@barrysolomon/mobile-react-native 0.1.1-alpha → 0.2.0-alpha

package/src/instrumentation/unhandledRejection.ts

@@ -7,8 +7,11 @@
  */
 
 import { Dash0Mobile } from '../index';
+import { sanitizeMessage, sanitizeStacktrace } from '../redact';
 
 const DEDUPE_WINDOW_MS = 5 * 60 * 1000;
+/** Cap on the dedupe map so a high-cardinality rejection storm can't leak memory. */
+const DEDUPE_MAX_ENTRIES = 256;
 const SEVERITY_ERROR = 17 as const;
 
 type RejectionEvent = { reason: unknown };
@@ -41,15 +44,21 @@ export function installUnhandledRejectionInstrumentation(): () => void {
     const now = Date.now();
     const lastAt = recentlySeen.get(key);
     if (lastAt !== undefined && now - lastAt < DEDUPE_WINDOW_MS) return;
+    // LRU-style insert + cap so a rejection storm can't grow the map forever.
+    recentlySeen.delete(key);
     recentlySeen.set(key, now);
+    if (recentlySeen.size > DEDUPE_MAX_ENTRIES) {
+      const oldest = recentlySeen.keys().next().value;
+      if (oldest !== undefined) recentlySeen.delete(oldest);
+    }
 
     if (reason instanceof Error) {
       Dash0Mobile.log(
         'app.error',
         {
           'exception.type': reason.name ?? 'Error',
-          'exception.message': reason.message ?? String(reason),
-          'exception.stacktrace': reason.stack ?? '',
+          'exception.message': sanitizeMessage(reason.message ?? String(reason)),
+          'exception.stacktrace': sanitizeStacktrace(reason.stack ?? ''),
           'exception.escaped': true,
         },
         SEVERITY_ERROR,
@@ -59,7 +68,7 @@ export function installUnhandledRejectionInstrumentation(): () => void {
         'app.error',
         {
           'exception.type': 'UnhandledRejection',
-          'exception.message': String(reason),
+          'exception.message': sanitizeMessage(String(reason)),
           'exception.escaped': true,
         },
         SEVERITY_ERROR,

package/src/instrumentation/xhr.ts

@@ -10,6 +10,7 @@
 
 import { Dash0Mobile } from '../index';
 import type { SpanHandle } from '../index';
+import { sanitizeUrl } from '../redact';
 
 export interface XhrInstrumentationConfig {
   ignoredHosts?: readonly string[];
@@ -52,8 +53,12 @@ export function installXhrInstrumentation(
         url: string | URL,
         ...rest: unknown[]
       ) {
-        instance.__dash0_method = method.toUpperCase();
-        instance.__dash0_url = typeof url === 'string' ? url : url.toString();
+        try {
+          instance.__dash0_method = method.toUpperCase();
+          instance.__dash0_url = typeof url === 'string' ? url : url.toString();
+        } catch {
+          // Capturing request metadata must never block the real open().
+        }
         // @ts-expect-error — forwarding variadic
         return originalOpen(method, url, ...rest);
       };
@@ -62,47 +67,58 @@ export function installXhrInstrumentation(
       (instance as unknown as { send: XMLHttpRequest['send'] }).send = function send(
         body?: Document | XMLHttpRequestBodyInit | null,
       ) {
-        const url = instance.__dash0_url ?? '';
-        const host = hostFromUrl(url);
-        if (!host || !ignored.has(host)) {
-          const method = instance.__dash0_method ?? 'GET';
-          instance.__dash0_span = Dash0Mobile.startSpan(
-            `${method} ${host ?? 'unknown'}`,
-            {
-              'http.request.method': method,
-              'url.full': url,
-              ...(host ? { 'server.address': host } : {}),
-            },
-            'CLIENT',
-          );
-
-          const onError = () => {
-            instance.__dash0_failed = true;
-          };
-          const onLoadEnd = () => {
-            const span = instance.__dash0_span;
-            if (!span) return;
-            if (instance.__dash0_failed) {
-              span.setStatus('ERROR', 'network error');
-            } else {
-              const status = instance.status;
-              if (typeof status === 'number' && status > 0) {
-                span.setAttribute('http.response.status_code', status);
-                if (status >= 400) {
-                  span.setStatus('ERROR', `HTTP ${status}`);
+        // ALL telemetry setup is best-effort: a throw here must never stop
+        // the host's real request from going out.
+        try {
+          const url = instance.__dash0_url ?? '';
+          const host = hostFromUrl(url);
+          if (!host || !ignored.has(host)) {
+            const method = instance.__dash0_method ?? 'GET';
+            instance.__dash0_span = Dash0Mobile.startSpan(
+              `${method} ${host ?? 'unknown'}`,
+              {
+                'http.request.method': method,
+                'url.full': sanitizeUrl(url),
+                ...(host ? { 'server.address': host } : {}),
+              },
+              'CLIENT',
+            );
+
+            const onError = () => {
+              instance.__dash0_failed = true;
+            };
+            const onLoadEnd = () => {
+              try {
+                const span = instance.__dash0_span;
+                if (!span) return;
+                if (instance.__dash0_failed) {
+                  span.setStatus('ERROR', 'network error');
                 } else {
-                  span.setStatus('OK');
+                  const status = instance.status;
+                  if (typeof status === 'number' && status > 0) {
+                    span.setAttribute('http.response.status_code', status);
+                    if (status >= 400) {
+                      span.setStatus('ERROR', `HTTP ${status}`);
+                    } else {
+                      span.setStatus('OK');
+                    }
+                  } else {
+                    span.setStatus('OK');
+                  }
                 }
-              } else {
-                span.setStatus('OK');
+                span.end();
+                instance.__dash0_span = undefined;
+              } catch {
+                // Telemetry finalization failure must not surface to the host.
               }
-            }
-            span.end();
-            instance.__dash0_span = undefined;
-          };
-
-          instance.addEventListener('error', onError);
-          instance.addEventListener('loadend', onLoadEnd);
+            };
+
+            instance.addEventListener('error', onError);
+            instance.addEventListener('loadend', onLoadEnd);
+          }
+        } catch (telemetryErr) {
+          // eslint-disable-next-line no-console
+          console.warn?.('[@dash0/mobile] xhr instrumentation setup failed', telemetryErr);
         }
         return originalSend(body);
       };
@@ -111,6 +127,13 @@ export function installXhrInstrumentation(
     },
   });
 
+  // Double-install guard: Fast Refresh / repeated start() would otherwise
+  // stack Proxy wrappers and leak the original constructor.
+  if ((OriginalXHR as { __dash0_installed?: boolean }).__dash0_installed) {
+    return () => {};
+  }
+  (OriginalXHR as { __dash0_installed?: boolean }).__dash0_installed = true;
+
   (globalThis as unknown as { XMLHttpRequest: XhrCtor }).XMLHttpRequest =
     wrapped as XhrCtor;
 
@@ -121,5 +144,7 @@ export function installXhrInstrumentation(
       (globalThis as unknown as { XMLHttpRequest?: XhrCtor }).XMLHttpRequest =
         OriginalXHR;
     }
+    // Clear the guard so a later install() can re-instrument.
+    delete (OriginalXHR as { __dash0_installed?: boolean }).__dash0_installed;
   };
 }

package/src/redact.ts

@@ -0,0 +1,71 @@
+/**
+ * Shared redaction + truncation helpers.
+ *
+ * Telemetry attributes can carry secrets (query-string tokens, bearer
+ * headers echoed into error messages) and unbounded payloads (multi-MB
+ * stack traces). These helpers strip the obvious leaks and cap sizes so a
+ * single pathological event can't exfiltrate credentials or blow the
+ * bridge/export budget.
+ */
+
+/** Max length for a sanitized URL (origin + path). */
+const MAX_URL_LEN = 2048;
+/** Max length for an exception message. */
+export const MAX_MESSAGE_LEN = 1024; // 1KB
+/** Max length for an exception stacktrace. */
+export const MAX_STACKTRACE_LEN = 8192; // 8KB
+
+function truncate(value: string, max: number): string {
+  if (value.length <= max) return value;
+  return `${value.slice(0, max)}…[truncated]`;
+}
+
+/**
+ * Strip query string + fragment from a URL (they routinely carry
+ * `?token=`, `?sig=`, session ids), keeping origin + path, and cap length.
+ * Best-effort: if the input isn't a parseable URL we fall back to a manual
+ * `?`/`#` split so we never leak a query string just because parsing failed.
+ */
+export function sanitizeUrl(url: string): string {
+  if (typeof url !== 'string' || url.length === 0) return '';
+  let cleaned = url;
+  const queryIdx = cleaned.search(/[?#]/);
+  if (queryIdx >= 0) {
+    cleaned = cleaned.slice(0, queryIdx);
+  }
+  return truncate(cleaned, MAX_URL_LEN);
+}
+
+// Obvious secret patterns. Intentionally conservative — false positives are
+// cheaper than leaked credentials, but we don't try to be a full DLP engine.
+const SECRET_PATTERNS: ReadonlyArray<readonly [RegExp, string]> = [
+  // token=... / access_token=... in query-string or body form
+  [/([?&#]|\b)((?:access_|refresh_|id_)?token|api[_-]?key|secret|password|pwd|sig|signature)=[^&\s"']+/gi, '$1$2=[REDACTED]'],
+  // Authorization: Bearer <jwt-ish>
+  [/\bbearer\s+[A-Za-z0-9._\-+/]+=*/gi, 'bearer [REDACTED]'],
+  // long base64-ish runs (≥32 chars) that look like raw credentials
+  [/\b[A-Za-z0-9_\-+/]{32,}={0,2}\b/g, '[REDACTED]'],
+];
+
+/**
+ * Run a light secret scrubber over free-text telemetry (error messages,
+ * stack traces) and cap its length.
+ */
+export function scrubText(value: string, max: number): string {
+  if (typeof value !== 'string' || value.length === 0) return value ?? '';
+  let scrubbed = value;
+  for (const [pattern, replacement] of SECRET_PATTERNS) {
+    scrubbed = scrubbed.replace(pattern, replacement);
+  }
+  return truncate(scrubbed, max);
+}
+
+/** Scrub + cap an exception message (≤1KB). */
+export function sanitizeMessage(message: string): string {
+  return scrubText(message, MAX_MESSAGE_LEN);
+}
+
+/** Scrub + cap an exception stacktrace (≤8KB). */
+export function sanitizeStacktrace(stack: string): string {
+  return scrubText(stack, MAX_STACKTRACE_LEN);
+}