@blamejs/core 0.8.36 → 0.8.38

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.38 (2026-05-07) — multipart parser refuses obsolete line folding (RFC 9112 §5.2 obs-fold) and CR/LF/NUL bytes in part-header values (RFC 9110 §5.5). Adds RFC 5987 / 8187 `filename*=UTF-8''…` extended-parameter support; the decoded value takes precedence over a legacy `filename=` companion.
+
+- **0.8.37** (2026-05-08) — D-L family SQL/schema hygiene. **`_blamejs_audit_purge_anchor.scope` CHECK constraint** — `scope IN ('audit', 'consent')`. Pre-v0.8.37 a typo silently created a parallel anchor; the chain verifier walked the wrong anchor and missed tampering. **`personalDataCategories` vocabulary validation** — operator-supplied categories validated against the GDPR Article 9 special-category vocabulary + the framework's general categories at `db.init`. Unknown categories don't refuse (operators have legitimate custom labels) but emit a `db.personal_data_category_unknown` audit row so typos surface in regulator reviews. Allowed: `name`, `email`, `phone`, `address`, `ip`, `id-document`, `biometric`, `health`, `genetic`, `sexual-orientation`, `racial-or-ethnic-origin`, `political-opinion`, `religious-belief`, `trade-union-membership`, `criminal-record`, `financial`, `location`, `behavioral`, `device-id`, `child-data`, `education`, `employment`, `operator-defined`.
+
 - **0.8.36** (2026-05-08) — HTTP/web G-class LOW cleanup + scope-aware bearer challenge. **WS handshake (RFC 6455 §4.1)** — `Sec-WebSocket-Key` validated as base64 of 16 random bytes (`/^[A-Za-z0-9+/]{22}==$/`). Pre-v0.8.36 only the presence was checked; truncated / arbitrary-token values flowed through. **Permissions-Policy default** — `fullscreen` flipped to `()` (deny) instead of `(self)`; operators wanting fullscreen pass an explicit override. **`b.middleware.bearerAuth` insufficient_scope (RFC 6750 §3)** — new `requiredScopes: ["scope1", "scope2"]` opt enforces operator-declared scopes. Token's `user.scope` (string, space-separated) or `user.scopes` (array) is checked; missing scopes refuse with HTTP 403 + `WWW-Authenticate: Bearer error="insufficient_scope", scope="..."`. **`b.requestHelpers.parseListHeader({strictToken: true})`** — RFC 9110 §5.6.2 token-grammar enforcement. Refuses non-token entries (anything outside `!#$%&'*+-.^_\\`|~` + alnum). **Multipart boundary validation (RFC 2046 §5.1.1)** — `_parseMultipart` refuses boundaries longer than 70 chars OR violating the `bcharsnospace` grammar. Closes the quadratic-match risk on pathological boundaries.
 
 - **0.8.35** (2026-05-08) — `b.tcpa10dlc` + `b.iabMspa` primitives. **`b.tcpa10dlc`** — TCPA 10DLC consent-record audit. 47 USC §227 + 47 CFR §64.1200 + FCC 1:1 disclosure rule (effective 2025-01-27, vacated 11th Circuit IMC v. FCC 2025 but TCPA standard still applies). $500-$1,500/violation exposure. `recordConsent({phoneE164, brand, disclosureText, disclosurePartyKind, formUrl, ip, userAgent})` writes a tamper-evident audit row with the carrier-required fields; `lookup(phoneE164)` for the carrier "produce-on-demand" workflow; `revoke(phoneE164, reason)` records consumer-initiated opt-out with audit trail. **`b.iabMspa`** — IAB Multi-State Privacy Agreement / Global Privacy Platform (GPP) universal opt-out signal codec. `parseGpp(gppString)` decodes the framing (header + per-section payloads, section-id mapping for usnat / usca / usva / usco / usct / usut / usnv / usia / usde / usnj / ustx / usor / usmt / usnh). `checkOptOut(parsed, {dataUse, state})` returns `{ mustHonor, signals }` against operator-decoded section opt-outs (sale / sharing / targeted-ads / sensitive / child-data). `refuseProcessing(parsed, opts)` throws `IabMspaError` to halt the operator's data-flow at the same point a CCPA "do-not-sell" header would. `gpcFromHeaders(req)` reads the W3C `Sec-GPC: 1` browser signal — universal opt-out per CCPA / CPRA §1798.135(b)(1) and similar state laws.

package/lib/db.js

@@ -245,7 +245,12 @@ var FRAMEWORK_SCHEMA = [
   {
     name: "_blamejs_audit_purge_anchor",
     columns: {
-      scope:             "TEXT PRIMARY KEY",
+      // CHECK constraint: scope is one of the framework's audit-
+      // chain anchor scopes (`audit` / `consent`). Pre-v0.8.37 a
+      // typo silently created a parallel anchor; the chain verifier
+      // walked the wrong anchor and missed tampering. The CHECK
+      // refuses unknown scope strings at INSERT time.
+      scope:             "TEXT PRIMARY KEY CHECK (scope IN ('audit', 'consent'))",
       lastPurgedCounter: "INTEGER NOT NULL",
       lastPurgedRowHash: "TEXT NOT NULL",
       archiveBundleId:   "TEXT NOT NULL",
@@ -780,6 +785,56 @@ async function init(opts) {
   for (var si = 0; si < opts.schema.length; si++) {
     var st = opts.schema[si];
     if (st.subjectField) {
+      // Validate personalDataCategories shape + audit-emit on
+      // unknown vocabulary. Pre-v0.8.37 this was a free-form JSON
+      // blob; a typo silently dropped the column from subject-export
+      // / erase walks. The framework checks the value is a string
+      // (catches null / number / object typos) and emits a warning
+      // audit when the category is outside the GDPR Art 9 + general
+      // vocabulary so operators can audit-trail their custom labels.
+      if (st.personalDataCategories) {
+        if (typeof st.personalDataCategories !== "object" || Array.isArray(st.personalDataCategories)) {
+          throw new DbError("db/bad-personal-data-categories",
+            "table '" + st.name + "': personalDataCategories must be an object mapping field name → category");
+        }
+        var FRAMEWORK_CATEGORY_VOCAB = [
+          "name", "email", "phone", "address", "ip", "id-document",
+          "biometric", "health", "genetic", "sexual-orientation",
+          "racial-or-ethnic-origin", "political-opinion", "religious-belief",
+          "trade-union-membership", "criminal-record",
+          "financial", "location", "behavioral", "device-id",
+          "child-data", "education", "employment", "operator-defined",
+        ];
+        Object.keys(st.personalDataCategories).forEach(function (field) {
+          var cat = st.personalDataCategories[field];
+          if (typeof cat !== "string" || cat.length === 0) {
+            throw new DbError("db/bad-personal-data-category",
+              "table '" + st.name + "' field '" + field +
+              "': category must be a non-empty string");
+          }
+          if (FRAMEWORK_CATEGORY_VOCAB.indexOf(cat) === -1) {
+            // Unknown — emit a one-time audit per (table,field,category)
+            // tuple so operators see typos in their categorical
+            // taxonomy. Lazy require to avoid circular load (audit
+            // imports db for chain hashing).
+            try {
+              var auditMod = require("./audit");                                              // allow:inline-require — circular-load defense (audit imports db)
+              auditMod.safeEmit({
+                action:   "db.personal_data_category_unknown",
+                outcome:  "success",
+                metadata: {
+                  severity: "warning",
+                  table:    st.name,
+                  field:    field,
+                  category: cat,
+                  vocabHint: "use one of: " + FRAMEWORK_CATEGORY_VOCAB.join(", ") +
+                             " (or operator-defined for genuinely-custom)",
+                },
+              });
+            } catch (_e) { /* drop-silent */ }
+          }
+        });
+      }
       subjectTables.push({
         name:                   st.name,
         subjectField:           st.subjectField,

package/lib/middleware/body-parser.js

@@ -526,27 +526,75 @@ function _sanitizeFilename(name) {
 function _parseMultipartHeaders(rawHeaders) {
   // Each line is `Header-Name: value`. Common headers: Content-Disposition,
   // Content-Type, Content-Transfer-Encoding. Unknown headers are ignored.
+  // RFC 9112 §5.2 — line folding (obs-fold) is OBSOLETE in HTTP messages;
+  // a continuation line beginning with SP/HTAB MUST be refused. RFC 9110
+  // §5.5 — header field values MUST NOT contain CR, LF, or NUL bytes.
+  // We refuse the part outright (caller surfaces the throw as 400 + drop).
   var lines = rawHeaders.split("\r\n");
   var out = {};
   for (var i = 0; i < lines.length; i++) {
     var line = lines[i];
     if (!line) continue;
+    var first = line.charCodeAt(0);
+    if (first === 32 || first === 9) {                                            // allow:raw-byte-literal — SP/HTAB obs-fold sentinels
+      throw new BodyParserError(
+        "body-parser/multipart-obs-fold",
+        "multipart part header uses obsolete line folding (RFC 9112 §5.2)",
+        true, HTTP_STATUS.BAD_REQUEST
+      );
+    }
     var idx = line.indexOf(":");
     if (idx === -1) continue;
     var k = line.slice(0, idx).trim().toLowerCase();
     var v = line.slice(idx + 1).trim();
+    for (var j = 0; j < v.length; j++) {
+      var c = v.charCodeAt(j);
+      if (c === 0 || c === 10 || c === 13) {                                      // allow:raw-byte-literal — NUL/LF/CR forbidden in field-value (RFC 9110 §5.5)
+        throw new BodyParserError(
+          "body-parser/multipart-bad-header-value",
+          "multipart part header `" + k + "` contains CR/LF/NUL (RFC 9110 §5.5)",
+          true, HTTP_STATUS.BAD_REQUEST
+        );
+      }
+    }
     out[k] = v;
   }
   return out;
 }
 
+// RFC 5987 / 8187 — `filename*=UTF-8''percent%20encoded.txt` extended
+// parameter form for non-ASCII filenames. Charset MUST be `UTF-8`
+// (case-insensitive); we refuse other charsets to keep the decode
+// path single-encoding. Language tag (between the two `'`s) is
+// permitted but ignored.
+function _decodeRfc5987(raw) {
+  if (typeof raw !== "string") return null;
+  var firstTick  = raw.indexOf("'");
+  if (firstTick === -1) return null;
+  var secondTick = raw.indexOf("'", firstTick + 1);
+  if (secondTick === -1) return null;
+  var charset = raw.slice(0, firstTick).toLowerCase();
+  if (charset !== "utf-8") return null;       // RFC 5987 mandated charset; refuse anything else
+  var encoded = raw.slice(secondTick + 1);
+  try {
+    return decodeURIComponent(encoded);
+  } catch (_e) {
+    return null;
+  }
+}
+
 function _parseHeaderParams(headerValue) {
   // Content-Disposition: form-data; name="field"; filename="x.txt"
   // Returns { _value: "form-data", name: "field", filename: "x.txt" }
+  // RFC 5987 / 8187 — when a `filename*=UTF-8''...` extended parameter
+  // is present, it takes precedence over the legacy `filename=`
+  // companion (RFC 6266 §4.3). We surface the decoded value at
+  // `filename` so downstream consumers don't need parser-aware code.
   var out = { _value: "" };
   if (!headerValue) return out;
   var parts = headerValue.split(";");
   out._value = parts[0].trim().toLowerCase();
+  var extName = null;
   for (var i = 1; i < parts.length; i++) {
     var p = parts[i].trim();
     var eq = p.indexOf("=");
@@ -554,8 +602,18 @@ function _parseHeaderParams(headerValue) {
     var k = p.slice(0, eq).trim().toLowerCase();
     var v = p.slice(eq + 1).trim();
     if (v.length >= 2 && v[0] === '"' && v[v.length - 1] === '"') v = v.slice(1, -1);
+    if (k.charAt(k.length - 1) === "*") {
+      var decoded = _decodeRfc5987(v);
+      if (decoded !== null) {
+        var bareKey = k.slice(0, -1);
+        if (bareKey === "filename") extName = decoded;
+        out[bareKey] = decoded;
+      }
+      continue;
+    }
     out[k] = v;
   }
+  if (extName !== null) out.filename = extName;
   return out;
 }
 
@@ -751,7 +809,12 @@ async function _parseMultipart(req, opts, ctParams) {
                 true, HTTP_STATUS.PAYLOAD_TOO_LARGE));
               return;
             }
-            currentHeaders = _parseMultipartHeaders(pending.slice(0, headEnd).toString("utf8"));
+            try {
+              currentHeaders = _parseMultipartHeaders(pending.slice(0, headEnd).toString("utf8"));
+            } catch (parseErr) {
+              done(parseErr);
+              return;
+            }
             pending = pending.slice(headEnd + 4);
             // Decode Content-Disposition.
             var cd = _parseHeaderParams(currentHeaders["content-disposition"]);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.36",
+  "version": "0.8.38",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:bc456840-498c-445d-b9a6-d087f3ab5715",
+  "serialNumber": "urn:uuid:33e4b58d-3cab-4ba0-b54a-4fd4a9b62e38",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T15:39:09.436Z",
+    "timestamp": "2026-05-07T16:03:53.948Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.36",
+      "bom-ref": "@blamejs/core@0.8.38",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.36",
+      "version": "0.8.38",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.36",
+      "purl": "pkg:npm/%40blamejs/core@0.8.38",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.36",
+      "ref": "@blamejs/core@0.8.38",
       "dependsOn": []
     }
   ]