@blamejs/core 0.9.49 → 0.10.2

package/lib/guard-xml.js

@@ -91,6 +91,16 @@ var PROCESSING_INSTR_RE = /<\?[A-Za-z][\w:-]*/;
 var CDATA_RE = /<!\[CDATA\[/;
 var XMLDSIG_RE = /<\w*:?Signature\b[^>]*xmldsig/i;
 
+// Numeric character reference (NCR) detector. Per XML 1.0 §4.1 every
+// `&#<digits>;` / `&#x<hex>;` is a character reference; a hostile input
+// fanning these out in the hundreds of thousands bypasses entity-
+// expansion caps that count only `&name;` general entities (CVE-2026-
+// 26278 / CVE-2026-33036 .NET XmlReader class). Per-document NCR count
+// is gated by `maxNumericCharRefs` independent of the entity-policy
+// branch so the operator can't disable the cap by setting
+// `entityPolicy: "allow"` for a downstream signed-XML case.
+var NUMERIC_CHAR_REF_RE = /&#(?:[0-9]+|x[0-9a-fA-F]+);/g;                            // allow:regex-no-length-cap — input bounded by maxBytes above
+
 // ---- Profile presets ----
 
 var PROFILES = Object.freeze({
@@ -112,6 +122,7 @@ var PROFILES = Object.freeze({
     maxElements:            8192,                                                // allow:raw-byte-literal — element count cap, not byte size
     maxAttrsPerElement:     64,                                                  // allow:raw-byte-literal — attr count, not byte size
     maxAttrValueBytes:      C.BYTES.kib(8),
+    maxNumericCharRefs:     1024,                                                // allow:raw-byte-literal — NCR fan-out cap (CVE-2026-26278)
   },
   "balanced": {
     doctypePolicy:          "reject",                // DOCTYPE is XXE vector regardless
@@ -131,6 +142,7 @@ var PROFILES = Object.freeze({
     maxElements:            65536,                                               // allow:raw-byte-literal — element count cap, not byte size
     maxAttrsPerElement:     128,                                                 // allow:raw-byte-literal — attr count, not byte size
     maxAttrValueBytes:      C.BYTES.kib(32),
+    maxNumericCharRefs:     16384,                                               // allow:raw-byte-literal — NCR fan-out cap (CVE-2026-26278)
   },
   "permissive": {
     doctypePolicy:          "reject",                // billion-laughs class always
@@ -150,6 +162,7 @@ var PROFILES = Object.freeze({
     maxElements:            262144,                                              // allow:raw-byte-literal — element count cap, not byte size
     maxAttrsPerElement:     256,                                                 // allow:raw-byte-literal — attr count, not byte size
     maxAttrValueBytes:      C.BYTES.kib(64),
+    maxNumericCharRefs:     262144,                                              // allow:raw-byte-literal — NCR fan-out cap (CVE-2026-26278)
   },
 });
 
@@ -282,6 +295,30 @@ function _detectIssues(input, opts) {
     });
   }
 
+  // 8a. Numeric character reference fan-out — `&#NNNN;` / `&#xHHHH;`.
+  // Bypasses the `<!ENTITY>`-counting expansion caps because NCRs are
+  // parser-resolved, not document-level entities (CVE-2026-26278 /
+  // CVE-2026-33036 .NET XmlReader class). Counted regardless of
+  // entityPolicy so signed-XML paths that need entities-allowed don't
+  // get the NCR cap disabled with them. The `maxNumericCharRefs` opt
+  // is validated by `numericBounds.requireAllPositiveFiniteIntIfPresent`
+  // at the public-surface boundary above.
+  var ncrCap = opts.maxNumericCharRefs;                                          // allow:numeric-opt-no-bounds-check — validated at public boundary
+  if (ncrCap !== undefined && ncrCap !== null) {
+    var ncrMatches = input.match(NUMERIC_CHAR_REF_RE);                           // allow:regex-no-length-cap — input bounded by maxBytes above
+    var ncrCount = ncrMatches === null ? 0 : ncrMatches.length;
+    if (ncrCount > ncrCap) {
+      issues.push({
+        kind: "numeric-char-ref-cap", severity: "critical",
+        ruleId: "xml.numeric-char-ref-cap",
+        snippet: "numeric character reference count " + ncrCount +
+                 " exceeds maxNumericCharRefs " + ncrCap +
+                 " — NCR fan-out bypasses entity-expansion caps " +
+                 "(CVE-2026-26278 / CVE-2026-33036)",
+      });
+    }
+  }
+
   // 9. Codepoint-class threats.
   issues.push.apply(issues, codepointClass.detectCharThreats(input, opts, "xml"));
 
@@ -369,6 +406,7 @@ function _detectIssues(input, opts) {
  *   maxElements:           number,    // total open-tag count cap
  *   maxAttrsPerElement:    number,    // attribute count cap per element
  *   maxAttrValueBytes:     number,    // per-attr-value length cap
+ *   maxNumericCharRefs:    number,    // numeric character reference cap
  *
  * @example
  *   var hostile = '<?xml version="1.0"?>\n' +
@@ -381,7 +419,7 @@ function validate(input, opts) {
   opts = _resolveOpts(opts);
   numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
     ["maxBytes", "maxDepth", "maxElements", "maxAttrsPerElement",
-     "maxAttrValueBytes"],
+     "maxAttrValueBytes", "maxNumericCharRefs"],
     "guardXml.validate", GuardXmlError, "xml.bad-opt");
   if (typeof input !== "string") {
     return {

package/lib/mail-agent.js

@@ -485,17 +485,30 @@ async function _delete(ctx, args) {
 }
 
 async function _sievePut(ctx, args) {
-  // Pre-parse shape-only validation lands today; full b.safeSieve
-  // parse lands v0.9.26 and will be invoked from the throw-stub at
-  // that slice. The agent-level guard lets operators wire RBAC + name
-  // shape today.
+  // Two-stage validation: agent-level shape guard for RBAC + name +
+  // size, then the full RFC 5228 grammar parse via b.safeSieve. The
+  // grammar parse refuses unknown / not-yet-implemented capabilities
+  // at `require` time (RFC 5228 §3.2) so the operator's persistence
+  // step never gets a script the framework can't actually execute.
   _entry(ctx, "sieve.put", args);
   guardMailSieve.validate({
     kind: "put", actor: args.actor, name: args.name, script: args.script,
   }, { profile: _profileFor(ctx), posture: ctx.posture, ownedNames: args.ownedNames });
-  throw new MailAgentError("mail-agent/not-implemented",
-    "agent.sieve.put: full Sieve parser lands at v0.9.26 (b.safeSieve); " +
-    "shape-only validation passed — wire the persistence step in the operator handler");
+  var safeSieve = require("./safe-sieve");                                                            // allow:inline-require — lazy-load until first sieve.put call
+  var rv = safeSieve.validate(args.script, {
+    profile:           _profileFor(ctx),
+    compliancePosture: ctx.posture,
+  });
+  if (!rv.ok) {
+    throw new MailAgentError("mail-agent/sieve-parse-error",
+      "agent.sieve.put: Sieve script refused — " +
+      (rv.issues[0] && rv.issues[0].snippet ? rv.issues[0].snippet : "parse failed"));
+  }
+  ctx.auditEmit("mail.agent.sieve.put", args && args.actor, {
+    name:         args.name,
+    requiredCaps: rv.requiredCaps,
+  });
+  return { ok: true, requiredCaps: rv.requiredCaps };
 }
 
 function _notImplemented(ctx, method, args) {

package/lib/mail-arc-sign.js

@@ -52,6 +52,7 @@ var nodeCrypto = require("node:crypto");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var safeBuffer = require("./safe-buffer");
+var dkim = require("./mail-dkim");
 var { defineClass } = require("./framework-error");
 
 var MailAuthError = defineClass("MailAuthError", { alwaysPermanent: true });
@@ -107,20 +108,23 @@ function _canonRelaxedHeader(name, value) {
   return name.toLowerCase() + ":" + trimmed + "\r\n";
 }
 
+// RFC 8617 §5.1.1 references RFC 6376 §3.4.4 for body canonicalization.
+// The DKIM verifier and signer share `_canonBodyRelaxed`; ARC MUST
+// produce a byte-identical canon so a downstream ARC-verifier (which
+// composes the DKIM verifier per §5.1.1) reaches the same body hash.
+// Earlier inline shape collapsed `[ \t]+` across newlines (the regex
+// is global and not bound per-line), which diverged from DKIM's
+// per-line `safeBuffer.stripTrailingHspace` on a line whose only WSP
+// run sat at the end. Compose the DKIM canon directly.
 function _canonRelaxedBody(body) {
-  // Relaxed body canon: collapse runs of WSP within lines, strip
-  // trailing WSP, remove all trailing empty lines, append single CRLF
-  // unless body is empty.
-  if (body.length === 0) return "";
-  var normalized = body.replace(/\r?\n/g, "\r\n");
-  var collapsed = normalized.replace(/[ \t]+/g, " ").replace(/[ \t]+\r\n/g, "\r\n");
-  collapsed = collapsed.replace(/(\r\n)+$/, "");
-  return collapsed + "\r\n";
+  return dkim._canonBodyRelaxedForTest(body || "");
 }
 
 function _bodyHashB64(body, algorithm) {
   var hashAlgo = algorithm.indexOf("sha256") !== -1 ? "sha256" : "sha512";
   var canonical = _canonRelaxedBody(body);
+  // RFC 6376 §3.4.4 — empty body canon is `\r\n` (one CRLF). Hash
+  // includes that CRLF.
   return nodeCrypto.createHash(hashAlgo).update(canonical).digest("base64");
 }