@blamejs/core 0.9.49 → 0.10.1

package/lib/crypto.js

@@ -49,6 +49,12 @@ var nodeFs = require("node:fs");
 var { pipeline } = require("node:stream/promises");
 var { xchacha20poly1305 } = require("./vendor/noble-ciphers.cjs");
 var C = require("./constants");
+// Circular: audit imports b.crypto for sha3Hash + envelope sign. Lazy-
+// load the audit module so the legacy-envelope decrypt path can emit
+// `system.crypto.decrypt.allow_legacy` events without an inline
+// require() inside setImmediate (top-of-file requires per rule §3).
+var lazyRequire = require("./lazy-require");
+var audit       = lazyRequire(function () { return require("./audit"); });
 
 // Streaming-hash algorithm allowlist. Mirrors the framework's PQC-
 // first crypto policy: SHA3 / SHAKE family is the default surface;
@@ -151,8 +157,50 @@ function hashFile(filePath, algorithm) {
 // parallel. Returns { path, byteLength, <alg>: hex } for every
 // `algorithms` entry. Used by hashFilesParallel below; not exported
 // directly because the common case is the parallel-many shape.
-function _hashFileMulti(filePath, algorithms) {
+//
+// CRYPTO-5 hardening (v0.9.58):
+//   - lstat-then-stat so symlinks are detected before open; refused
+//     unless opts.followSymlinks === true (default false — a symlink-
+//     in-input-list attack lets a write-restricted caller hash files
+//     they can't otherwise reach).
+//   - Refuses non-regular files (FIFOs / sockets / block / char
+//     devices) which read indefinitely or return platform-undefined
+//     bytes. The same path also defeats /dev/zero-as-input DoS.
+//   - opts.maxBytesPerFile (default C.BYTES.gib(1)) caps the bytes
+//     read per file; oversized inputs reject before exhausting heap.
+function _hashFileMulti(filePath, algorithms, opts) {
+  var maxBytes      = opts && opts.maxBytesPerFile;
+  var followSymlink = opts && opts.followSymlinks === true;
   return new Promise(function (resolve, reject) {
+    // Pre-open lstat: detect symlinks + special files before opening the
+    // stream. Open-then-stat is racy under symlink-swap; lstat the path
+    // itself ahead of createReadStream.
+    var st;
+    try { st = nodeFs.lstatSync(filePath); }
+    catch (statErr) {
+      reject(new Error("crypto.hashFilesParallel: stat failed for '" +
+        filePath + "': " + (statErr && statErr.message ? statErr.message : String(statErr))));
+      return;
+    }
+    if (st.isSymbolicLink() && !followSymlink) {
+      reject(new Error("crypto.hashFilesParallel: refusing symlink '" +
+        filePath + "' — pass {followSymlinks: true} to opt in (an attacker " +
+        "with write access to the input list can otherwise direct the hasher " +
+        "to files the caller cannot read directly)"));
+      return;
+    }
+    if (!st.isFile() && !st.isSymbolicLink()) {
+      reject(new Error("crypto.hashFilesParallel: refusing non-regular file '" +
+        filePath + "' (FIFOs / sockets / character / block devices read indefinitely " +
+        "or return platform-undefined bytes; hashing them is meaningless and " +
+        "DoS-prone). Type: " +
+        (st.isFIFO() ? "FIFO" :
+         st.isSocket() ? "socket" :
+         st.isBlockDevice() ? "block-device" :
+         st.isCharacterDevice() ? "char-device" :
+         st.isDirectory() ? "directory" : "unknown")));
+      return;
+    }
     var hashers = new Array(algorithms.length);
     for (var i = 0; i < algorithms.length; i += 1) {
       try { hashers[i] = nodeCrypto.createHash(algorithms[i]); }
@@ -163,13 +211,24 @@ function _hashFileMulti(filePath, algorithms) {
       }
     }
     var byteLength = 0;
+    var aborted = false;
     var stream = nodeFs.createReadStream(filePath);
     stream.on("error", reject);
     stream.on("data", function (chunk) {
+      if (aborted) return;
       byteLength += chunk.length;
+      if (maxBytes && byteLength > maxBytes) {
+        aborted = true;
+        try { stream.destroy(); } catch (_e) { /* best-effort */ }
+        reject(new Error("crypto.hashFilesParallel: file '" + filePath +
+          "' exceeded opts.maxBytesPerFile (" + maxBytes +
+          " bytes); refusing to continue hashing"));
+        return;
+      }
       for (var j = 0; j < hashers.length; j += 1) hashers[j].update(chunk);
     });
     stream.on("end", function () {
+      if (aborted) return;
       var out = { path: filePath, byteLength: byteLength };
       for (var k = 0; k < hashers.length; k += 1) {
         // Field name = algorithm with `-` → `_` so "sha3-512" surfaces
@@ -205,9 +264,11 @@ function _hashFileMulti(filePath, algorithms) {
  * every release.
  *
  * @opts
- *   algorithms?:  string[], // default ["sha256", "sha3-512"]; any node:crypto-known digest
- *   concurrency?: number,   // default min(8, filePaths.length); 1..256
- *   onProgress?:  function (completed, total) // best-effort; thrown errors swallowed
+ *   algorithms?:     string[], // default ["sha256", "sha3-512"]; any node:crypto-known digest
+ *   concurrency?:    number,   // default min(8, filePaths.length); 1..256
+ *   onProgress?:     function (completed, total) // best-effort; thrown errors swallowed
+ *   maxBytesPerFile?: number,  // default C.BYTES.gib(1) — DoS cap; oversized inputs reject
+ *   followSymlinks?: boolean,  // default false — refuse symlinks unless explicitly opted in
  *
  * @example
  *   var rows = await b.crypto.hashFilesParallel(
@@ -262,8 +323,24 @@ function hashFilesParallel(filePaths, opts) {
       "crypto.hashFilesParallel: opts.onProgress must be a function when supplied"
     ));
   }
+  // CRYPTO-5 — DoS cap. Default 1 GiB per file; operators with larger
+  // legitimate hashing workloads (firmware images, vendor packs)
+  // override per-call.
+  var maxBytesPerFile = opts.maxBytesPerFile !== undefined
+    ? opts.maxBytesPerFile : C.BYTES.gib(1);
+  if (typeof maxBytesPerFile !== "number" || !isFinite(maxBytesPerFile) ||
+      maxBytesPerFile <= 0 || Math.floor(maxBytesPerFile) !== maxBytesPerFile) {
+    return Promise.reject(new TypeError(
+      "crypto.hashFilesParallel: opts.maxBytesPerFile must be a positive integer, got " + maxBytesPerFile
+    ));
+  }
+  var followSymlinks = opts.followSymlinks === true;
   if (filePaths.length === 0) return Promise.resolve([]);
 
+  var hashOpts = {
+    maxBytesPerFile: maxBytesPerFile,
+    followSymlinks:  followSymlinks,
+  };
   var results = new Array(filePaths.length);
   var nextIdx = 0;
   var completed = 0;
@@ -273,7 +350,7 @@ function hashFilesParallel(filePaths, opts) {
       var idx = nextIdx;
       nextIdx += 1;
       if (idx >= total) return Promise.resolve();
-      return _hashFileMulti(filePaths[idx], algorithms).then(function (rec) {
+      return _hashFileMulti(filePaths[idx], algorithms, hashOpts).then(function (rec) {
         results[idx] = rec;
         completed += 1;
         if (onProgress) {
@@ -612,7 +689,7 @@ function toBase64Url(buf) {
 
 /**
  * @primitive b.crypto.fromBase64Url
- * @signature b.crypto.fromBase64Url(s)
+ * @signature b.crypto.fromBase64Url(s, opts?)
  * @since     0.9.45
  * @status    stable
  * @related   b.crypto.toBase64Url
@@ -623,15 +700,61 @@ function toBase64Url(buf) {
  * string + provides a single grep-able call site for the round-trip
  * pair.
  *
+ * Strict mode (default) refuses non-canonical input — chars outside
+ * the RFC 4648 §5 alphabet, length-mod-4-of-1, mixed `+/` from
+ * standard base64, trailing garbage. Defends a CVE-2022-0235-class
+ * footgun where Node's permissive decoder silently tolerated
+ * tampered JWT signatures. Operators with a documented lossy legacy
+ * payload opt out per call via `{ strict: false }`.
+ *
+ * @opts
+ *   strict: boolean   // default: true — refuse non-canonical input
+ *
  * @example
  *   var buf = b.crypto.fromBase64Url("aGVsbG8");
  *   buf.toString("utf8");
  *   // → "hello"
  */
-function fromBase64Url(s) {
+// RFC 4648 §5 alphabet for base64url, with optional padding. The
+// canonical form has no padding, the URL-safe alphabet (`-_`), and a
+// length consistent with the byte count (length % 4 ∈ {0, 2, 3}; the
+// `length % 4 === 1` shape is impossible to produce by any conforming
+// encoder and signals truncated / forged input).
+var _BASE64URL_STRICT_RE = /^[A-Za-z0-9_-]*={0,2}$/;
+
+function fromBase64Url(s, opts) {
   if (typeof s !== "string") {
     throw new TypeError("crypto.fromBase64Url: input must be a string");
   }
+  // Crypto callers (JWT signature payloads, JWS / COSE encoded values,
+  // OAuth `state` round-tripping) MUST reject non-canonical / malformed
+  // input. The Node base64url decoder silently tolerates trailing
+  // garbage, mixed `+/` from standard base64, missing padding errors,
+  // and length-mod-4 shapes — CVE-2022-0235-class footgun. Strict mode
+  // (the default) refuses anything outside the RFC 4648 §5 alphabet +
+  // length rules. Operators with a known-lossy legacy payload pass
+  // `{ strict: false }` to opt out per call.
+  var strict = !opts || opts.strict !== false;
+  if (strict) {
+    // Manual trailing-`=` strip — avoids the polynomial-regex shape
+    // `/=+$/` CodeQL flags, where `=+` can backtrack on long input
+    // ending in many `=`. Walking from end is O(n) worst-case.
+    var trimEnd = s.length;
+    while (trimEnd > 0 && s.charCodeAt(trimEnd - 1) === 0x3D) trimEnd -= 1;          // allow:raw-byte-literal — '=' codepoint
+    var unpadded = s.slice(0, trimEnd);
+    if (!_BASE64URL_STRICT_RE.test(s)) {
+      throw new TypeError(
+        "crypto.fromBase64Url: input contains characters outside RFC 4648 §5 " +
+        "base64url alphabet (A-Z a-z 0-9 - _ =) — pass {strict:false} to allow non-canonical input"
+      );
+    }
+    if (unpadded.length % 4 === 1) {                                                                 // allow:raw-byte-literal — base64 group length, not bytes
+      throw new TypeError(
+        "crypto.fromBase64Url: input length %% 4 === 1 is not a valid base64url encoding " +
+        "(every conforming encoder produces 0 / 2 / 3 remainder; got " + unpadded.length + " chars)"
+      );
+    }
+  }
   return Buffer.from(s, "base64url");
 }
 
@@ -867,8 +990,7 @@ function encrypt(plaintext, publicKeys) {
       _hybridDisabledAuditEmitted = true;
       setImmediate(function () {
         try {
-          var auditMod = require("./audit");                                        // allow:inline-require — circular-load defense (audit imports crypto)
-          auditMod.safeEmit({
+          audit().safeEmit({
             action:   "system.crypto.hybrid_disabled",
             outcome:  "success",
             metadata: { reason: "no-ec-public-key", note: "encrypt() received only mlkem; ecPublicKey absent — call encryptMlkemOnly explicitly to silence (audited once per process)" },
@@ -929,7 +1051,7 @@ function encryptMlkemOnly(plaintext, publicKeyPem) {
 // ---- Envelope decrypt (dispatches on envelope IDs, supports both KEM IDs) ----
 /**
  * @primitive b.crypto.decrypt
- * @signature b.crypto.decrypt(ciphertext, privateKeys)
+ * @signature b.crypto.decrypt(ciphertext, privateKeys, opts?)
  * @since     0.1.0
  * @related   b.crypto.encrypt, b.crypto.generateEncryptionKeyPair, b.crypto.decryptMlkem768X25519
  *
@@ -942,6 +1064,28 @@ function encryptMlkemOnly(plaintext, publicKeyPem) {
  * Pass `{ privateKey, ecPrivateKey }` for the default hybrid; the
  * ML-KEM-768 + X25519 KEM ID also requires `x25519PrivateKey`.
  *
+ * ## Legacy 0xE1 envelopes (`opts.allowLegacy: true`)
+ *
+ * The framework's envelope magic byte was bumped from 0xE1 to 0xE2
+ * pre-v1 to enforce a NIST SP 800-56C r2 §4.1 FixedInfo / RFC 9180
+ * §5.1 suite-binding KDF input — SHAKE256 absorbs the suite-id triple
+ * (kemId / cipherId / kdfId) plus the literal "blamejs/v1" label
+ * alongside the shared secret(s), so the same key cannot be reused
+ * across suites without distinct derived material. 0xE1 envelopes
+ * lack this binding.
+ *
+ * By default 0xE1 envelopes are refused with a hard error directing
+ * the operator to re-seal under 0xE2. Operators with at-rest data
+ * sealed pre-bump (rare; the bump landed before any operator started
+ * depending on the framework) pass `opts.allowLegacy: true` to read
+ * the old envelope, then immediately re-seal via `b.crypto.encrypt`
+ * to migrate. Each legacy decrypt emits a `crypto.decrypt.allow_legacy`
+ * audit event so the migration window is visible in the audit log.
+ *
+ * @opts
+ *   allowLegacy:  boolean   // default false — when true, 0xE1 envelopes
+ *                            // decrypt via the pre-FixedInfo KDF path
+ *
  * @example
  *   var pair = b.crypto.generateEncryptionKeyPair();
  *   var sealed = b.crypto.encrypt("session-token=abc123", {
@@ -953,12 +1097,48 @@ function encryptMlkemOnly(plaintext, publicKeyPem) {
  *     ecPrivateKey:  pair.ecPrivateKey,
  *   });
  *   // → "session-token=abc123"
+ *
+ *   // Legacy 0xE1 migration:
+ *   var plaintext = b.crypto.decrypt(legacyBlob, oldKeys, { allowLegacy: true });
+ *   var resealed  = b.crypto.encrypt(plaintext, newKeys);   // now 0xE2
  */
-function decrypt(ciphertext, privateKeys) {
+function decrypt(ciphertext, privateKeys, opts) {
   var packed = Buffer.from(ciphertext, "base64");
   if (packed[0] === 0xE1) {                                                       // allow:raw-byte-literal — legacy envelope magic
-    throw new Error("Invalid envelope: legacy 0xE1 format predates the FixedInfo " +
-      "KDF binding (NIST SP 800-56C r2 §4.1) — re-seal data under the current envelope");
+    if (!opts || !opts.allowLegacy) {
+      throw new Error("Invalid envelope: legacy 0xE1 format predates the FixedInfo " +
+        "KDF binding (NIST SP 800-56C r2 §4.1) — re-seal data under the current envelope, " +
+        "or pass { allowLegacy: true } to opt in to one-shot read for migration");
+    }
+    // Audit-emit every legacy decrypt so the migration window is
+    // visible. Emit success ONLY on actual decrypt success; emit
+    // failure on throw. Codex P2 PR #74 — pre-fix the audit fired
+    // before decryptEnvelope() ran, so corrupted 0xE1 blobs / wrong
+    // private keys / unsupported KEMs got logged as successful legacy
+    // decrypts when the call actually threw, inflating real success
+    // rates during migration windows. Audit module is top-of-file
+    // lazy-loaded (var audit above) so this hot-path emit doesn't
+    // re-resolve the require() cache on every legacy decrypt.
+    function _emitLegacyAudit(outcome, extra) {
+      setImmediate(function () {
+        try {
+          audit().safeEmit({
+            action:   "system.crypto.decrypt.allow_legacy",
+            outcome:  outcome,
+            metadata: Object.assign({ magic: "0xE1", kemId: packed[1] }, extra || {}),
+          });
+        } catch (_e) { /* drop-silent — audit best-effort */ }
+      });
+    }
+    var plaintext;
+    try {
+      plaintext = decryptEnvelope(packed, privateKeys, { omitFixedInfo: true });
+    } catch (e) {
+      _emitLegacyAudit("failure", { reason: (e && e.message) || "decrypt threw" });
+      throw e;
+    }
+    _emitLegacyAudit("success", {});
+    return plaintext;
   }
   if (packed[0] !== C.ENVELOPE_MAGIC) {
     throw new Error("Invalid envelope: unsupported format");
@@ -966,9 +1146,15 @@ function decrypt(ciphertext, privateKeys) {
   return decryptEnvelope(packed, privateKeys);
 }
 
-function decryptEnvelope(packed, privateKeys) {
+function decryptEnvelope(packed, privateKeys, internalOpts) {
   var kemId = packed[1], cipherId = packed[2], kdfId = packed[3], pos = 4;
 
+  // The legacy 0xE1 envelope predates the FixedInfo / suite-binding
+  // KDF input; the same wire format otherwise. The dispatcher passes
+  // omitFixedInfo: true for the 0xE1 path and the KDF input below
+  // skips the _suiteFixedInfo concat.
+  var omitFixedInfo = !!(internalOpts && internalOpts.omitFixedInfo);
+
   if (cipherId !== C.CIPHER_IDS.XCHACHA20_POLY1305) {
     throw new Error("Invalid envelope: unsupported cipher (only XChaCha20-Poly1305 supported)");
   }
@@ -984,6 +1170,7 @@ function decryptEnvelope(packed, privateKeys) {
   );
   var mlkemSs = nodeCrypto.decapsulate(mlkemPriv, kemCt);
   var symmetricKey;
+  var fixedInfo = omitFixedInfo ? Buffer.alloc(0) : _suiteFixedInfo(kemId, cipherId, kdfId);
 
   if (kemId === C.KEM_IDS.ML_KEM_1024_P384) {
     var ecEphLen = packed.readUInt16BE(pos); pos += 2;
@@ -994,11 +1181,9 @@ function decryptEnvelope(packed, privateKeys) {
       privateKey: nodeCrypto.createPrivateKey(ecPrivPem),
       publicKey:  nodeCrypto.createPublicKey({ key: ecEphDer, type: "spki", format: "der" }),
     });
-    symmetricKey = kdf(Buffer.concat([mlkemSs, ecSs,
-      _suiteFixedInfo(kemId, cipherId, kdfId)]), C.BYTES.bytes(32));
+    symmetricKey = kdf(Buffer.concat([mlkemSs, ecSs, fixedInfo]), C.BYTES.bytes(32));
   } else if (kemId === C.KEM_IDS.ML_KEM_1024) {
-    symmetricKey = kdf(Buffer.concat([mlkemSs,
-      _suiteFixedInfo(kemId, cipherId, kdfId)]), C.BYTES.bytes(32));
+    symmetricKey = kdf(Buffer.concat([mlkemSs, fixedInfo]), C.BYTES.bytes(32));
   } else if (kemId === C.KEM_IDS.ML_KEM_768_X25519) {
     // ML-KEM-768 + X25519 hybrid envelope. The mlkemPriv must be an
     // ML-KEM-768 key (not 1024); operators are responsible for passing
@@ -1013,8 +1198,7 @@ function decryptEnvelope(packed, privateKeys) {
       privateKey: nodeCrypto.createPrivateKey(x25519PrivPem),
       publicKey:  nodeCrypto.createPublicKey({ key: x25519EphDer, type: "spki", format: "der" }),
     });
-    symmetricKey = kdf(Buffer.concat([mlkemSs, x25519Ss,
-      _suiteFixedInfo(kemId, cipherId, kdfId)]), C.BYTES.bytes(32));
+    symmetricKey = kdf(Buffer.concat([mlkemSs, x25519Ss, fixedInfo]), C.BYTES.bytes(32));
   } else {
     throw new Error("Invalid envelope: unsupported KEM ID " + kemId);
   }
@@ -1571,6 +1755,18 @@ var SUPPORTED_KEM_ALGORITHMS = Object.freeze([
   { id: "ml-kem-768-x25519",    envelopeId: C.KEM_IDS.ML_KEM_768_X25519,  description: "ML-KEM-768 + X25519 hybrid (IETF / Cloudflare / Chrome TLS 1.3 codepoint 0x11EC)" },
 ]);
 
+// Note: legacy 0xE1 envelope minting (used only by test round-trip
+// coverage) lives at `lib/_test/crypto-fixtures.js` —
+// `mintLegacyEnvelope0xE1`. The function is NOT auto-exported on
+// `b.crypto.*` because (a) operator code has no production use for
+// it (the framework's only contract is READING pre-bump 0xE1 data
+// via `decrypt(..., { allowLegacy: true })`), and (b) exposing a
+// mint helper widens the attack surface of the `allowLegacy: true`
+// decrypt path. Tests require it directly:
+//
+//   var fixtures = require("blamejs/lib/_test/crypto-fixtures");
+//   var blob = fixtures.mintLegacyEnvelope0xE1(plaintext, recipient);
+
 module.exports = {
   sri:                          sri,
   // Hashing

package/lib/db.js

@@ -662,6 +662,7 @@ function loadOrCreateDbKey(dataDirPath, keyPathOverride) {
   }
   // First run — generate, seal, persist (atomic)
   var raw = generateBytes(C.BYTES.bytes(32));
+  // allow:seal-without-aad — whole-file DB encryption key, not a row column
   var sealedKey = vault.seal(raw.toString("base64"));
   atomicFile.writeSync(keyPath, sealedKey, { fileMode: 0o600 });
   log("generated DB encryption key at " + keyPath);