davaux 0.8.0 → 0.8.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "davaux",
-  "version": "0.8.0",
+  "version": "0.8.1",
   "description": "SSR-first JSX framework with file-based routing and signals",
   "type": "module",
   "author": "David L Dyess II",
@@ -13,6 +13,10 @@
     "url": "https://codeberg.org/davaux/davaux/issues"
   },
   "homepage": "https://codeberg.org/davaux/davaux#readme",
+  "files": [
+    "dist",
+    "src/env.d.ts"
+  ],
   "exports": {
     ".": {
       "import": "./dist/index.js",
@@ -100,4 +104,4 @@
     "tsx": "^4.19.2",
     "typescript": "^6.0.3"
   }
-}
+}

package/BASELINE.md

@@ -1,169 +0,0 @@
-# Davaux — Security Review
-
-Findings from a full audit of the framework and all `@davaux/*` packages. Grouped by severity. Each entry tracks the file, the issue, the fix, and current status.
-
----
-
-## High
-
-### H1 — Rate Limiter: Unconditional Trust of `X-Forwarded-For` ✅ fixed
-
-**File:** `packages/rate-limit/src/index.ts`
-
-The default key function reads `X-Forwarded-For` without any trust model. Any client can set this header to an arbitrary value — including `127.0.0.1` or a legitimate user's IP — bypassing rate limiting entirely.
-
-**Fix:** Default to `req.socket.remoteAddress`. Add a `trustProxy?: boolean | number` option that, when enabled, extracts the correct leftmost-untrusted IP from the `X-Forwarded-For` chain. Document that `trustProxy` should only be enabled when the app runs behind a trusted reverse proxy.
-
----
-
-### H2 — CSRF: `multipart/form-data` Token Not Read from Form Fields ✅ fixed
-
-**File:** `packages/csrf/src/index.ts`
-
-`resolveSubmitted()` only reads the CSRF token from `application/x-www-form-urlencoded` body fields. For `multipart/form-data` requests, it falls back to the `X-CSRF-Token` header only — which browsers cannot set on a standard form submit. A developer building a file-upload form who embeds the token as a hidden field will find it silently not enforced, and may remove the middleware believing it is broken.
-
-**Fix:** Add a `multipart/form-data` branch in `resolveSubmitted()` that calls `ctx.multipart()` and reads `fields[field]`.
-
----
-
-## Medium
-
-### M1 — Island Serialization: `<` and `>` Not Escaped in `data-props` ✅ fixed
-
-**File:** `packages/davaux/src/island.ts`
-
-```ts
-const serialized = JSON.stringify(props).replace(/'/g, '&#39;')
-return `<div data-island="${id}" data-props='${serialized}'>${rendered}</div>`
-```
-
-`JSON.stringify` does not escape `<`, `>`, or `&`. A prop value containing `</div>` produces unescaped angle brackets inside the HTML attribute. Single-quote breakout is prevented, but the unescaped characters break HTML parsers and become exploitable if the context ever changes (e.g., inside a `<script>` or `<template>` element).
-
-**Fix:** Use Unicode escapes to keep the JSON parseable while making it safe in any HTML context:
-
-```ts
-const serialized = JSON.stringify(props)
-  .replace(/&/g, '\\u0026')
-  .replace(/</g, '\\u003c')
-  .replace(/>/g, '\\u003e')
-  .replace(/'/g, '\\u0027')
-```
-
----
-
-### M2 — Swagger CDN Assets Served Without Subresource Integrity ✅ fixed
-
-**File:** `packages/swagger/src/index.ts`
-
-The Swagger UI CSS and JS bundle are loaded from `cdn.jsdelivr.net/npm/swagger-ui-dist@5` with no `integrity` or `crossorigin` attributes. A CDN compromise or supply-chain attack on the `swagger-ui-dist` package would serve malicious JavaScript to anyone visiting `/docs`. The `@5` semver range means any `5.x` release is automatically served.
-
-**Fix:** Pin to a specific version and add SRI `integrity` hashes. Regenerate hashes on upgrade.
-
----
-
-### M3 — Session: No Minimum Secret Length Enforcement ✅ fixed
-
-**File:** `packages/session/src/index.ts`
-
-Only empty strings are rejected. A single-character secret like `"x"` passes through silently. Short secrets dramatically reduce the brute-force search space for forging signed session cookies.
-
-**Fix:** Emit a `console.warn` when any secret is shorter than 32 characters. A throw is acceptable during development (`NODE_ENV !== 'production'`).
-
----
-
-### M4 — Static File Serving: No Explicit Path Traversal Guard in `runStart` and Dev Server ✅ fixed
-
-**Files:** `packages/davaux/src/cli.ts` (`runStart`), `packages/davaux/src/dev/watch.ts` (`serveStatic`)
-
-Both rely solely on `new URL(req.url, 'http://x').pathname` to normalize request paths before `join(dir, pathname)`. This is correct in current Node.js, but is a single point of failure — no belt-and-suspenders check exists. `runPreview` already has the correct explicit guard:
-
-```ts
-if (!safePath.startsWith(`${outDir}/`) && safePath !== outDir) {
-  res.writeHead(403, ...); return
-}
-```
-
-**Fix:** Apply the same `startsWith` guard to the public-directory handler in `runStart` and to `serveStatic` in `watch.ts`.
-
----
-
-## Low
-
-### L1 — Swagger: HTML `<title>` Inserted Without Escaping ✅ fixed
-
-**File:** `packages/swagger/src/index.ts`
-
-`options.info?.title` is inserted directly into `<title>${title}</title>` with no HTML escaping. If the title originates from a database or environment variable, a value like `</title><script>alert(1)</script>` produces reflected XSS on the `/docs` page.
-
-**Fix:** HTML-escape the title before insertion. `specPath` is already handled correctly via `JSON.stringify`.
-
----
-
-### L2 — `CookieJar`: `path` and `domain` Options Not Sanitized ✅ fixed
-
-**File:** `packages/davaux/src/types.ts`
-
-`name` and `value` are correctly URI-encoded, but `path` and `domain` are inserted into the `Set-Cookie` header without sanitization. Node.js rejects CRLF characters (blocking header splitting), but a semicolon in `path` or `domain` injects additional cookie attributes:
-
-```ts
-ctx.cookies.set('session', value, { path: '/; SameSite=None' })
-// → Set-Cookie: session=value; Path=/; SameSite=None
-```
-
-Values come from developer configuration rather than user input directly, but the API makes it easy to pass user-controlled values through accidentally.
-
-**Fix:** Strip semicolons, carriage returns, and newlines from `path` and `domain` before constructing the header value.
-
----
-
-## Informational
-
-### I1 — CORS: No Error on `credentials: true` + `origin: '*'` ✅ fixed
-
-**File:** `packages/cors/src/index.ts`
-
-Browsers reject credentialed responses with a wildcard origin by spec, so no credentials actually leak. However, the middleware silently accepts this misconfiguration rather than throwing, leading to hard-to-debug CORS failures.
-
-**Fix:** Throw at middleware creation time:
-```ts
-if (options.credentials && options.origin === '*') {
-  throw new Error('@davaux/cors: credentials:true requires a specific origin, not "*"')
-}
-```
-
----
-
-### I2 — Body Cache: First-Read `maxBytes` Applies to All Subsequent Reads ℹ️ by design
-
-**File:** `packages/davaux/src/types.ts`
-
-The body is read and cached on the first call to `ctx.form()`, `ctx.json()`, or `ctx.multipart()`. The `maxBytes` limit from the first call is the effective limit for all subsequent calls, regardless of what later callers specify. A middleware reading the body at the global default could allow more data than a per-route limit intended — or less.
-
-This is a documented tradeoff (the body stream can only be read once), not a bug. Worth noting in the API docs.
-
----
-
-### I3 — `redirect()`: No Guard Against Open Redirects ℹ️ doc needed
-
-**File:** `packages/davaux/src/types.ts`
-
-`redirect(url)` passes the URL directly to the `Location` header with no validation. If a developer passes unvalidated user input (e.g., `redirect(ctx.query.get('next'))`), this is an open redirect. The framework cannot prevent this without breaking legitimate uses.
-
-**Fix:** Add a JSDoc warning that user-supplied URLs must be validated before passing to `redirect()`.
-
----
-
-## What Was Reviewed and Found Correct
-
-- **JSX runtime `escapeHtml`** — escapes `&`, `<`, `>`, `"`, `'`. Applied to all string children and attribute values. `dangerouslySetInnerHTML` correctly bypasses escaping as intended.
-- **Session HMAC signing** — `createHmac('sha256')`, `timingSafeEqual` for verification, `base64url` encoding, `lastIndexOf('.')` split. Correct and complete.
-- **CSRF token generation** — `randomBytes(32).toString('hex')`, 256 bits of entropy.
-- **CSRF timing-safe comparison** — `timingSafeEqual` used after length check.
-- **Session cookie flags** — `httpOnly: true`, `sameSite: 'Lax'` by default.
-- **Path traversal in `runPreview`** — explicit `startsWith` guard present and correct.
-- **URL normalization** — `new URL(req.url, 'http://x').pathname` correctly resolves `..` sequences. `/%2e%2e/` is resolved before `join`.
-- **CORS origin reflection** — no unintended origin reflection when origin is not in allowlist.
-- **SSE injection** — `JSON.stringify` escapes newlines, preventing event injection via error payloads.
-- **Scanner dynamic imports** — no user input flows into import targets.
-- **Prototype pollution** — `Object.assign(ctx.params, result.params)` assigns string values only; `JSON.parse` does not pollute `Object.prototype` in this usage.
-- **Multipart parser** — boundary used as a literal buffer, not a regex. Body size limit enforced before parsing.