return true;                                              // allow:raw-byte-literal — RFC 6455 §7.4.2 IANA / private range / allow:raw-time-literal — code is a numeric, not seconds
+  return false;
+}
+
 // Connection lifecycle states — mirrors the browser WebSocket API +
 // the npm `ws` library. Single-source-of-truth field; every state
 // transition goes through _transitionToClosed (or set in the
@@ -817,8 +830,25 @@ class WebSocketConnection extends EventEmitter {
 
   _handleClose(frame) {
     var code = CLOSE_NORMAL, reason = "";
+    // RFC 6455 §5.5.1 — close-frame body is either empty or 2+
+    // bytes (2-byte close code + optional UTF-8 reason). A 1-byte
+    // body is malformed; pre-v0.8.33 the framework silently
+    // accepted it as a clean close, evading anomaly detection
+    // that would have classified the malformation.
+    if (frame.payload.length === 1) {
+      return this._abort(CLOSE_PROTOCOL_ERROR,
+        "close frame payload must be 0 or >=2 bytes (RFC 6455 §5.5.1)");
+    }
     if (frame.payload.length >= 2) {
       code = frame.payload.readUInt16BE(0);
+      // RFC 6455 §7.4.2 — codes 0..999 MUST NOT be used. 1004 /
+      // 1005 / 1006 / 1015 are reserved (1005/1006 are local-only
+      // sentinels; 1004/1015 are reserved for future use).
+      // 1000-1011 + 3000-4999 are valid; everything else is invalid.
+      if (!_isValidCloseCode(code)) {
+        return this._abort(CLOSE_PROTOCOL_ERROR,
+          "close code " + code + " is reserved or invalid (RFC 6455 §7.4.2)");
+      }
       if (frame.payload.length > 2) {
         try { reason = new TextDecoder("utf-8", { fatal: true }).decode(frame.payload.subarray(2)); }
         catch (_e) { return this._abort(CLOSE_INVALID_PAYLOAD, "close reason is not valid UTF-8"); }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.32",
+  "version": "0.8.34",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:359da00f-648c-4902-9bc9-42d47f0fe0d0",
+  "serialNumber": "urn:uuid:3be80324-29fb-478d-819e-0b32ffd604d7",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T15:01:43.286Z",
+    "timestamp": "2026-05-07T15:22:30.612Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.32",
+      "bom-ref": "@blamejs/core@0.8.34",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.32",
+      "version": "0.8.34",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.32",
+      "purl": "pkg:npm/%40blamejs/core@0.8.34",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.32",
+      "ref": "@blamejs/core@0.8.34",
       "dependsOn": []
     }
   ]