npm - @blamejs/core - Versions diffs - 0.9.46 → 0.10.1 - Mend

@blamejs/core 0.9.46 → 0.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

package/CHANGELOG.md +951 -893
package/index.js +30 -0
package/lib/_test/crypto-fixtures.js +67 -0
package/lib/agent-event-bus.js +52 -6
package/lib/agent-idempotency.js +169 -16
package/lib/agent-orchestrator.js +263 -9
package/lib/agent-posture-chain.js +163 -5
package/lib/agent-saga.js +146 -16
package/lib/agent-snapshot.js +349 -19
package/lib/agent-stream.js +34 -2
package/lib/agent-tenant.js +179 -23
package/lib/agent-trace.js +84 -21
package/lib/auth/aal.js +8 -1
package/lib/auth/ciba.js +6 -1
package/lib/auth/dpop.js +7 -2
package/lib/auth/fal.js +17 -8
package/lib/auth/jwt-external.js +128 -4
package/lib/auth/oauth.js +232 -10
package/lib/auth/oid4vci.js +67 -7
package/lib/auth/openid-federation.js +71 -25
package/lib/auth/passkey.js +140 -6
package/lib/auth/sd-jwt-vc.js +67 -5
package/lib/circuit-breaker.js +10 -2
package/lib/compliance.js +176 -8
package/lib/crypto-field.js +114 -14
package/lib/crypto.js +216 -20
package/lib/db.js +1 -0
package/lib/guard-imap-command.js +335 -0
package/lib/guard-jmap.js +321 -0
package/lib/guard-managesieve-command.js +566 -0
package/lib/guard-pop3-command.js +317 -0
package/lib/guard-smtp-command.js +58 -3
package/lib/mail-agent.js +20 -7
package/lib/mail-arc-sign.js +12 -8
package/lib/mail-auth.js +323 -34
package/lib/mail-crypto-pgp.js +934 -0
package/lib/mail-crypto-smime.js +340 -0
package/lib/mail-crypto.js +108 -0
package/lib/mail-dav.js +1224 -0
package/lib/mail-deploy.js +492 -0
package/lib/mail-dkim.js +431 -26
package/lib/mail-journal.js +435 -0
package/lib/mail-scan.js +502 -0
package/lib/mail-server-imap.js +1102 -0
package/lib/mail-server-jmap.js +488 -0
package/lib/mail-server-managesieve.js +853 -0
package/lib/mail-server-mx.js +164 -34
package/lib/mail-server-pop3.js +836 -0
package/lib/mail-server-rate-limit.js +269 -0
package/lib/mail-server-submission.js +1032 -0
package/lib/mail-server-tls.js +445 -0
package/lib/mail-sieve.js +557 -0
package/lib/mail-spam-score.js +284 -0
package/lib/mail.js +99 -0
package/lib/metrics.js +130 -10
package/lib/middleware/dpop.js +58 -3
package/lib/middleware/idempotency-key.js +255 -42
package/lib/middleware/protected-resource-metadata.js +114 -2
package/lib/network-dns-resolver.js +33 -0
package/lib/network-tls.js +46 -0
package/lib/outbox.js +62 -12
package/lib/pqc-agent.js +13 -5
package/lib/retry.js +23 -9
package/lib/router.js +23 -1
package/lib/safe-ical.js +634 -0
package/lib/safe-icap.js +502 -0
package/lib/safe-mime.js +15 -0
package/lib/safe-sieve.js +684 -0
package/lib/safe-smtp.js +57 -0
package/lib/safe-url.js +37 -0
package/lib/safe-vcard.js +473 -0
package/lib/self-update-standalone-verifier.js +32 -3
package/lib/self-update.js +168 -17
package/lib/vendor/MANIFEST.json +161 -156
package/lib/vendor-data.js +127 -9
package/lib/vex.js +324 -59
package/package.json +1 -1
package/sbom.cdx.json +6 -6

package/lib/mail-server-mx.js CHANGED Viewed

@@ -116,7 +116,6 @@
  */
 var net   = require("node:net");
-var nodeTls   = require("node:tls");
 var lazyRequire = require("./lazy-require");
 var C         = require("./constants");
 var bCrypto   = require("./crypto");
@@ -126,6 +125,9 @@ var safeBuffer = require("./safe-buffer");
 var safeSmtp = require("./safe-smtp");
 var validateOpts = require("./validate-opts");
 var guardSmtpCommand = require("./guard-smtp-command");
+var guardDomain = require("./guard-domain");
+var mailServerRateLimit = require("./mail-server-rate-limit");
+var mailServerTls = require("./mail-server-tls");
 var { defineClass } = require("./framework-error");
 var audit = lazyRequire(function () { return require("./audit"); });
@@ -208,7 +210,10 @@ function create(opts) {
     MailServerMxError, "mail-server-mx/bad-opts");
   if (!opts.tlsContext) {
     throw new MailServerMxError("mail-server-mx/no-tls-context",
-      "mail.server.mx.create: tlsContext is required (no implicit plaintext mode)");
+      "mail.server.mx.create: tlsContext is required (no implicit plaintext mode). " +
+      "Use b.mail.server.tls.context({ certFile, keyFile, watch: true }) to load + " +
+      "auto-reload a cert/key pair from disk, or pass a node:tls.createSecureContext " +
+      "output directly. Cert provisioning lives in b.acme (RFC 8555 + RFC 9773 ARI).");
   }
   numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
     ["maxLineBytes", "maxMessageBytes", "maxRcptsPerMessage", "idleTimeoutMs"],
@@ -232,6 +237,66 @@ function create(opts) {
   var relayAllowedFor   = opts.relayAllowedFor || [];
   var profile           = opts.profile || "strict";
+  // Default-on per-IP rate limit. Operators pass `rateLimit: false` to
+  // disable (only for tests / closed networks), pass a rate-limit
+  // handle from b.mail.server.rateLimit.create({...}) to share one
+  // budget across multiple listeners, or pass an opts object to
+  // override defaults.
+  var rateLimit;
+  if (opts.rateLimit === false) {
+    rateLimit = mailServerRateLimit.create({ disabled: true });
+  } else if (opts.rateLimit && typeof opts.rateLimit.admitConnection === "function") {
+    rateLimit = opts.rateLimit;
+  } else {
+    rateLimit = mailServerRateLimit.create(opts.rateLimit || {});
+  }
+  // Default-on operator-supplied-domain hardening. opts.localDomains
+  // and the HELO / MAIL FROM / RCPT TO domain validations all route
+  // through `b.guardDomain` for IDN homograph defense (CVE-2017-5469
+  // class), special-use-domain refusal (RFC 6761), label-length cap
+  // (RFC 1035 §2.3.4), and bare-IP-as-domain refusal (CVE-2021-22931
+  // class). Operators with a closed-network deployment can pass
+  // `guardDomain: false` to skip; the default keeps the protection on.
+  var guardDomainProfile;
+  if (opts.guardDomain === false) {
+    guardDomainProfile = null;
+  } else {
+    guardDomainProfile = guardDomain.buildProfile({
+      profile: opts.guardDomain && typeof opts.guardDomain === "object"
+        ? (opts.guardDomain.profile || profile)
+        : profile,
+    });
+  }
+  function _validateDomainHardened(d, label) {
+    if (!guardDomainProfile) return { ok: true };
+    var verdict = guardDomain.validate(d, guardDomainProfile);
+    if (!verdict.ok) {
+      _emit("mail.server.mx.domain_refused", {
+        reason: verdict.issues && verdict.issues[0] && verdict.issues[0].kind,
+        domain: d,
+        label:  label,
+      }, "denied");
+    }
+    return verdict;
+  }
+  // Pre-validate operator-supplied localDomains at boot — the same
+  // shape they enforce on RCPT TO must itself pass the validator,
+  // otherwise an operator who typed an IDN homograph (or an IP) into
+  // their allowlist would silently weaken the gate.
+  if (guardDomainProfile) {
+    for (var __ldi = 0; __ldi < localDomains.length; __ldi += 1) {
+      var __ldVerdict = guardDomain.validate(localDomains[__ldi], guardDomainProfile);
+      if (!__ldVerdict.ok) {
+        throw new MailServerMxError("mail-server-mx/bad-local-domain",
+          "mail.server.mx.create: localDomains[" + __ldi + "] '" + localDomains[__ldi] +
+          "' rejected by b.guardDomain (" +
+          (__ldVerdict.issues && __ldVerdict.issues[0] && __ldVerdict.issues[0].kind) + ")");
+      }
+    }
+  }
   var tcpServer    = null;
   var listening    = false;
   var connections  = new Set();
@@ -248,19 +313,35 @@ function create(opts) {
   // ---- Per-connection state machine ---------------------------------------
   function _handleConnection(socket) {
+    var remoteAddress = socket.remoteAddress || "0.0.0.0";
+    var admit = rateLimit.admitConnection(remoteAddress);
+    if (!admit.ok) {
+      // 421 4.7.0 — transient refusal; sender retries elsewhere or later.
+      // RFC 5321 §3.8 + §4.5.4.2 (transient negative completion).
+      _emit("mail.server.mx.rate_limit_refused",
+        { remoteAddress: remoteAddress, reason: admit.reason }, "denied");
+      try {
+        socket.write("421 4.7.0 Too many connections from your IP\r\n");
+      } catch (_e) { /* socket may already be torn down */ }
+      try { socket.destroy(); } catch (_e2) { /* idempotent */ }
+      return;
+    }
+    socket.once("close", function () { rateLimit.releaseConnection(remoteAddress); });
     var connectionId = "mxconn-" + bCrypto.generateToken(8);                                          // allow:raw-byte-literal — connection-id length
     connections.add(socket);
     var state = {
       id:            connectionId,
-      remoteAddress: socket.remoteAddress || null,
-      remotePort:    socket.remotePort    || null,
+      remoteAddress: remoteAddress,
+      remotePort:    socket.remotePort || null,
       tls:           false,
       stage:         "connect",   // connect | ehlo | mail | rcpt | data-body | done
       helo:          null,
       mailFrom:      null,
       rcpts:         [],
       messageBytes:  0,
+      lastDataByteTime: 0,
     };
     var lineBuffer = "";
@@ -431,6 +512,21 @@ function create(opts) {
         _writeReply(socket, REPLY_501_BAD_ARGS, "5.5.4 " + verb + " requires a domain argument");
         return;
       }
+      // Domain hardening for HELO/EHLO greeting (RFC 5321 §4.1.1.1).
+      // Skip when the greeting is an address literal (`[1.2.3.4]` /
+      // `[IPv6:...]`) — those are RFC-5321-legitimate non-domain
+      // forms; the bracket syntax is already constrained by
+      // b.guardSmtpCommand. Bare-IP-as-domain (no brackets) IS
+      // refused — that's the CVE-2021-22931 class guardDomain catches.
+      if (helo[0] !== "[" && guardDomainProfile) {
+        var heloVerdict = _validateDomainHardened(helo, "helo");
+        if (!heloVerdict.ok) {
+          _writeReply(socket, REPLY_501_BAD_ARGS,
+            "5.5.4 " + verb + " domain refused (" +
+            (heloVerdict.issues && heloVerdict.issues[0] && heloVerdict.issues[0].kind) + ")");
+          return;
+        }
+      }
       state.helo  = helo;
       state.stage = "ehlo";
       // Multi-line 250 capabilities advertisement per RFC 5321 §4.1.1.1.
@@ -461,39 +557,46 @@ function create(opts) {
         return;
       }
       _writeReply(socket, REPLY_220_READY, "2.0.0 Ready to start TLS");
-      // STARTTLS-injection defense (CVE-2021-38371 Exim,
-      // CVE-2021-33515 Dovecot): clear the command buffer + body
-      // collector at upgrade time. Any commands pipelined (RFC 2920)
-      // BEFORE the TLS handshake are discarded — only commands sent
-      // on the post-handshake TLS socket are honored.
+      // CVE-2021-38371 (Exim) / CVE-2021-33515 (Dovecot) STARTTLS-
+      // injection defense: clear the pre-handshake command buffer +
+      // body collector AND strip the plain-socket "data" listener
+      // before wrapping in TLSSocket so bytes the peer pipelined
+      // (RFC 2920) pre-handshake cannot reach the post-TLS state
+      // machine. Listener-removal + idle-timeout re-arm live in the
+      // shared upgradeSocket helper (b.mail.server.tls.upgradeSocket).
       lineBuffer    = "";
       bodyCollector = null;
       inDataBody    = false;
-      var tlsSocket = new nodeTls.TLSSocket(socket, {
-        isServer:      true,
+      mailServerTls.upgradeSocket({
+        plainSocket:   socket,
         secureContext: opts.tlsContext,
-      });
-      tlsSocket.on("secure", function () {
-        state.tls   = true;
-        // After the handshake, the state machine restarts at EHLO
-        // (per RFC 3207 §4.2 — client MUST re-issue EHLO).
-        state.stage = "ehlo";
-        state.helo  = null;
-      });
-      tlsSocket.on("error", function (err) {
-        _emit("mail.server.mx.tls_handshake_failed",
-          { connectionId: state.id, code: (err && err.code) || "unknown",
-            message: err && err.message }, "failure");
-        _closeConnection(socket);
-      });
-      tlsSocket.on("data", function (chunk) {
-        try { _ingestBytes(state, tlsSocket, chunk); }
-        catch (err) {
-          _emit("mail.server.mx.handler_threw",
-            { connectionId: state.id, error: (err && err.message) || String(err) },
-            "failure");
+        idleTimeoutMs: idleTimeoutMs,
+        onSecure: function (_tlsSocket) {
+          state.tls   = true;
+          // After the handshake, the state machine restarts at EHLO
+          // (per RFC 3207 §4.2 — client MUST re-issue EHLO).
+          state.stage = "ehlo";
+          state.helo  = null;
+        },
+        onData: function (tlsSocket, chunk) {
+          try { _ingestBytes(state, tlsSocket, chunk); }
+          catch (err) {
+            _emit("mail.server.mx.handler_threw",
+              { connectionId: state.id, error: (err && err.message) || String(err) },
+              "failure");
+            _closeConnection(tlsSocket);
+          }
+        },
+        onError: function (err) {
+          _emit("mail.server.mx.tls_handshake_failed",
+            { connectionId: state.id, code: (err && err.code) || "unknown",
+              message: err && err.message }, "failure");
+          _closeConnection(socket);
+        },
+        onTimeout: function (tlsSocket) {
+          _writeReply(tlsSocket, REPLY_421_SERVICE_NOT_AVAIL, "4.4.2 Idle timeout");
           _closeConnection(tlsSocket);
-        }
+        },
       });
     }
@@ -514,6 +617,20 @@ function create(opts) {
         return;
       }
       var mailFrom = match[1].toLowerCase();
+      // Domain hardening on MAIL FROM domain. Skip address-literal
+      // and empty-reverse-path forms (RFC 5321 §4.5.5 — bounce return
+      // path `<>` is legitimate and has no domain).
+      var __mfAtIdx = mailFrom.lastIndexOf("@");
+      var mailFromDomain = __mfAtIdx === -1 ? "" : mailFrom.slice(__mfAtIdx + 1);
+      if (mailFromDomain && mailFromDomain[0] !== "[" && guardDomainProfile) {
+        var mfVerdict = _validateDomainHardened(mailFromDomain, "mail_from");
+        if (!mfVerdict.ok) {
+          _writeReply(socket, REPLY_501_BAD_ARGS,
+            "5.5.4 MAIL FROM domain refused (" +
+            (mfVerdict.issues && mfVerdict.issues[0] && mfVerdict.issues[0].kind) + ")");
+          return;
+        }
+      }
       var paramStr = match[2] || "";
       var sizeMatch = paramStr.match(RE_SIZE);
       if (sizeMatch) {
@@ -549,11 +666,24 @@ function create(opts) {
         return;
       }
       var rcpt = match[1].toLowerCase();
+      // Domain hardening on RCPT TO domain — skip the address-literal
+      // form per RFC 5321 §4.1.3 (bracket syntax already constrained
+      // by b.guardSmtpCommand). Refuses IDN homograph + special-use
+      // domains + bare-IP-as-domain on the un-bracketed form.
+      var _atIdx = rcpt.lastIndexOf("@");
+      var rcptDomain = _atIdx === -1 ? "" : rcpt.slice(_atIdx + 1);
+      if (rcptDomain && rcptDomain[0] !== "[" && guardDomainProfile) {
+        var rcptVerdict = _validateDomainHardened(rcptDomain, "rcpt_to");
+        if (!rcptVerdict.ok) {
+          _writeReply(socket, REPLY_501_BAD_ARGS,
+            "5.5.4 RCPT TO domain refused (" +
+            (rcptVerdict.issues && rcptVerdict.issues[0] && rcptVerdict.issues[0].kind) + ")");
+          return;
+        }
+      }
       // Local-domain check — refuse non-local recipients unless the
       // operator explicitly allowed relay for this scope.
       if (localDomains.length > 0) {
-        var atIdx = rcpt.lastIndexOf("@");
-        var rcptDomain = atIdx === -1 ? "" : rcpt.slice(atIdx + 1);
         if (localDomains.indexOf(rcptDomain) === -1 &&
             !_isRelayAllowed(state.remoteAddress, rcpt)) {
           _emit("mail.server.mx.relay_refused",