@blamejs/blamejs-shop 0.4.30 → 0.4.32

package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js

@@ -214,6 +214,11 @@ function create(config) {
   var timeoutMs = config.timeoutMs;
   var allowedProtocols = config.allowedProtocols || safeUrl.ALLOW_HTTP_TLS;
   var allowInternal = config.allowInternal != null ? config.allowInternal : null;
+  // Account placement — see azure-blob.js create(). Default host-based; opt
+  // into path-style (Azurite / Azure Stack / private) with config.pathStyle:
+  // true. Default false keeps the host-based wire shape unchanged.
+  var pathStyle = config.pathStyle === true;
+  var pathPrefix = pathStyle ? ("/" + config.accountName) : "";
 
   function _sign(method, url, headers) {
     return azureBlob.signRequest({
@@ -260,7 +265,7 @@ function create(config) {
   async function createContainer(name, opts) {
     _validateContainerName(name);
     opts = opts || {};
-    var url = _internalUrl(endpoint + "/" + name + "?restype=container", allowedProtocols);
+    var url = _internalUrl(endpoint + pathPrefix + "/" + name + "?restype=container", allowedProtocols);
     var headers = { "Content-Length": "0" };
     if (opts.publicAccess) {
       if (opts.publicAccess !== "blob" && opts.publicAccess !== "container") {
@@ -282,7 +287,7 @@ function create(config) {
 
   async function deleteContainer(name) {
     _validateContainerName(name);
-    var url = _internalUrl(endpoint + "/" + name + "?restype=container", allowedProtocols);
+    var url = _internalUrl(endpoint + pathPrefix + "/" + name + "?restype=container", allowedProtocols);
     var signed = _sign("DELETE", url, {});
     var res = await _request("DELETE", url, signed, null, [HTTP_ACCEPTED, HTTP_NOT_FOUND]);
     return res.statusCode === HTTP_ACCEPTED;
@@ -290,7 +295,7 @@ function create(config) {
 
   async function listContainers(opts) {
     opts = opts || {};
-    var url = _internalUrl(endpoint + "/?comp=list", allowedProtocols);
+    var url = _internalUrl(endpoint + pathPrefix + "/?comp=list", allowedProtocols);
     if (opts.prefix)  url.searchParams.set("prefix", opts.prefix);
     if (opts.maxResults != null) url.searchParams.set("maxresults", String(opts.maxResults));
     var signed = _sign("GET", url, {});
@@ -319,7 +324,7 @@ function create(config) {
     rules.forEach(_validateCorsRule);
     var xml = _buildCorsXml(rules);
     var bodyBuf = Buffer.from(xml, "utf8");
-    var url = _internalUrl(endpoint + "/?restype=service&comp=properties", allowedProtocols);
+    var url = _internalUrl(endpoint + pathPrefix + "/?restype=service&comp=properties", allowedProtocols);
     var headers = {
       "Content-Type":   "application/xml",
       "Content-Length": String(bodyBuf.length),

package/lib/vendor/blamejs/lib/object-store/azure-blob.js

@@ -15,6 +15,11 @@
  *     accountKey:   '<base64 storage key>'    // required (REST shared key)
  *     container:    'my-container'            // required
  *     endpoint:     'https://...'             // optional override
+ *     pathStyle:    true                       // optional; account as the first
+ *                                              // URL path segment (Azurite / Azure
+ *                                              // Stack / private endpoints).
+ *                                              // Default false = host-based
+ *                                              // (<account>.blob.core.windows.net).
  *     apiVersion:   '2024-08-04'              // x-ms-version header
  *     timeoutMs:    C.TIME.seconds(30)
  *   }
@@ -35,6 +40,7 @@ var { URL } = require("node:url");
 var { Readable } = require("node:stream");
 var safeXml = require("../parsers/safe-xml");
 var sharedRequest = require("./http-request");
+var sigv4 = require("./sigv4");
 var C = require("../constants");
 var requestHelpers = require("../request-helpers");
 var { ObjectStoreError } = require("../framework-error");
@@ -65,6 +71,26 @@ function _arrayify(value) {
   return Array.isArray(value) ? value : [value];
 }
 
+// Percent-encode a hierarchical blob name for use in a URL path. Azure
+// blob names are `/`-delimited virtual directories, so each segment is
+// RFC 3986 percent-encoded (via the family-shared encoder used by the
+// S3 / GCS backends) while the `/` separators are preserved. Without
+// this, a key containing `?`, `#`, a space, or other reserved chars is
+// interpolated raw into the request URL — `?`/`#` start the query /
+// fragment (so the blob path is truncated, hitting the wrong object or
+// the container root), and spaces / control bytes corrupt the request
+// line (CWE-20 improper input → request-smuggling-adjacent). A null
+// byte is refused outright (it can't appear in a valid blob name and
+// indicates a malformed / hostile key), matching the S3 / GCS guards.
+function _encodeBlobKey(key) {
+  if (key.indexOf("\0") !== -1) {
+    throw _err("INVALID_KEY", "null byte in blob key", true);
+  }
+  return key.split("/").map(function (s) {
+    return sigv4.awsUriEncode(s, true);
+  }).join("/");
+}
+
 var DEFAULT_API_VERSION = "2024-08-04";
 
 // Service SAS expiry bounds. Azure doesn't enforce a hard max, but
@@ -120,6 +146,17 @@ function buildStringToSign(opts) {
   var canonicalResource = (function () {
     // /<account>/<rest of path>
     // Plus sorted query params, each "name:value\n"
+    // Canonicalized resource per the Shared Key spec: "/" + account + the
+    // request's absolute path + sorted query. Host-based endpoints
+    // (production <account>.blob.core.windows.net) have url.pathname
+    // "/<container>/<blob>", giving "/<account>/<container>/<blob>".
+    // Path-style endpoints (Azurite / Azure Stack / private) already carry
+    // "/<account>" as the first path segment, so the account appears twice
+    // ("/<account>/<account>/<container>/<blob>") — which is exactly what a
+    // path-style server expects: it prepends the account to the full request
+    // path it received. Verified against Azurite — the doubled form is the
+    // one that authenticates; the URL itself must carry the account in its
+    // path (see pathPrefix in create()).
     var resourcePath = "/" + opts.accountName + url.pathname;
     var paramPairs = [];
     url.searchParams.forEach(function (v, k) {
@@ -204,11 +241,24 @@ function create(config) {
   var allowedProtocols = config.allowedProtocols || safeUrl.ALLOW_HTTP_TLS;
   var allowInternal    = config.allowInternal != null ? config.allowInternal : null;
   safeUrl.parse(endpoint, { allowedProtocols: allowedProtocols, errorClass: ObjectStoreError });
+  // Account placement. Default host-based — production Azure is
+  // https://<account>.blob.core.windows.net/<container>/<blob> (account in the
+  // host). Path-style endpoints (Azurite / Azure Stack / private) carry the
+  // account as the first PATH segment instead —
+  // https://<host>/<account>/<container>/<blob> — opt in with
+  // config.pathStyle:true. Default false keeps the host-based wire shape
+  // unchanged for existing deployments (no silent breaking change). The signed
+  // canonicalized resource is always "/" + account + url.pathname, so for a
+  // path-style URL the account appears twice — which is exactly what a
+  // path-style server expects (see buildStringToSign).
+  var pathStyle = config.pathStyle === true;
+  var pathPrefix = pathStyle ? ("/" + config.accountName) : "";
   var reqOpts = { timeoutMs: timeoutMs, allowedProtocols: allowedProtocols };
   if (allowInternal !== null) reqOpts.allowInternal = allowInternal;
 
   function _blobUrl(key, params) {
-    var u = _internalUrl(endpoint + "/" + config.container + "/" + key, allowedProtocols);
+    var u = _internalUrl(endpoint + pathPrefix + "/" + config.container + "/" + _encodeBlobKey(key),
+                         allowedProtocols);
     if (params) {
       Object.keys(params).forEach(function (k) { u.searchParams.set(k, params[k]); });
     }
@@ -216,7 +266,7 @@ function create(config) {
   }
 
   function _containerUrl(params) {
-    var u = _internalUrl(endpoint + "/" + config.container, allowedProtocols);
+    var u = _internalUrl(endpoint + pathPrefix + "/" + config.container, allowedProtocols);
     if (params) {
       Object.keys(params).forEach(function (k) { u.searchParams.set(k, params[k]); });
     }
@@ -425,8 +475,12 @@ function create(config) {
       throw _err("INVALID_KEY", "null byte in key", true);
     }
 
+    // _buildSasToken signs the canonicalized resource with the RAW
+    // (decoded) blob name per the Azure SAS spec; the URL PATH carries the
+    // percent-encoded key so a key with reserved chars (`?` / `#` / space)
+    // doesn't truncate the path or corrupt the request line.
     var token = _buildSasToken(permissions, opts);
-    var url = _internalUrl(endpoint + "/" + config.container + "/" + opts.key + "?" + token.sas, allowedProtocols);
+    var url = _internalUrl(endpoint + pathPrefix + "/" + config.container + "/" + _encodeBlobKey(opts.key) + "?" + token.sas, allowedProtocols);
 
     var clientHeaders = {};
     if (opts.contentType) clientHeaders["Content-Type"] = opts.contentType;

package/lib/vendor/blamejs/lib/object-store/gcs.js

@@ -364,7 +364,10 @@ function create(config) {
     // Build the canonical request — identical shape to SigV4. The
     // sigv4 export gives us the formatter so this stays in lockstep
     // with the AWS implementation.
-    var canon = sigv4.canonicalRequest(method, url, headers, "UNSIGNED-PAYLOAD");
+    // GCS's V4 signature, like S3, URI-encodes the canonical path ONCE; the key
+    // is already single-encoded into url.pathname above, so pass doubleEncodePath
+    // = false (a second encode would 403 any key with a space/+/&/unicode).
+    var canon = sigv4.canonicalRequest(method, url, headers, "UNSIGNED-PAYLOAD", false);
     var stringToSign = [
       GCS_V4_ALGORITHM,
       amzDate,

package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js

@@ -514,8 +514,11 @@ function create(config) {
   function _objectUrl(name, key, query) {
     // Each key segment is encoded individually so that legitimate "/"
     // separators in the key are preserved (S3 treats keys with slashes
-    // as flat names, not directories).
-    var encKey = key.split("/").map(encodeURIComponent).join("/");
+    // as flat names, not directories). Use sigv4.awsUriEncode (not
+    // encodeURIComponent, which leaves !*'() unescaped) so the wire path
+    // matches the bytes S3 canonicalizes the signature over — same encoder
+    // _keyToUrl uses for the put/get path.
+    var encKey = key.split("/").map(function (s) { return sigv4.awsUriEncode(s, true); }).join("/");
     var uo = _internalUrl(endpoint, allowedProtocols);
     if (pathStyle) {
       uo.pathname = "/" + name + "/" + encKey;

package/lib/vendor/blamejs/lib/object-store/sigv4.js

@@ -86,9 +86,16 @@ function hmacSha256(key, data) {
 // AWS-style URI encoding: same as RFC 3986 except path '/' may be preserved.
 function awsUriEncode(str, encodeSlash) {
   var out = "";
-  for (var i = 0; i < str.length; i++) {
-    var c = str.charCodeAt(i);
-    var ch = str.charAt(i);
+  // Iterate by Unicode code point, not UTF-16 code unit. Array.from() keeps a
+  // non-BMP character's surrogate pair together (one element), so a key like
+  // "photo-<U+1F600>.jpg" encodes as a single UTF-8 sequence. Iterating by
+  // index would hand encodeURIComponent a lone surrogate, which throws
+  // "URIError: URI malformed". Output is byte-for-byte identical for the
+  // BMP/ASCII keys that are the overwhelming common case.
+  var cps = Array.from(str);
+  for (var i = 0; i < cps.length; i++) {
+    var ch = cps[i];
+    var c = ch.codePointAt(0);
     if ((c >= 0x41 && c <= 0x5A) || (c >= 0x61 && c <= 0x7A) ||
         (c >= 0x30 && c <= 0x39) ||
         ch === "-" || ch === "_" || ch === "." || ch === "~") {
@@ -137,13 +144,24 @@ function canonicalHeaders(headers) {
   return { canonical: canon, signed: signed.join(";") };
 }
 
-function canonicalRequest(method, urlObj, headers, payloadHash) {
+// AWS SigV4 canonical URI. Per the SigV4 spec, S3 (and S3-compatible stores +
+// GCS's V4) URI-encode the path EXACTLY ONCE; every other AWS service (sqs,
+// logs, sns, ...) encodes it TWICE. Callers build urlObj through the WHATWG URL
+// parser, so urlObj.pathname is ALREADY the single-encoded wire form (a key
+// "a b.txt" is "/a%20b.txt") and the request sends that pathname verbatim. So
+// for S3/GCS the canonical path MUST equal the pathname as-is: a second
+// awsUriEncode would sign "/a%2520b.txt", a path the wire never carries, giving
+// SignatureDoesNotMatch (403) for any key with a space/+/&/unicode. For the
+// double-encode services the second pass is the spec requirement. signRequest
+// derives doubleEncodePath from the service; GCS's V4 signer passes false.
+function canonicalRequest(method, urlObj, headers, payloadHash, doubleEncodePath) {
   var canonHeaders = canonicalHeaders(headers);
   var path = urlObj.pathname;
   if (!path) path = "/";
+  var canonicalPath = doubleEncodePath ? awsUriEncode(path, false) : path;
   return [
     method.toUpperCase(),
-    awsUriEncode(path, false),
+    canonicalPath,
     canonicalQueryString(urlObj.searchParams),
     canonHeaders.canonical,
     canonHeaders.signed,
@@ -204,7 +222,11 @@ function signRequest(opts) {
     headers["x-amz-security-token"] = opts.sessionToken;
   }
 
-  var canon = canonicalRequest(opts.method, url, headers, opts.payloadHash);
+  // S3 single-encodes the canonical path; every other AWS service double-encodes
+  // it (see canonicalRequest). The path itself is "/" for the non-S3 callers
+  // (cloudwatch/sqs put params in the query or body), so this only changes the
+  // wire result for S3, where it fixes the long-standing double-encode 403.
+  var canon = canonicalRequest(opts.method, url, headers, opts.payloadHash, service !== "s3");
   var credentialScope = dateStamp + "/" + opts.region + "/" + service + "/aws4_request";
   var sts = stringToSign(amzDate, credentialScope, canon);
   var signingKey = deriveSigningKey(opts.secretAccessKey, dateStamp, opts.region, service);
@@ -661,6 +683,16 @@ function create(config) {
         etag:         res.headers.etag,
         lastModified: res.headers["last-modified"] ? Date.parse(res.headers["last-modified"]) : null,
       };
+    }, function (e) {
+      // A missing key surfaces as the framework NOT_FOUND code — the same
+      // contract local.js head() exposes and that deleteKey already maps 404
+      // to — so existence probes via head() (e.g. the backup objectStore
+      // adapter's hasKey / statKey) get the uniform missing-key signal instead
+      // of a raw HTTP 404 they don't recognize.
+      if (e && e.statusCode === 404) {
+        throw _err("NOT_FOUND", "key not found: " + key, true);
+      }
+      throw e;
     });
   }
 

package/lib/vendor/blamejs/lib/observability-otlp-exporter.js

@@ -98,6 +98,11 @@ var KIND_TO_OTLP = Object.freeze({
 function _attrToOtlp(attrs) {
   // OTLP attribute shape: [{ key, value: { stringValue | intValue |
   // doubleValue | boolValue | arrayValue: { values: [...] } } }, ...]
+  // Telemetry is a first-class EGRESS sink — scrub every value through the
+  // active redactor BEFORE serialization so a secret/PII attribute never
+  // reaches the collector (CWE-532). Redaction is baked into the encoder, not
+  // the call site, so no span/event/resource path can forget it.
+  attrs = observability().redactAttrs(attrs);
   var out = [];
   if (!attrs || typeof attrs !== "object") return out;
   var keys = Object.keys(attrs);
@@ -316,7 +321,10 @@ function _keyValueToProto(kvObj) {
 function _attrsToProto(attrs) {
   // attrs is the raw `{ key: value }` operator attribute object; OTLP
   // KeyValue gets emitted per entry with field 9 (attributes) on Span,
-  // field 1 (attributes) on Resource, etc.
+  // field 1 (attributes) on Resource, etc. Scrub every value through the
+  // active redactor BEFORE building the wire intermediate — the protobuf path
+  // is the same EGRESS sink as the JSON path and must not leak (CWE-532).
+  attrs = observability().redactAttrs(attrs);
   if (!attrs || typeof attrs !== "object") return [];
   var keys = Object.keys(attrs);
   var out = new Array(keys.length);

package/lib/vendor/blamejs/lib/observability.js

@@ -55,6 +55,14 @@ var safeBuffer = lazyRequire(function () { return require("./safe-buffer"); });
 var tracing = lazyRequire(function () { return require("./tracing"); });
 var metrics = lazyRequire(function () { return require("./metrics"); });
 
+// redact is the framework's central PII/secret scrubber. Lazy-loaded so
+// the require graph stays acyclic at boot (redact lazy-pulls audit, which
+// pulls observability back). Composed by the default telemetry redactor
+// below so span/metric attribute VALUES are scrubbed before the OTLP
+// exporter serializes them — CWE-532 (insertion of sensitive information
+// into a telemetry/log egress sink).
+var redact = lazyRequire(function () { return require("./redact"); });
+
 // Operator-installed tap handler — wired via setTap(). When non-null,
 // every observability event/tap dispatch routes here in addition to
 // the framework's metrics module. Used by b.otelExport.create() so an
@@ -62,6 +70,26 @@ var metrics = lazyRequire(function () { return require("./metrics"); });
 // emits internally.
 var _externalTap = null;
 
+// Telemetry-attribute redactor seam. Span / metric attribute VALUES are
+// a first-class egress surface: a span attribute holding a user email,
+// bearer token, or vault-sealed ciphertext is shipped verbatim to the
+// OTLP collector unless it is scrubbed at the assembly boundary, the same
+// way log-stream redacts every record before any sink sees it. Defaults
+// ON — the default redactor composes b.redact.redact, passing the
+// attribute key as the parent-key context so both field-name rules
+// (authorization / token / session / password) and value-shape detectors
+// (JWT / PEM / credit-card / SSN / connection-string) fire. CWE-532.
+//
+// The redactor is (value, key) → redactedValue. The exporter calls it for
+// every attribute value; a thrown redactor drops the attribute rather
+// than leaking it (the exporter enforces fail-toward-dropping), so a
+// misbehaving custom redactor can never widen the egress surface.
+function _defaultTelemetryRedactor(value, key) {
+  return redact().redact(value, { parentKey: typeof key === "string" ? key : null });
+}
+
+var _telemetryRedactor = _defaultTelemetryRedactor;
+
 function _safeMetricsTap(name, value, labels) {
   try { metrics().tap(name, value, labels); }
   catch (_e) { /* boot-order tolerance — metrics may not be loaded */ }
@@ -106,6 +134,99 @@ function setTap(handler) {
   _externalTap = handler;
 }
 
+/**
+ * @primitive b.observability.setRedactor
+ * @signature b.observability.setRedactor(redactor)
+ * @since     0.14.27
+ * @related   b.observability.getRedactor, b.redact.redact
+ *
+ * Override the redactor applied to every span / metric attribute VALUE
+ * before the OTLP exporter serializes it onto the wire. Telemetry is a
+ * first-class egress sink: an attribute holding a user email, bearer
+ * token, or secret would otherwise reach the collector in plaintext
+ * (CWE-532). Redaction is ON by default — the default redactor composes
+ * `b.redact.redact` and fires both field-name and value-shape rules; this
+ * setter only lets an operator swap in a stricter or domain-specific
+ * scrubber.
+ *
+ * The redactor is `redactor(value, key)` and returns the value to export.
+ * It runs on the export hot path, so a throw is caught and the attribute
+ * is dropped (never exported raw) — a redactor that throws can only
+ * shrink the egress surface, never widen it. Pass `null` to restore the
+ * default `b.redact.redact`-backed redactor.
+ *
+ * @example
+ *   b.observability.setRedactor(function (value, key) {
+ *     if (key === "enduser.id") return "[REDACTED]";
+ *     return b.redact.redact(value, { parentKey: key });
+ *   });
+ *   b.observability.setRedactor(null);   // restore the default
+ */
+function setRedactor(redactor) {
+  if (redactor !== null && typeof redactor !== "function") {
+    throw new TypeError("observability.setRedactor: redactor must be a function or null, got " +
+      typeof redactor);
+  }
+  _telemetryRedactor = redactor === null ? _defaultTelemetryRedactor : redactor;
+}
+
+/**
+ * @primitive b.observability.getRedactor
+ * @signature b.observability.getRedactor()
+ * @since     0.14.27
+ * @related   b.observability.setRedactor, b.redact.redact
+ *
+ * Return the redactor currently applied to span / metric attribute
+ * values on the OTLP egress path. The OTLP exporter calls this to scrub
+ * every attribute value before serialization; operators rarely need it
+ * directly. When no override has been installed it returns the default
+ * `b.redact.redact`-backed redactor.
+ *
+ * @example
+ *   var redactor = b.observability.getRedactor();
+ *   redactor("Bearer eyJabc.eyJdef.sig", "authorization");
+ *   // → "[REDACTED]"   (field-name rule on the "authorization" key)
+ */
+function getRedactor() {
+  return _telemetryRedactor;
+}
+
+/**
+ * @primitive b.observability.redactAttrs
+ * @signature b.observability.redactAttrs(attrs)
+ * @since     0.15.4
+ * @related   b.observability.getRedactor, b.observability.setRedactor
+ *
+ * Run every value of a telemetry attribute map through the active redactor and
+ * return a NEW `{ key: redactedValue }` object. The OTLP exporters call this on
+ * span, span-event, metric, and resource attributes before serialization so no
+ * attribute value crosses the egress boundary unscrubbed (CWE-532: insertion of
+ * sensitive information into an externally-shipped sink). A key whose redactor
+ * throws is DROPPED — failing toward dropping, never exporting the raw value;
+ * `null` / `undefined` values pass through for the type-encoder to handle.
+ *
+ * @example
+ *   b.observability.redactAttrs({ "http.method": "GET", authorization: "Bearer x" });
+ *   // → { "http.method": "GET", authorization: "[REDACTED]" }
+ */
+function redactAttrs(attrs) {
+  var out = {};
+  if (!attrs || typeof attrs !== "object") return out;
+  var redactor = getRedactor();
+  var keys = Object.keys(attrs);
+  for (var i = 0; i < keys.length; i++) {
+    var k = keys[i];
+    try {
+      out[k] = redactor(attrs[k], k);
+    } catch (_e) {
+      // redactor threw on the export hot path — drop the attribute rather than
+      // fall through to the raw value. A throwing redactor must never widen the
+      // egress surface, and must never crash the request that produced the span.
+    }
+  }
+  return out;
+}
+
 /**
  * @primitive b.observability.tap
  * @signature b.observability.tap(name, attrs, fn)
@@ -750,6 +871,9 @@ module.exports = {
   safeEvent:     safeEvent,
   timed:         timed,
   setTap:        setTap,
+  setRedactor:   setRedactor,
+  getRedactor:   getRedactor,
+  redactAttrs:   redactAttrs,
   SEMCONV:       SEMCONV,
   traceContext:  traceContext,
   baggage:       baggage,

package/lib/vendor/blamejs/lib/otel-export.js

@@ -42,6 +42,7 @@
 var C = require("./constants");
 var canonicalJson = require("./canonical-json");
 var httpClient = require("./http-client");
+var observability = require("./observability");
 var safeAsync = require("./safe-async");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
@@ -67,11 +68,19 @@ var TEMPORALITY_DELTA = 1;
 // ---- attribute encoding ----
 // OTLP attributes are KeyValue with typed `value` fields:
 //   { key, value: { stringValue | intValue | doubleValue | boolValue } }
+// Telemetry is a first-class EGRESS sink — an attribute value holding a user
+// email, bearer token, or vault-sealed ciphertext would otherwise be serialized
+// verbatim onto the OTLP wire (CWE-532). observability.redactAttrs scrubs every
+// value through the active redactor (operator overrides via setRedactor take
+// effect without re-creating the exporter) and drops any key whose redactor
+// throws — failing toward dropping, never leaking, on the export hot path.
 function _attrsToOtlp(attrs) {
-  if (!attrs || typeof attrs !== "object") return [];
+  attrs = observability.redactAttrs(attrs);
   var out = [];
-  for (var k in attrs) {
-    if (!Object.prototype.hasOwnProperty.call(attrs, k)) continue;
+  if (!attrs || typeof attrs !== "object") return out;
+  var keys = Object.keys(attrs);
+  for (var i = 0; i < keys.length; i++) {
+    var k = keys[i];
     var v = attrs[k];
     var kv;
     if (typeof v === "string")  kv = { stringValue: v };