@blamejs/core 0.9.49 → 0.10.2

package/lib/network-tls.js

@@ -3048,6 +3048,51 @@ function _checkServerIdentityStrict(host, cert) {
   return checkServerIdentity9525(host, cert);
 }
 
+// CVE-2026-21637 — Node propagates a synchronous throw from an
+// operator-supplied SNICallback up through the TLS handshake listener;
+// the unhandled throw on an unexpected servername crashes the
+// listener. RFC 6066 §3 expects the server to abort the handshake on a
+// failed callback, NOT crash the process.
+//
+// `wrapSNICallback(operatorCb)` returns a wrapper that:
+//
+//   - Calls the operator callback in a try/catch.
+//   - Surface a synchronous throw via the async (err, null) callback so
+//     the TLS handshake aborts cleanly. Cb is best-effort: an operator
+//     callback that throws AFTER invoking the callback already (double
+//     invoke) gets the throw caught here without double-invoking again.
+//   - Emit an audit event so a burst of crashes-that-weren't surfaces
+//     in operator review.
+//   - Returns the operator's original callback unchanged if it's not a
+//     function (lets the caller pass undefined through without
+//     special-casing).
+//
+// router.js routes its operator-supplied tlsOptions.SNICallback through
+// this helper before handing the options off to https.createServer.
+// Any future framework primitive that takes operator SNICallback
+// values does the same.
+function wrapSNICallback(operatorCb) {
+  if (typeof operatorCb !== "function") return operatorCb;
+  return function _wrappedSNICallback(servername, cb) {
+    try {
+      operatorCb(servername, cb);
+    } catch (err) {
+      try {
+        audit().safeEmit({
+          action:   "network.tls.sni_callback_threw",
+          outcome:  "failure",
+          metadata: {
+            servername: typeof servername === "string" ? servername : null,
+            reason:     (err && err.message) ? err.message : String(err),
+          },
+        });
+      } catch (_auditErr) { /* drop-silent — audit best-effort */ }
+      try { cb(err, null); }
+      catch (_cbErr) { /* cb already invoked or unavailable */ }
+    }
+  };
+}
+
 module.exports = {
   addCa:               addCa,
   addCaBundle:         addCaBundle,
@@ -3073,6 +3118,7 @@ module.exports = {
   parseEchConfigList:  parseEchConfigList,
   connectWithEch:      connectWithEch,
   checkServerIdentity9525: checkServerIdentity9525,
+  wrapSNICallback:     wrapSNICallback,
   TlsTrustError:       TlsTrustError,
   NetworkTlsError:     NetworkTlsError,
   _resetForTest:       _resetForTest,

package/lib/otel-export.js

@@ -50,6 +50,13 @@ var OtelExportError = defineClass("OtelExportError", { alwaysPermanent: false })
 
 var DEFAULT_INTERVAL_MS = C.TIME.seconds(15);
 
+// OTLP collector response is `Empty` (zero protobuf bytes) on success
+// or a short ExportPartialSuccess message on partial accept. A response
+// past this cap is a hostile / misbehaving collector; refusing the
+// body keeps the exporter from buffering megabytes per flush (CVE-2026-
+// 40891 / CVE-2026-40182 OTLP class).
+var MAX_RESPONSE_BYTES = C.BYTES.mib(1);
+
 // OTLP aggregation temporality:
 //   1 = DELTA      — counters report deltas since last export
 //   2 = CUMULATIVE — counters report running totals
@@ -221,10 +228,12 @@ function create(opts) {
     var body = JSON.stringify(payload);
     try {
       var res = await effectiveHttpClient.request({
-        method:  "POST",
-        url:     endpoint,
-        headers: Object.assign({ "Content-Type": "application/json" }, headers),
-        body:    body,
+        method:           "POST",
+        url:              endpoint,
+        headers:          Object.assign({ "Content-Type": "application/json" }, headers),
+        body:             body,
+        maxResponseBytes: MAX_RESPONSE_BYTES,
+        errorClass:       OtelExportError,
       });
       if (res.statusCode < 200 || res.statusCode >= 300) {
         throw new OtelExportError("otel-export/upstream-rejected",

package/lib/outbox.js

@@ -342,27 +342,77 @@ function create(opts) {
   var stopping = false;
   var inFlight = null;
 
+  // SUBSTRATE-23 — `FOR UPDATE SKIP LOCKED` is Postgres / MySQL 8+ only.
+  // SQLite (single-writer at the DB level, but WAL mode lets multiple
+  // processes share the file with concurrent SELECTs) doesn't support
+  // SKIP LOCKED — feeding it Postgres syntax silently double-publishes
+  // every row when two processes poll in parallel. Detect the dialect
+  // at runtime; only emit FOR UPDATE SKIP LOCKED when the backend
+  // declares postgres / mysql.
+  //
+  // Operator-visible: dialect comes from `externalDb.dialect` (set at
+  // `b.externalDb.create({ dialect: "postgres" | "mysql" | "sqlite" }`).
+  // Other backends fall back to the conservative "mark-then-update"
+  // path that works on every SQL dialect at the cost of a tiny race
+  // window between the SELECT + UPDATE (mitigated by status='in-flight'
+  // marker — duplicate publishes still bounded by retry visibility).
+  function _supportsForUpdateSkipLocked() {
+    var d = externalDb.dialect;
+    return d === "postgres" || d === "mysql";
+  }
+
   async function _claimBatch() {
+    var supportsSkipLocked = _supportsForUpdateSkipLocked();
     return await externalDb.transaction(async function (xdb) {
       var nowExpr = _utcNowExpr(externalDb);
-      var rows = await xdb.query(
+      var selectSql =
         "SELECT id, topic, payload, key, headers, attempts" +
         " FROM " + quotedTable +
         " WHERE status = 'pending' AND next_attempt_at <= $1" +
         " ORDER BY next_attempt_at" +
-        " LIMIT $2" +
-        " FOR UPDATE SKIP LOCKED",
-        [nowExpr, batchSize]
-      );
+        " LIMIT $2";
+      if (supportsSkipLocked) {
+        selectSql += " FOR UPDATE SKIP LOCKED";
+      }
+      var rows = await xdb.query(selectSql, [nowExpr, batchSize]);
       if (!rows || !rows.rows || rows.rows.length === 0) return [];
       var ids = rows.rows.map(function (r) { return r.id; });
-      // Mark as 'in-flight' so a parallel publisher won't re-claim them
-      // when the row lock releases (after the SELECT-for-update txn).
-      await xdb.query(
-        "UPDATE " + quotedTable + " SET status = 'in-flight' WHERE id = ANY($1)",
-        [ids]
-      );
-      return rows.rows.map(function (r) {
+      // Atomic claim: when the dialect lacks SKIP LOCKED, the UPDATE
+      // WHERE status='pending' AND id IN (...) ensures only ONE publisher
+      // sees each row transition from 'pending' to 'in-flight' — the
+      // other publisher's UPDATE matches zero rows and its batch shrinks.
+      // We re-select after the UPDATE to know which IDs we actually
+      // claimed (sqlite UPDATE doesn't return affected rows the same
+      // way Postgres does).
+      var actuallyClaimed;
+      if (supportsSkipLocked) {
+        // Postgres/MySQL: row lock held; ANY($1) update is safe.
+        await xdb.query(
+          "UPDATE " + quotedTable + " SET status = 'in-flight' WHERE id = ANY($1)",
+          [ids]
+        );
+        actuallyClaimed = rows.rows;
+      } else {
+        // SQLite (or "other") path: emit a portable UPDATE that
+        // refuses overlap by gating on status='pending'. After the
+        // update we re-read the in-flight rows we own; rows that
+        // another publisher beat us to are skipped.
+        // Use placeholders so the SQL stays parameterized regardless
+        // of dialect array semantics.
+        var placeholders = ids.map(function (_, i) { return "$" + (i + 1); }).join(",");
+        await xdb.query(
+          "UPDATE " + quotedTable +
+          " SET status = 'in-flight' WHERE status = 'pending' AND id IN (" + placeholders + ")",
+          ids
+        );
+        var afterRows = await xdb.query(
+          "SELECT id, topic, payload, key, headers, attempts FROM " + quotedTable +
+          " WHERE status = 'in-flight' AND id IN (" + placeholders + ")",
+          ids
+        );
+        actuallyClaimed = (afterRows && afterRows.rows) || [];
+      }
+      return actuallyClaimed.map(function (r) {
         return {
           id:       r.id,
           topic:    r.topic,

package/lib/pqc-agent.js

@@ -253,13 +253,21 @@ function _getDefaultAgent() {
  *   logger.info("pqc-agent reloaded", res);
  */
 function reload() {
-  var hadAgent = _defaultAgent !== null;
-  if (hadAgent) {
-    try { _defaultAgent.destroy(); }
+  // CRYPTO-9 — null the cached agent BEFORE calling destroy. The
+  // previous order let a concurrent _getDefaultAgent() see the
+  // destroyed-not-null agent and hand it to a caller; the caller
+  // then tries to issue a request through a torn-down keep-alive
+  // pool and surfaces a "socket destroyed" error. Null-first means
+  // every concurrent _getDefaultAgent() either sees the live agent
+  // (request lands on the about-to-be-torn-down pool — natural
+  // graceful drain) or the null sentinel (builds fresh).
+  var prior = _defaultAgent;
+  _defaultAgent = null;
+  if (prior) {
+    try { prior.destroy(); }
     catch (_e) { /* destroy is best-effort */ }
-    _defaultAgent = null;
   }
-  return { destroyed: hadAgent };
+  return { destroyed: prior !== null };
 }
 
 module.exports = {

package/lib/retry.js

@@ -39,7 +39,6 @@
 
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
-var nodeCrypto = require("node:crypto");
 var numericChecks = require("./numeric-checks");
 // safe-async re-exports withRetry + CircuitBreaker from this module, so a
 // direct top-level require would create a cycle. Lazy-require defers the
@@ -239,10 +238,19 @@ function isRetryable(err) {
  *
  * Compute the backoff in milliseconds for a given (1-based) `attempt`
  * number. Exponential growth `baseDelayMs * 2^(attempt-1)` capped at
- * `maxDelayMs`, then subtract a cryptographic jitter sample scaled by
- * `jitterFactor` so retrying clients do not realign on the same
- * boundary. Throws TypeError when `attempt` is not a positive integer.
- * `opts` defaults to `b.retry.DEFAULT_RETRY` when absent.
+ * `maxDelayMs`, then subtract a Math.random-sourced jitter sample
+ * scaled by `jitterFactor` so retrying clients spread across the
+ * millisecond window instead of realigning on the same boundary
+ * (thundering-herd avoidance). Throws TypeError when `attempt` is
+ * not a positive integer. `opts` defaults to `b.retry.DEFAULT_RETRY`
+ * when absent.
+ *
+ * Jitter is intentionally NOT a CSPRNG sample — the per-request delay
+ * is observable to every peer client by construction (the request
+ * that comes in carries its own arrival timing), so there is no
+ * confidentiality property a stronger random source would protect.
+ * Math.random is the right tool for thundering-herd avoidance and
+ * costs ~50x less than a CSPRNG randomInt() under a retry storm.
  *
  * @opts
  *   baseDelayMs:  number,   // initial backoff (default 100)
@@ -263,10 +271,16 @@ function backoffDelay(attempt, opts) {
   opts = opts || DEFAULT_RETRY;
   var base = opts.baseDelayMs * Math.pow(2, attempt - 1);
   var capped = Math.min(base, opts.maxDelayMs);
-  // Cryptographically-strong jitter so a timing-attack mitigation isn't
-  // undermined by Math.random's predictable PRNG.
-  var jitterDenom = 1_000_000;
-  var jitter = capped * opts.jitterFactor * (nodeCrypto.randomInt(0, jitterDenom) / jitterDenom);
+  // CRYPTO-12 — jitter exists to spread retry storms across the
+  // millisecond window so N peer clients waking from the same
+  // upstream outage don't all hit the recovering service at the same
+  // tick. The value is observable to every client by construction
+  // (the request that comes in carries its own timing); there's no
+  // confidentiality property to protect, so a CSPRNG would burn
+  // 30-50K randomInt/sec under a retry storm without any security
+  // payoff. Math.random's PRNG is the right tool for
+  // thundering-herd avoidance.
+  var jitter = capped * opts.jitterFactor * Math.random();                                           // allow:math-random-noncrypto — jitter for thundering-herd, not a confidentiality primitive
   return Math.floor(capped - jitter);
 }
 

package/lib/router.js

@@ -463,6 +463,14 @@ class Router {
   }
 
   _registerRoute(method, pattern, args) {
+    // CVE-2026-4923 — refuse pattern with more than 3 consecutive `*`
+    // metacharacters. The framework's segment matcher doesn't compile
+    // regex from operator input, but the policy stays crisp at the
+    // registration boundary.
+    if (typeof pattern === "string" && /\*{4,}/.test(pattern)) {
+      throw new Error(method + " " + pattern + ": route pattern refused " +
+        "(CVE-2026-4923) — more than 3 consecutive '*' metacharacters");
+    }
     var split = this._splitArgs(args);
     if (split.spec) _validateRouteSpec(split.spec, method, pattern);
     var handlers = split.handlers;
@@ -656,7 +664,21 @@ class Router {
       allowedProtocols: safeUrl.ALLOW_HTTP_ALL,
     });
     req.pathname = parsed.pathname;
-    req.query = Object.fromEntries(parsed.searchParams);
+    // CVE-2026-21717 V8 HashDoS defense — cap distinct query keys
+    // before forming the dense object. Integer-shaped keys past 1000
+    // entries degrade V8 hidden-class transitions to O(n²).
+    var queryEntries = [];
+    var queryKeyCount = 0;
+    for (var pair of parsed.searchParams) {
+      queryKeyCount += 1;
+      if (queryKeyCount > 1000) {                                                                  // allow:raw-byte-literal — CVE-2026-21717 V8 HashDoS query-key cap
+        res.statusCode = 400;
+        res.end("400 Bad Request: too many query keys");
+        return;
+      }
+      queryEntries.push(pair);
+    }
+    req.query = Object.fromEntries(queryEntries);
 
     // Run middleware
     for (var mw of this.middleware) {