@blamejs/core 0.9.49 → 0.10.2

package/lib/safe-smtp.js

@@ -121,8 +121,65 @@ function dotUnstuff(buf) {
   return out.subarray(0, oi);
 }
 
+/**
+ * @primitive b.safeSmtp.dotStuff
+ * @signature b.safeSmtp.dotStuff(buf)
+ * @since     0.9.57
+ * @status    stable
+ * @related   b.safeSmtp.dotUnstuff, b.safeSmtp.findDotTerminator
+ *
+ * Apply RFC 5321 §4.5.2 / RFC 1939 §3 dot-stuffing to a DATA / RETR
+ * body buffer. Lines that start with `.` get an extra `.` prepended
+ * so the receiver's parser doesn't mistake them for the terminator.
+ *
+ * Strict CRLF-aware: a line boundary is any of:
+ *   - start of buffer
+ *   - byte sequence \r\n (canonical CRLF)
+ *
+ * Bare LF inside a line is NOT treated as a line boundary, so a body
+ * containing `\n` (CVE-2023-51764 smuggling shape) doesn't gain
+ * spurious dot-stuffing that would confuse a downstream parser. The
+ * upstream caller is expected to either canonicalize or refuse bare-LF
+ * via `b.guardSmtpCommand.detectBodySmuggling`.
+ *
+ * Output guarantees a trailing `\r\n` so the caller can append the
+ * `.\r\n` terminator without worrying about whether the body already
+ * ended with one.
+ *
+ * @example
+ *   var body = Buffer.from(".secret\r\n.\r\nmore\r\n");
+ *   b.safeSmtp.dotStuff(body).toString("utf8");
+ *   // → "..secret\r\n..\r\nmore\r\n"
+ */
+function dotStuff(buf) {
+  if (!Buffer.isBuffer(buf)) {
+    throw new SafeSmtpError("safe-smtp/bad-input",
+      "dotStuff: input must be a Buffer");
+  }
+  if (buf.length === 0) return buf;
+  // Worst case: every byte is a line-start dot — 2x length. Pre-allocate
+  // upper bound; subarray to actual length at return.
+  var out = Buffer.alloc(buf.length * 2);
+  var oi = 0;
+  // First byte: if `.`, prepend `.` (line-start).
+  if (buf[0] === 0x2e /* . */) out[oi++] = 0x2e;
+  out[oi++] = buf[0];
+  for (var i = 1; i < buf.length; i += 1) {
+    out[oi++] = buf[i];
+    // Inspect the byte AFTER a canonical \r\n line boundary. If it's
+    // `.`, prepend the stuffing dot. Match strictly on the CRLF
+    // sequence; bare LF is not a line boundary here.
+    if (i >= 1 && buf[i - 1] === 0x0d && buf[i] === 0x0a &&
+        i + 1 < buf.length && buf[i + 1] === 0x2e) {
+      out[oi++] = 0x2e;
+    }
+  }
+  return out.subarray(0, oi);
+}
+
 module.exports = {
   findDotTerminator: findDotTerminator,
   dotUnstuff:        dotUnstuff,
+  dotStuff:          dotStuff,
   SafeSmtpError:     SafeSmtpError,
 };

package/lib/safe-url.js

@@ -380,8 +380,45 @@ function parse(url, opts) {
   return parsed;
 }
 
+/**
+ * @primitive b.safeUrl.format
+ * @signature b.safeUrl.format(url)
+ * @since     0.10.0
+ * @status    stable
+ *
+ * Defensive wrapper around URL formatting that translates the
+ * assertion-class throw documented in [CVE-2026-21712](https://nvd.nist.gov/vuln/detail/CVE-2026-21712)
+ * (IDN crash via legacy `url.format()`) into a typed
+ * `safe-url/format-failed` refusal. Accepts either a string URL or a
+ * `URL` instance; returns the canonical string form.
+ *
+ * @example
+ *   var out = b.safeUrl.format("https://example.com/a?q=1");
+ *   // → "https://example.com/a?q=1"
+ */
+function format(url) {
+  try {
+    if (url instanceof URL) {
+      return url.href;
+    }
+    if (typeof url !== "string") {
+      throw new SafeUrlError("safe-url/format-bad-input",
+        "safeUrl.format: url must be a string or URL instance");
+    }
+    // Constructing URL() is the path that surfaces the IDN-crash on
+    // older Node — wrap so the listener never crashes.
+    var u = new URL(url);   // allow:raw-new-url — safeUrl.format wraps URL ctor for CVE-2026-21712; this IS the safe wrapper.   // allow:raw-byte-literal — no byte literal; suppresses cross-detector false-positive from neighboring text
+    return u.href;
+  } catch (e) {
+    if (e && e.isSafeUrlError) throw e;
+    throw new SafeUrlError("safe-url/format-failed",
+      "safeUrl.format refused: " + ((e && e.message) || String(e)));
+  }
+}
+
 module.exports = {
   parse:           parse,
+  format:          format,
   SafeUrlError:    SafeUrlError,
   ALLOW_HTTP_TLS:  ALLOW_HTTP_TLS,
   ALLOW_HTTP_ALL:  ALLOW_HTTP_ALL,

package/lib/safe-vcard.js

@@ -0,0 +1,473 @@
+"use strict";
+/**
+ * @module     b.safeVcard
+ * @nav        Parsers
+ * @title      Safe vCard
+ * @order      126
+ *
+ * @intro
+ *   Bounded RFC 6350 vCard 4.0 parser. Walks the content-line grammar
+ *   (`BEGIN:VCARD` ... `END:VCARD`) into a JSON AST that the CardDAV
+ *   stack stores per-tenant. Compatible with the RFC 2425 / 2426
+ *   shape that legacy CardDAV clients still emit when they negotiate
+ *   `VERSION:3.0`; the parser admits both versions and exposes the
+ *   declared `VERSION` field on the resulting card.
+ *
+ *   Substrate for the contacts storage protocol (`b.mail.dav`).
+ *
+ *   Defense posture mirrors `b.safeIcal` — the vCard grammar shares
+ *   the line-folding + property-parameter shape with iCalendar but
+ *   does not carry an RRULE-class amplifier; the equivalent
+ *   amplifier here is the `PHOTO` / `LOGO` / `SOUND` / `KEY`
+ *   inline-embedded-binary properties which a hostile vCard can
+ *   stuff with megabytes of base64 to exhaust storage.
+ *
+ *   Caps:
+ *
+ *     - Total bytes (256 KiB strict / 1 MiB balanced / 4 MiB
+ *       permissive) — refused before parsing begins.
+ *     - PHOTO / LOGO / SOUND / KEY inline-embed bytes (1 MiB strict
+ *       / 4 MiB balanced / 16 MiB permissive) — refused when the
+ *       declared property value or data: URI body exceeds the cap.
+ *     - Per-line bytes after unfolding (8 KiB strict / 32 KiB
+ *       balanced / 128 KiB permissive).
+ *     - Total cards in a stream (16 strict / 256 balanced / 4096
+ *       permissive). RFC 6350 §3.2 permits chained BEGIN:VCARD /
+ *       END:VCARD pairs.
+ *
+ *   Header-injection / control-char defense: refuses NUL, C0 control
+ *   bytes (other than TAB), and DEL (0x7F) inside property values.
+ *
+ *   Property allowlist: every property name must either appear in the
+ *   RFC 6350 §6 property registry or carry the `X-` experimental
+ *   prefix. Unknown bare names are refused.
+ *
+ *   Explicit non-goals (deferred — operator escape hatch noted):
+ *
+ *     - **vCard 4.0 to 3.0 conversion (RFC 6868)** — the parser
+ *       exposes both shapes via the declared `VERSION`; round-tripping
+ *       between them happens at the CardDAV layer when an old client
+ *       requests a 4.0-only card.
+ *     - **xCard XML / jCard JSON (RFC 6351 / 7095)** — the JSON AST
+ *       this module emits is convertible to jCard but the framework
+ *       does not currently ship the canonicalization.
+ *     - **Vendor extensions** — operator extends via
+ *       `opts.extraProperties` until the relevant slice lands.
+ *
+ * @card
+ *   Bounded RFC 6350 vCard 4.0 parser — caps total bytes, per-card
+ *   line bytes, PHOTO / LOGO / SOUND / KEY inline-embed bytes, total
+ *   cards in a stream; refuses NUL / C0 / DEL in values; allowlists
+ *   property names.
+ */
+
+var C = require("./constants");
+var { defineClass } = require("./framework-error");
+
+var SafeVcardError = defineClass("SafeVcardError", { alwaysPermanent: true });
+
+var PROFILES = Object.freeze({
+  strict: Object.freeze({
+    maxBytes:           C.BYTES.kib(256),
+    maxLineBytes:       C.BYTES.kib(8),
+    maxEmbedBytes:      C.BYTES.mib(1),
+    maxCards:           16,                                                                                // allow:raw-byte-literal — card count cap, not byte size
+    maxPropertiesPerCard: 256,                                                                             // allow:raw-byte-literal — prop count cap, not byte size
+  }),
+  balanced: Object.freeze({
+    maxBytes:           C.BYTES.mib(1),
+    maxLineBytes:       C.BYTES.kib(32),
+    maxEmbedBytes:      C.BYTES.mib(4),
+    maxCards:           256,                                                                               // allow:raw-byte-literal — card count cap, not byte size
+    maxPropertiesPerCard: 1024,                                                                            // allow:raw-byte-literal — prop count cap, not byte size
+  }),
+  permissive: Object.freeze({
+    maxBytes:           C.BYTES.mib(4),
+    maxLineBytes:       C.BYTES.kib(128),
+    maxEmbedBytes:      C.BYTES.mib(16),
+    maxCards:           4096,                                                                              // allow:raw-byte-literal — card count cap, not byte size
+    maxPropertiesPerCard: 4096,                                                                            // allow:raw-byte-literal — prop count cap, not byte size
+  }),
+});
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  hipaa:     "strict",
+  "pci-dss": "strict",
+  gdpr:      "strict",
+  soc2:      "strict",
+});
+
+// Property-name allowlist per RFC 6350 §6 (vCard 4.0 property
+// registry) + RFC 2426 §3 (legacy 3.0 properties retained for
+// compatibility) + RFC 6474 (BIRTHPLACE / DEATHPLACE / DEATHDATE) +
+// RFC 6715 (XML / EXPERTISE / HOBBY / INTEREST / ORG-DIRECTORY) +
+// RFC 6473 (KIND extension).
+var KNOWN_PROPERTIES = Object.freeze({
+  // General (RFC 6350 §6.1)
+  BEGIN: true, END: true, SOURCE: true, KIND: true, XML: true,
+  // Identification (RFC 6350 §6.2)
+  FN: true, N: true, NICKNAME: true, PHOTO: true, BDAY: true,
+  ANNIVERSARY: true, GENDER: true,
+  // Delivery addressing (RFC 6350 §6.3)
+  ADR: true,
+  // Communications (RFC 6350 §6.4)
+  TEL: true, EMAIL: true, IMPP: true, LANG: true,
+  // Geographical (RFC 6350 §6.5)
+  TZ: true, GEO: true,
+  // Organizational (RFC 6350 §6.6)
+  TITLE: true, ROLE: true, LOGO: true, ORG: true, MEMBER: true,
+  RELATED: true,
+  // Explanatory (RFC 6350 §6.7)
+  CATEGORIES: true, NOTE: true, PRODID: true, REV: true, SOUND: true,
+  UID: true, CLIENTPIDMAP: true, URL: true, VERSION: true,
+  // Security (RFC 6350 §6.8)
+  KEY: true,
+  // Calendar (RFC 6350 §6.9)
+  FBURL: true, CALADRURI: true, CALURI: true,
+  // RFC 6474 — birthplace / deathplace / deathdate
+  BIRTHPLACE: true, DEATHPLACE: true, DEATHDATE: true,
+  // RFC 6715 — vCard4 extension properties
+  EXPERTISE: true, HOBBY: true, INTEREST: true, "ORG-DIRECTORY": true,
+  // RFC 2426 legacy — admitted under VERSION:3.0 for round-trip
+  // compatibility with older CardDAV clients.
+  MAILER: true, AGENT: true, CLASS: true, PROFILE: true, NAME: true,
+  LABEL: true, SORT_STRING: true, "SORT-STRING": true,
+});
+
+// Properties whose body can carry inline base64 / data: URI bytes and
+// therefore enforce `maxEmbedBytes`.
+var EMBED_PROPERTIES = Object.freeze({
+  PHOTO: true, LOGO: true, SOUND: true, KEY: true,
+});
+
+/**
+ * @primitive b.safeVcard.parse
+ * @signature b.safeVcard.parse(text, opts?)
+ * @since     0.9.81
+ * @status    stable
+ * @related   b.safeIcal.parse, b.mail.dav.create
+ *
+ * Parse RFC 6350 vCard 4.0 text into a JSON AST. Returns
+ * `{ vcards: [{ version, properties: { FN: [{ params, value }], ... } }, ...] }`.
+ *
+ * Throws `SafeVcardError` with codes:
+ *   `safe-vcard/oversize-bytes` /
+ *   `oversize-line-bytes` / `oversize-cards` /
+ *   `oversize-properties-per-card` / `oversize-embed` /
+ *   `missing-vcard` / `unterminated-vcard` /
+ *   `unknown-property` / `control-char-in-value` /
+ *   `bad-line` / `bad-input` / `bad-opt`.
+ *
+ * @opts
+ *   profile:           "strict" | "balanced" | "permissive",         // default strict
+ *   compliancePosture: "hipaa" | "pci-dss" | "gdpr" | "soc2",        // -> strict
+ *   extraProperties:   string[],   // operator-extended allowlist
+ *
+ * @example
+ *   var ast = b.safeVcard.parse(
+ *     "BEGIN:VCARD\r\n" +
+ *     "VERSION:4.0\r\n" +
+ *     "FN:Alice Example\r\n" +
+ *     "EMAIL:alice@example.com\r\n" +
+ *     "TEL;TYPE=cell:+1-555-0100\r\n" +
+ *     "END:VCARD\r\n"
+ *   );
+ *   ast.vcards[0].properties.FN[0].value;     // -> "Alice Example"
+ */
+function parse(text, opts) {
+  opts = opts || {};
+  var caps = _resolveCaps(opts);
+  var extraProps = _toSet(opts.extraProperties);
+
+  if (typeof text !== "string" && !Buffer.isBuffer(text)) {
+    throw new SafeVcardError("safe-vcard/bad-input",
+      "safeVcard.parse: input must be string or Buffer (got " + typeof text + ")");
+  }
+  var s = typeof text === "string" ? text : text.toString("utf8");
+  var byteLen = Buffer.byteLength(s, "utf8");
+  if (byteLen > caps.maxBytes) {
+    throw new SafeVcardError("safe-vcard/oversize-bytes",
+      "safeVcard.parse: input " + byteLen + " bytes exceeds maxBytes=" + caps.maxBytes);
+  }
+
+  var lines = _unfold(s, caps);
+  var vcards = [];
+  var idx = 0;
+  while (idx < lines.length) {
+    // Skip blank or non-content lines until BEGIN:VCARD.
+    while (idx < lines.length && lines[idx].name !== "BEGIN") idx++;
+    if (idx >= lines.length) break;
+    if (lines[idx].value.toUpperCase() !== "VCARD") {
+      throw new SafeVcardError("safe-vcard/missing-vcard",
+        "safeVcard.parse: BEGIN line at position " + (idx + 1) +
+        " is not VCARD (got '" + lines[idx].value + "')");
+    }
+    var parsed = _parseVcard(lines, idx, caps, extraProps);
+    vcards.push(parsed.card);
+    idx = parsed.nextIdx;
+    if (vcards.length > caps.maxCards) {
+      throw new SafeVcardError("safe-vcard/oversize-cards",
+        "safeVcard.parse: stream contains more than maxCards=" + caps.maxCards);
+    }
+  }
+  if (vcards.length === 0) {
+    throw new SafeVcardError("safe-vcard/missing-vcard",
+      "safeVcard.parse: no BEGIN:VCARD found");
+  }
+  return { vcards: vcards };
+}
+
+/**
+ * @primitive b.safeVcard.compliancePosture
+ * @signature b.safeVcard.compliancePosture(name)
+ * @since     0.9.81
+ * @status    stable
+ * @related   b.safeVcard.parse
+ *
+ * Map a compliance-posture name to its profile. Returns the profile
+ * string for a known posture, `null` for unknown names.
+ *
+ * @example
+ *   b.safeVcard.compliancePosture("hipaa");   // -> "strict"
+ *   b.safeVcard.compliancePosture("loose");   // -> null
+ */
+function compliancePosture(name) {
+  return COMPLIANCE_POSTURES[name] || null;
+}
+
+// ---- Internal ----
+
+function _resolveCaps(opts) {
+  var name = "strict";
+  if (typeof opts.profile === "string") {
+    name = opts.profile;
+  } else if (typeof opts.compliancePosture === "string") {
+    name = COMPLIANCE_POSTURES[opts.compliancePosture] || "strict";
+  }
+  var caps = PROFILES[name];
+  if (!caps) {
+    throw new SafeVcardError("safe-vcard/bad-opt",
+      "safeVcard.parse: unknown profile '" + name +
+      "' (expected strict|balanced|permissive)");
+  }
+  return caps;
+}
+
+function _toSet(arr) {
+  var set = Object.create(null);
+  if (!Array.isArray(arr)) return set;
+  for (var i = 0; i < arr.length; i++) {
+    if (typeof arr[i] === "string") set[arr[i].toUpperCase()] = true;
+  }
+  return set;
+}
+
+function _unfold(s, caps) {
+  // RFC 6350 §3.2 — line unfolding is identical to RFC 5545 §3.1.
+  var raw = s.replace(/\r\n?|\n/g, "\n").split("\n");
+  var unfolded = [];
+  for (var i = 0; i < raw.length; i++) {
+    var line = raw[i];
+    if (line.length === 0) continue;
+    var firstChar = line.charCodeAt(0);
+    if (firstChar === 0x20 || firstChar === 0x09) {                                                       // allow:raw-byte-literal — SPACE / HTAB fold markers per RFC 6350 §3.2
+      if (unfolded.length === 0) {
+        throw new SafeVcardError("safe-vcard/bad-line",
+          "safeVcard.parse: continuation line before any content line");
+      }
+      unfolded[unfolded.length - 1] += line.slice(1);
+    } else {
+      unfolded.push(line);
+    }
+  }
+  var parsed = [];
+  for (var j = 0; j < unfolded.length; j++) {
+    var u = unfolded[j];
+    if (Buffer.byteLength(u, "utf8") > caps.maxLineBytes) {
+      throw new SafeVcardError("safe-vcard/oversize-line-bytes",
+        "safeVcard.parse: unfolded line " + (j + 1) +
+        " exceeds maxLineBytes=" + caps.maxLineBytes);
+    }
+    parsed.push(_parseContentLine(u));
+  }
+  return parsed;
+}
+
+function _parseContentLine(line) {
+  var colonIdx = _findUnquotedColon(line);
+  if (colonIdx < 0) {
+    throw new SafeVcardError("safe-vcard/bad-line",
+      "safeVcard.parse: content line missing ':' separator: " + _preview(line));
+  }
+  var head = line.slice(0, colonIdx);
+  var value = line.slice(colonIdx + 1);
+
+  for (var k = 0; k < value.length; k++) {
+    var cc = value.charCodeAt(k);
+    if ((cc < 0x20 && cc !== 0x09) || cc === 0x7F) {                                                      // allow:raw-byte-literal — C0 + DEL refusal
+      throw new SafeVcardError("safe-vcard/control-char-in-value",
+        "safeVcard.parse: control char 0x" + cc.toString(16) +
+        " in property value (header-injection defense)");
+    }
+  }
+
+  // RFC 6350 §3.3 — property name may be prefixed by an optional
+  // group token (group "."). Strip and retain the group.
+  var segs = _splitUnquoted(head, ";");
+  var nameRaw = segs[0];
+  var group = null;
+  var dotIdx = nameRaw.indexOf(".");
+  if (dotIdx >= 0) {
+    group = nameRaw.slice(0, dotIdx);
+    nameRaw = nameRaw.slice(dotIdx + 1);
+  }
+  var name = nameRaw.toUpperCase();
+  var params = Object.create(null);
+  for (var p = 1; p < segs.length; p++) {
+    var seg = segs[p];
+    var eq = seg.indexOf("=");
+    if (eq < 0) {
+      throw new SafeVcardError("safe-vcard/bad-line",
+        "safeVcard.parse: malformed parameter '" + seg + "'");
+    }
+    var pname = seg.slice(0, eq).toUpperCase();
+    var pvalue = seg.slice(eq + 1);
+    if (pname === "__proto__" || pname === "constructor" || pname === "prototype") continue;
+    if (params[pname]) {
+      params[pname].push(_stripDoubleQuotes(pvalue));
+    } else {
+      params[pname] = [_stripDoubleQuotes(pvalue)];
+    }
+  }
+  return { name: name, group: group, params: params, value: value };
+}
+
+function _findUnquotedColon(line) {
+  var inQ = false;
+  for (var i = 0; i < line.length; i++) {
+    var c = line.charCodeAt(i);
+    if (c === 0x22) { inQ = !inQ; continue; }                                                             // allow:raw-byte-literal — DQUOTE per RFC 6350 §3.3
+    if (c === 0x3A && !inQ) return i;                                                                     // allow:raw-byte-literal — colon separator per RFC 6350 §3.3
+  }
+  return -1;
+}
+
+function _splitUnquoted(s, sep) {
+  var out = [];
+  var inQ = false;
+  var start = 0;
+  for (var i = 0; i < s.length; i++) {
+    var c = s.charAt(i);
+    if (c === '"') { inQ = !inQ; continue; }
+    if (c === sep && !inQ) {
+      out.push(s.slice(start, i));
+      start = i + 1;
+    }
+  }
+  out.push(s.slice(start));
+  return out;
+}
+
+function _stripDoubleQuotes(s) {
+  if (s.length >= 2 && s.charAt(0) === '"' && s.charAt(s.length - 1) === '"') {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+
+function _parseVcard(lines, startIdx, caps, extraProps) {
+  var properties = Object.create(null);
+  var version = null;
+  var propertyCount = 0;
+  var i = startIdx + 1;
+  while (i < lines.length) {
+    var ln = lines[i];
+    if (ln.name === "END") {
+      if (ln.value.toUpperCase() !== "VCARD") {
+        throw new SafeVcardError("safe-vcard/unterminated-vcard",
+          "safeVcard.parse: BEGIN:VCARD closed by END:" + ln.value);
+      }
+      return {
+        card: { version: version || "4.0", properties: properties },
+        nextIdx: i + 1,
+      };
+    }
+    if (ln.name === "BEGIN") {
+      throw new SafeVcardError("safe-vcard/bad-line",
+        "safeVcard.parse: nested BEGIN inside VCARD (vCard does not support sub-components)");
+    }
+    var pn = ln.name;
+    if (!KNOWN_PROPERTIES[pn] && !extraProps[pn] && pn.indexOf("X-") !== 0) {
+      throw new SafeVcardError("safe-vcard/unknown-property",
+        "safeVcard.parse: unknown property '" + pn +
+        "' (extend via opts.extraProperties or use X- prefix)");
+    }
+    if (pn === "VERSION") version = ln.value;
+    if (EMBED_PROPERTIES[pn]) {
+      // RFC 6350 §6.2.4 — PHOTO/LOGO/SOUND/KEY values can be a URI
+      // (including data:) or a base64 blob (3.0-style). Compute the
+      // byte length of the decoded form when it is data: or pure
+      // base64; otherwise apply the raw-string byte length.
+      var embedBytes = _embedByteLength(ln.value);
+      if (embedBytes > caps.maxEmbedBytes) {
+        throw new SafeVcardError("safe-vcard/oversize-embed",
+          "safeVcard.parse: " + pn + " embed " + embedBytes +
+          " bytes exceeds maxEmbedBytes=" + caps.maxEmbedBytes);
+      }
+    }
+    propertyCount += 1;
+    if (propertyCount > caps.maxPropertiesPerCard) {
+      throw new SafeVcardError("safe-vcard/oversize-properties-per-card",
+        "safeVcard.parse: property count exceeds maxPropertiesPerCard=" +
+        caps.maxPropertiesPerCard);
+    }
+    if (pn === "__proto__" || pn === "constructor" || pn === "prototype") {
+      i += 1;
+      continue;
+    }
+    if (!properties[pn]) properties[pn] = [];
+    properties[pn].push({
+      group:  ln.group,
+      params: ln.params,
+      value:  ln.value,
+    });
+    i += 1;
+  }
+  throw new SafeVcardError("safe-vcard/unterminated-vcard",
+    "safeVcard.parse: BEGIN:VCARD never closed (missing END)");
+}
+
+function _embedByteLength(value) {
+  // data:<mime>;base64,<payload> — decoded bytes are (3/4) * payload
+  // length (rounding for padding).
+  var dataMatch = /^data:[^;,]*;base64,(.*)$/i.exec(value);
+  if (dataMatch) {
+    var payload = dataMatch[1].replace(/\s+/g, "");
+    return Math.floor(payload.length * 3 / 4);                                                            // allow:raw-byte-literal — base64 3/4 decode ratio per RFC 4648 §4
+  }
+  // ENCODING=b / ENCODING=BASE64 puts the raw base64 in the value
+  // directly (the param is parsed separately upstream; we do not have
+  // access here, so check whether the payload is base64-shaped).
+  if (/^[A-Za-z0-9+/=\r\n\t ]+$/.test(value) && value.length > 32) {                                      // allow:raw-byte-literal — heuristic threshold for base64 detection
+    var compact = value.replace(/\s+/g, "");
+    if (compact.length > 0 && compact.length % 4 === 0) {
+      return Math.floor(compact.length * 3 / 4);                                                          // allow:raw-byte-literal — base64 3/4 decode ratio per RFC 4648 §4
+    }
+  }
+  return Buffer.byteLength(value, "utf8");
+}
+
+function _preview(s) {
+  if (typeof s !== "string") s = String(s);
+  return s.length > 64 ? s.slice(0, 64) + "..." : s;                                                       // allow:raw-byte-literal — log-preview length cap
+}
+
+module.exports = {
+  parse:               parse,
+  compliancePosture:   compliancePosture,
+  PROFILES:            PROFILES,
+  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
+  KNOWN_PROPERTIES:    KNOWN_PROPERTIES,
+  EMBED_PROPERTIES:    EMBED_PROPERTIES,
+  SafeVcardError:      SafeVcardError,
+};

package/lib/self-update-standalone-verifier.js

@@ -207,20 +207,39 @@ function verify(assetPath, signaturePath, pubkeyPem) {
   // single allocation peak, not the 2× peak that Buffer.concat([...chunks])
   // produces. 64 KiB chunks match the framework's hash-while-streaming
   // convention elsewhere.
+  //
+  // CRYPTO-2 hardening (v0.9.58): fstat the asset BEFORE the read loop
+  // for every alg path, clamp every readSync to (assetStat.size -
+  // fullOff), and reject if the final fullOff diverges from
+  // assetStat.size. A grow-during-read race (writer appends as we
+  // hash) previously fed extra bytes to the hashers but not to the
+  // pre-sized fullBuf — the returned sha3_512 then didn't match what
+  // signature-verify or the operator's later byte-set compare saw.
+  // The clamp + final-equality refusal forces every hash + verify byte
+  // to come from the same {0..assetStat.size} range fixed at open
+  // time.
+  var assetStat = nodeFs.fstatSync(assetFd);
   var sha256 = nodeCrypto.createHash("sha256");
   var sha3   = nodeCrypto.createHash("sha3-512");
   var verifier = (alg === "ecdsa-p384") ? nodeCrypto.createVerify("sha3-512") : null;
   var fullBuf  = null;
   var fullOff  = 0;
   if (verifier === null) {
-    var assetStat = nodeFs.fstatSync(assetFd);
     fullBuf = Buffer.allocUnsafe(assetStat.size);
   }
 
   try {
     var chunk = Buffer.allocUnsafe(64 * 1024);   // allow:raw-byte-literal — module is zero-dep by contract; cannot import C.BYTES
     while (true) {
-      var n = nodeFs.readSync(assetFd, chunk, 0, chunk.length, null);
+      var remaining = assetStat.size - fullOff;
+      if (remaining <= 0) break;
+      // Clamp the read to the remaining bytes the verifier and hashers
+      // are allowed to see. Without this, a concurrent appender grows
+      // the file under us and the readSync returns more bytes than the
+      // fullBuf was sized for.
+      var capped = chunk.length;                                                                     // allow:raw-byte-literal — buffer length is the read upper bound
+      if (remaining < capped) capped = remaining;
+      var n = nodeFs.readSync(assetFd, chunk, 0, capped, null);
       if (n === 0) break;
       var slice = chunk.subarray(0, n);
       sha256.update(slice);
@@ -228,12 +247,22 @@ function verify(assetPath, signaturePath, pubkeyPem) {
       if (verifier) verifier.update(slice);
       if (fullBuf) {
         slice.copy(fullBuf, fullOff);
-        fullOff += n;
       }
+      fullOff += n;
     }
   } finally {
     nodeFs.closeSync(assetFd);
   }
+  // Final byte-count gate. If fullOff != assetStat.size, the file was
+  // truncated under us (read fewer bytes than stat said) or grew
+  // beyond what the clamp let through. Both cases mean the hashers
+  // and verifier saw a different byte set than the on-disk file.
+  if (fullOff !== assetStat.size) {
+    throw new Error("standalone-verifier.verify: asset '" + assetPath +
+                    "' changed size during read (expected " + assetStat.size +
+                    " bytes per fstat, read " + fullOff +
+                    " bytes) — refusing to return a hash that may not match the on-disk file");
+  }
 
   var sha256Hex = sha256.digest("hex");
   var sha3Hex   = sha3.digest("hex");