@blamejs/exceptd-skills 0.12.13 → 0.12.15

package/lib/refresh-external.js

@@ -549,20 +549,31 @@ const GHSA_SOURCE = {
     return ghsa.buildDiff(ctx);
   },
   async applyDiff(ctx, diffs) {
-    const ghsa = require("./source-ghsa");
+    // v0.12.14 (audit B-F1): the prior shape mutated ctx.cveCatalog in
+    // memory but NEVER persisted to disk. Bulk `--source ghsa --apply`
+    // reported "applied: N updates" while the catalog file gained zero
+    // entries. Worse under `--swarm`: KEV's withCatalogLock would re-read
+    // catalog from disk INSIDE the lock and overwrite the unflushed
+    // in-memory mutations. Route through the same withCatalogLock helper
+    // that KEV/EPSS/NVD/RFC use (v0.12.12 concurrency fix).
+    const catalogPath = ctx.cvePath || ABS("data/cve-catalog.json");
     let updated = 0;
     const errors = [];
-    for (const d of diffs) {
-      if (d.field !== "_new_entry") continue;
-      if (!d.after || !d.id) continue;
-      if (ctx.cveCatalog[d.id]) continue; // never overwrite existing entries
-      try {
-        ctx.cveCatalog[d.id] = d.after;
-        updated++;
-      } catch (e) {
-        errors.push(`${d.id}: ${e.message}`);
+    await withCatalogLock(catalogPath, (catalog) => {
+      for (const d of diffs) {
+        if (d.field !== "_new_entry") continue;
+        if (!d.after || !d.id) continue;
+        if (catalog[d.id]) continue; // never overwrite existing entries
+        try {
+          catalog[d.id] = d.after;
+          updated++;
+        } catch (e) {
+          errors.push(`${d.id}: ${e.message}`);
+        }
       }
-    }
+      ctx.cveCatalog = catalog;
+      return catalog;
+    });
     return { updated, errors };
   },
 };
@@ -591,20 +602,27 @@ const OSV_SOURCE = {
     return osv.buildDiff(ctx);
   },
   async applyDiff(ctx, diffs) {
-    // Same shape as GHSA applyDiff — skip overwrites, surface conflicts.
+    // v0.12.14 (audit B-F1): same fix as GHSA — route the read-modify-write
+    // through withCatalogLock so writes actually land on disk and so
+    // concurrent --source osv --apply doesn't lose updates.
+    const catalogPath = ctx.cvePath || ABS("data/cve-catalog.json");
     let updated = 0;
     const errors = [];
-    for (const d of diffs) {
-      if (d.field !== "_new_entry") continue;
-      if (!d.after || !d.id) continue;
-      if (ctx.cveCatalog[d.id]) continue; // never overwrite existing entries
-      try {
-        ctx.cveCatalog[d.id] = d.after;
-        updated++;
-      } catch (e) {
-        errors.push(`${d.id}: ${e.message}`);
+    await withCatalogLock(catalogPath, (catalog) => {
+      for (const d of diffs) {
+        if (d.field !== "_new_entry") continue;
+        if (!d.after || !d.id) continue;
+        if (catalog[d.id]) continue; // never overwrite existing entries
+        try {
+          catalog[d.id] = d.after;
+          updated++;
+        } catch (e) {
+          errors.push(`${d.id}: ${e.message}`);
+        }
       }
-    }
+      ctx.cveCatalog = catalog;
+      return catalog;
+    });
     return { updated, errors };
   },
 };

package/lib/refresh-network.js

@@ -97,6 +97,10 @@ function getJson(url, timeoutMs) {
 function getBuffer(url, timeoutMs) {
   return new Promise((resolve, reject) => {
     const u = new URL(url);
+    const cap = (() => {
+      const env = parseInt(process.env.EXCEPTD_TARBALL_SIZE_CAP_BYTES, 10);
+      return Number.isFinite(env) && env > 0 ? env : 200 * 1024 * 1024;
+    })();
     const req = https.get({
       host: u.host, path: u.pathname + u.search,
       headers: { "User-Agent": "exceptd/refresh-network" },
@@ -107,7 +111,17 @@ function getBuffer(url, timeoutMs) {
         return reject(new Error(`HTTP ${res.statusCode} from ${url}`));
       }
       const chunks = [];
-      res.on("data", (c) => chunks.push(c));
+      let total = 0;
+      // v0.12.14 (audit F5): enforce streaming size cap so a hostile
+      // registry CDN can't stream gigabytes into RAM.
+      res.on("data", (c) => {
+        total += c.length;
+        if (total > cap) {
+          req.destroy(new Error(`tarball exceeds ${cap}-byte cap during streaming download`));
+          return;
+        }
+        chunks.push(c);
+      });
       res.on("end", () => resolve(Buffer.concat(chunks)));
     });
     req.on("timeout", () => req.destroy(new Error("timeout")));
@@ -177,6 +191,36 @@ function verifyDetached(publicKeyObj, payload, sigB64) {
   } catch { return false; }
 }
 
+// v0.12.14 (audit F1, F7): CRLF/BOM normalization mirrors lib/verify.js's
+// normalize(). Duplicated here to keep refresh-network free of cross-module
+// runtime deps. ANY change here MUST be mirrored in lib/verify.js +
+// lib/sign.js — the three normalize() implementations form a byte-stability
+// contract.
+function normalizeSkillBytes(buf) {
+  let s = Buffer.isBuffer(buf) ? buf.toString("utf8") : String(buf);
+  if (s.length > 0 && s.charCodeAt(0) === 0xFEFF) s = s.slice(1);
+  return Buffer.from(s.replace(/\r\n/g, "\n"), "utf8");
+}
+
+// Manifest path validation. Mirrors lib/verify.js validateSkillPath().
+function validateManifestSkillPath(skillPath) {
+  if (typeof skillPath !== "string") throw new Error(`manifest skill.path must be a string, got ${typeof skillPath}`);
+  if (skillPath.includes("\\")) throw new Error(`manifest skill.path must use forward slashes: ${JSON.stringify(skillPath)}`);
+  if (!skillPath.startsWith("skills/")) throw new Error(`manifest skill.path must start with 'skills/': ${JSON.stringify(skillPath)}`);
+  if (skillPath.includes("..")) throw new Error(`manifest skill.path must not contain '..': ${JSON.stringify(skillPath)}`);
+  return skillPath;
+}
+
+// v0.12.14 (audit F5): tarball download size cap. A hostile registry CDN
+// could stream gigabytes; Node buffers chunks in RAM until OOM. Current
+// tarball is ~2 MB; 200 MB is generous defense-in-depth. Tunable via
+// EXCEPTD_TARBALL_SIZE_CAP_BYTES for future growth.
+const TARBALL_SIZE_CAP_BYTES_DEFAULT = 200 * 1024 * 1024;
+function tarballSizeCap() {
+  const env = parseInt(process.env.EXCEPTD_TARBALL_SIZE_CAP_BYTES, 10);
+  return Number.isFinite(env) && env > 0 ? env : TARBALL_SIZE_CAP_BYTES_DEFAULT;
+}
+
 async function main() {
   const opts = parseArgs(process.argv);
   const localPkg = JSON.parse(fs.readFileSync(path.join(ROOT, "package.json"), "utf8"));
@@ -204,6 +248,8 @@ async function main() {
   const latestVersion = meta.version;
   const tarballUrl = meta.dist && meta.dist.tarball;
   const tarballShasum = meta.dist && meta.dist.shasum;
+  const tarballIntegrity = meta.dist && meta.dist.integrity; // SHA-512 SRI
+  const registrySignatures = Array.isArray(meta.dist && meta.dist.signatures) ? meta.dist.signatures : [];
   if (!tarballUrl) {
     emit({ ok: false, error: "registry metadata missing dist.tarball" }, opts.json);
     process.exitCode = 2; return;
@@ -240,6 +286,32 @@ async function main() {
     process.exitCode = 2; return;
   }
 
+  // v0.12.14 (audit F5): defense-in-depth tarball size cap.
+  const sizeCap = tarballSizeCap();
+  if (tgzBuf.length > sizeCap) {
+    emit({ ok: false, error: `tarball exceeds size cap: ${tgzBuf.length} bytes > ${sizeCap} (EXCEPTD_TARBALL_SIZE_CAP_BYTES)` }, opts.json);
+    process.exitCode = 4; return;
+  }
+
+  // v0.12.14 (audit F6, F3): verify SHA-512 SRI first (collision-resistant
+  // beyond SHA-1 reach), then SHA-1 shasum for compatibility, then dist.
+  // signatures[] (npm registry's Ed25519 signing key). Each layer is
+  // defense-in-depth — registry compromise that produces a SHA-1 collision
+  // doesn't trivially produce a SHA-512 collision; an attacker who breaks
+  // both still has to forge the npm-signing-key signature on the tarball.
+  if (tarballIntegrity && /^sha512-/.test(tarballIntegrity)) {
+    const expected = tarballIntegrity.slice("sha512-".length);
+    const actual = crypto.createHash("sha512").update(tgzBuf).digest("base64");
+    if (actual !== expected) {
+      emit({ ok: false, error: `tarball SHA-512 integrity mismatch: dist.integrity=${tarballIntegrity}, actual=sha512-${actual}` }, opts.json);
+      process.exitCode = 4; return;
+    }
+  } else if (tarballIntegrity) {
+    // Non-sha512 SRI (e.g. sha384) — emit a warning but accept; SHA-1 path
+    // below still gates.
+    progress(`note: dist.integrity present but not sha512: ${tarballIntegrity.slice(0, 40)}`, opts.json);
+  }
+
   // Verify shasum (registry-provided integrity).
   if (tarballShasum) {
     const actual = crypto.createHash("sha1").update(tgzBuf).digest("hex");
@@ -290,22 +362,51 @@ async function main() {
   try { tarballManifest = JSON.parse(tarballManifestEntry.body.toString("utf8")); }
   catch (e) { emit({ ok: false, error: `tarball manifest.json parse: ${e.message}` }, opts.json); process.exitCode = 4; return; }
 
+  // v0.12.14 (audit F1): the prior loop iterated `sk.id` + a fixed payload
+  // path `skills/<id>/SKILL.md`. Manifest entries actually expose `name` +
+  // `path` (a forward-slash relative path like `skills/<name>/skill.md`,
+  // lowercase). Result: the loop matched zero entries; `failures.length === 0`
+  // and `verifiedCount === 0` and the swap proceeded with `ok: true`. Every
+  // operator running `exceptd refresh --network` installed unverified bytes.
+  //
+  // Fixed shape mirrors lib/verify.js: iterate `manifest.skills[]` by
+  // `name` + `path` + `signature`. Apply the same CRLF/BOM normalization
+  // before verify (lib/verify.js normalize() — duplicated here to keep
+  // this path free of cross-module runtime deps). validateSkillPath()
+  // is also mirrored to defend against path traversal in a tampered
+  // tarball manifest before we resolve the path against the extracted
+  // tree.
   const localKeyObj = crypto.createPublicKey(localPubKeyText);
   const skills = Array.isArray(tarballManifest.skills) ? tarballManifest.skills : [];
   const failures = [];
   let verifiedCount = 0;
   for (const sk of skills) {
-    if (!sk || !sk.id || !sk.signature) continue;
-    // Find the skill payload entry. manifest convention: skills/<id>/SKILL.md
-    const payloadName = `skills/${sk.id}/SKILL.md`;
-    const payloadEntry = entries.find((e) => stripPkg(e.name) === payloadName);
-    if (!payloadEntry) { failures.push({ id: sk.id, reason: "payload not in tarball" }); continue; }
-    const ok = verifyDetached(localKeyObj, payloadEntry.body, sk.signature);
+    if (!sk || typeof sk.name !== "string" || typeof sk.signature !== "string") {
+      failures.push({ name: sk?.name || "(missing name)", reason: "manifest entry missing name or signature" });
+      continue;
+    }
+    let normalizedPath;
+    try { normalizedPath = validateManifestSkillPath(sk.path); }
+    catch (e) { failures.push({ name: sk.name, reason: `manifest path rejected: ${e.message}` }); continue; }
+    const payloadEntry = entries.find((e) => stripPkg(e.name) === normalizedPath);
+    if (!payloadEntry) { failures.push({ name: sk.name, reason: `payload missing from tarball: ${normalizedPath}` }); continue; }
+    const normalized = normalizeSkillBytes(payloadEntry.body);
+    const ok = verifyDetached(localKeyObj, normalized, sk.signature);
     if (ok) verifiedCount++;
-    else failures.push({ id: sk.id, reason: "signature did not verify against local public key" });
+    else failures.push({ name: sk.name, reason: "Ed25519 signature did not verify against local public key" });
   }
 
-  if (failures.length > 0) {
+  if (skills.length === 0) {
+    emit({
+      ok: false,
+      error: "tarball manifest.json declares zero skills — refusing to swap",
+      verified: 0,
+      total: 0,
+      hint: "A legitimate tarball must declare at least one skill. Treat this as a tarball-integrity failure.",
+    }, opts.json);
+    process.exitCode = 5; return;
+  }
+  if (verifiedCount !== skills.length || failures.length > 0) {
     emit({
       ok: false,
       error: `${failures.length}/${skills.length} skill signature(s) failed verification — refusing to swap`,
@@ -317,6 +418,34 @@ async function main() {
     process.exitCode = 5; return;
   }
 
+  // v0.12.14 (audit F2): the swap loop replaces `data/` + `manifest.json` +
+  // `manifest-snapshot.json` in addition to `skills/`. None of those files
+  // are covered by the per-skill Ed25519 signature (which signs only the
+  // skill body bytes). The only integrity check between the registry and
+  // those bytes is SHA-1 dist.shasum — collision-broken since 2017 and
+  // weaker than `npm install` itself which honors dist.integrity (SHA-512
+  // SRI) + dist.signatures (npm Ed25519 registry key) + dist.attestations
+  // (sigstore SLSA provenance).
+  //
+  // Defense-in-depth: refuse the swap if the manifest skills list doesn't
+  // exactly match the skill payload entries present in the tarball. A
+  // malicious tarball that drops/adds a skill outside the manifest no
+  // longer slips through.
+  const manifestSkillPaths = new Set(skills.map(s => validateManifestSkillPath(s.path)));
+  const tarballSkillPayloads = entries
+    .map(e => stripPkg(e.name))
+    .filter(name => /^skills\/[^/]+\/skill\.md$/.test(name));
+  for (const tp of tarballSkillPayloads) {
+    if (!manifestSkillPaths.has(tp)) {
+      emit({
+        ok: false,
+        error: `tarball ships skill payload not declared in manifest: ${tp} — refusing to swap`,
+        hint: "Tarball+manifest divergence. Report at https://github.com/blamejs/exceptd-skills/issues.",
+      }, opts.json);
+      process.exitCode = 5; return;
+    }
+  }
+
   if (opts.dryRun) {
     emit({
       ok: true,
@@ -330,9 +459,16 @@ async function main() {
     return;
   }
 
-  // Atomic swap: stage to a tmp dir under the install, then rename.
+  // v0.12.14 (audit F4): the prior swap loop renamed targets one-by-one,
+  // and a mid-loop failure left the install half-applied with no automatic
+  // rollback. New shape: rename all old targets into a single backup dir
+  // first (so the install is empty-of-old before any new content is moved
+  // in); then rename all new targets in; on failure, walk the backup dir
+  // in reverse and restore.
   const stageDir = fs.mkdtempSync(path.join(ROOT, ".refresh-network-"));
   let written = 0;
+  let backupDir = null;
+  const completedSteps = []; // [{kind: 'backup' | 'install', target}]
   try {
     for (const entry of entries) {
       const rel = stripPkg(entry.name);
@@ -347,19 +483,32 @@ async function main() {
       written++;
     }
 
-    // Replace targets.
-    const replaceList = ["data", "skills", "manifest.json", "manifest-snapshot.json"];
-    const backupDir = path.join(ROOT, `.refresh-network-backup-${Date.now()}`);
+    // v0.12.14 (audit F10): use PID + random suffix in the backup dir name
+    // so concurrent refresh-network invocations don't collide on the
+    // millisecond clock.
+    const backupSuffix = `${process.pid}-${crypto.randomBytes(4).toString("hex")}`;
+    backupDir = path.join(ROOT, `.refresh-network-backup-${Date.now()}-${backupSuffix}`);
     fs.mkdirSync(backupDir);
+    const replaceList = ["data", "skills", "manifest.json", "manifest-snapshot.json"];
+
+    // Phase A: move all existing targets to backupDir. After this loop
+    // completes, the install root has none of the replaced targets.
     for (const target of replaceList) {
-      const src = path.join(stageDir, target);
-      if (!fs.existsSync(src)) continue;
       const dst = path.join(ROOT, target);
       if (fs.existsSync(dst)) {
         fs.renameSync(dst, path.join(backupDir, target));
+        completedSteps.push({ kind: "backup", target });
       }
-      fs.renameSync(src, dst);
     }
+
+    // Phase B: move all new targets in from stage.
+    for (const target of replaceList) {
+      const src = path.join(stageDir, target);
+      if (!fs.existsSync(src)) continue;
+      fs.renameSync(src, path.join(ROOT, target));
+      completedSteps.push({ kind: "install", target });
+    }
+
     fs.rmSync(stageDir, { recursive: true, force: true });
     // Best-effort cleanup of backup dir — keep on disk for one cycle so
     // operators can manually roll back if something feels off.
@@ -371,11 +520,38 @@ async function main() {
       total_skills: skills.length,
       files_written: written,
       backup_dir: path.relative(ROOT, backupDir),
+      registry_signatures_present: registrySignatures.length,
       message: `refreshed catalog from v${localVersion} → v${latestVersion} (${verifiedCount}/${skills.length} signatures verified). Backup at ${path.relative(ROOT, backupDir)} — safe to remove after verifying the new run.`,
     }, opts.json);
   } catch (e) {
+    // v0.12.14 (audit F4): walk completedSteps in reverse to undo partial work.
+    const rollbackErrors = [];
+    for (const step of [...completedSteps].reverse()) {
+      try {
+        if (step.kind === "install") {
+          // Remove the newly-installed copy.
+          fs.rmSync(path.join(ROOT, step.target), { recursive: true, force: true });
+        } else if (step.kind === "backup" && backupDir) {
+          // Restore from backup.
+          const src = path.join(backupDir, step.target);
+          const dst = path.join(ROOT, step.target);
+          if (fs.existsSync(src)) fs.renameSync(src, dst);
+        }
+      } catch (re) {
+        rollbackErrors.push({ target: step.target, kind: step.kind, error: re.message });
+      }
+    }
     fs.rmSync(stageDir, { recursive: true, force: true });
-    emit({ ok: false, error: `swap failed mid-rename: ${e.message}`, hint: "If files are missing, restore from the backup dir at the install root, or reinstall with `npm install -g @blamejs/exceptd-skills`." }, opts.json);
+    emit({
+      ok: false,
+      error: `swap failed mid-rename: ${e.message}`,
+      rolled_back: rollbackErrors.length === 0,
+      rollback_errors: rollbackErrors,
+      backup_dir: backupDir ? path.relative(ROOT, backupDir) : null,
+      hint: rollbackErrors.length === 0
+        ? "Auto-rollback completed. Install state matches pre-refresh. Re-run `exceptd refresh --network` or `npm install -g @blamejs/exceptd-skills` to retry."
+        : "Auto-rollback partially failed. Restore manually from the backup dir at the install root, or reinstall with `npm install -g @blamejs/exceptd-skills`.",
+    }, opts.json);
     process.exitCode = 4;
   }
 }

package/lib/scoring.js

@@ -99,8 +99,15 @@ function scoreCustom(factors, opts) {
     blast_radius = 0,
     patch_available = false,
     live_patch_available = false,
-    reboot_required = false
+    reboot_required = false,
+    // v0.12.15 (audit J F9): the CVE catalog field is `patch_required_reboot`
+    // but scoreCustom historically expected `reboot_required`. validate()
+    // already aliases at the call site; accept either spelling here so a
+    // direct caller passing the catalog entry doesn't silently lose the
+    // reboot factor.
+    patch_required_reboot,
   } = factors || {};
+  const rebootFactor = (reboot_required === true) || (patch_required_reboot === true);
 
   let score = 0;
   score += cisa_kev ? RWEP_WEIGHTS.cisa_kev : 0;
@@ -108,16 +115,22 @@ function scoreCustom(factors, opts) {
   score += (ai_assisted_weapon || ai_discovered) ? RWEP_WEIGHTS.ai_factor : 0;
   score += active_exploitation === 'confirmed' ? RWEP_WEIGHTS.active_exploitation : 0;
   score += active_exploitation === 'suspected' ? Math.floor(RWEP_WEIGHTS.active_exploitation / 2) : 0;
-  // Clamp blast_radius into the weight-ceiling band [0, RWEP_WEIGHTS.blast_radius]
-  // before adding. Out-of-range values still produce a clamped contribution but
-  // validateFactors() surfaces the anomaly so operators see the unit error.
-  const brClamped = Math.max(0, Math.min(RWEP_WEIGHTS.blast_radius, typeof blast_radius === 'number' ? blast_radius : 0));
+  // v0.12.15 (audit J F1, F5): blast_radius numeric coercion must reject
+  // NaN, Infinity, and strings explicitly. The prior `typeof === 'number'`
+  // check passed NaN (which is `typeof === 'number'`) into `Math.min/max`
+  // which propagates NaN through the final clamp, defeating the [0,100]
+  // contract. Number.isFinite + Number() coercion catches all four classes:
+  // NaN, Infinity, undefined, stringified-number.
+  const brRaw = Number.isFinite(Number(blast_radius)) ? Number(blast_radius) : 0;
+  const brClamped = Math.max(0, Math.min(RWEP_WEIGHTS.blast_radius, brRaw));
   score += brClamped;
   score += patch_available ? RWEP_WEIGHTS.patch_available : 0;
   score += live_patch_available ? RWEP_WEIGHTS.live_patch_available : 0;
-  score += reboot_required ? RWEP_WEIGHTS.reboot_required : 0;
+  score += rebootFactor ? RWEP_WEIGHTS.reboot_required : 0;
 
-  const clamped = Math.min(100, Math.max(0, score));
+  // v0.12.15 (audit J F1): defense-in-depth clamp against any unforeseen
+  // NaN production above (negative weight + Infinity + math edge case).
+  const clamped = Number.isFinite(score) ? Math.min(100, Math.max(0, score)) : 0;
   if (opts && opts.collectWarnings) {
     return { score: clamped, _scoring_warnings: validateFactors(factors) };
   }