npm - @contrast/agent-bundle - Versions diffs - 5.40.0 → 5.41.0 - Mend

@contrast/agent-bundle 5.40.0 → 5.41.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

package/node_modules/@contrast/reporter/lib/reporters/contrast-ui/endpoints/application-activity/translations.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
-import { ProtectMessage } from '@contrast/common';
+import { RequestStore } from '@contrast/common';
 import { AttackModel } from '../../types';
-export declare function handleProtectMessage(protectMsg: ProtectMessage): {
+export declare function handleProtectMessage(store: RequestStore): {
     userAgent: string | null;
     attackModel: AttackModel | null;
-};
+} | null;
 //# sourceMappingURL=translations.d.ts.map

package/node_modules/@contrast/reporter/lib/reporters/contrast-ui/endpoints/application-activity/translations.js CHANGED Viewed

@@ -166,8 +166,8 @@ const xxeSemanticAnalysisDetailsBuilder = (el) => {
     }, exploitMetadata);
     return exploitMetadata;
 };
-const buildRequestObject = (reqData) => {
-    const searchParams = new URLSearchParams(reqData.queries);
+const buildRequestObject = (sourceInfo) => {
+    const searchParams = new URLSearchParams(sourceInfo.queries);
     const parameters = {};
     for (const [key, value] of searchParams) {
         if (parameters[key]) {
@@ -178,14 +178,14 @@ const buildRequestObject = (reqData) => {
         }
     }
     const headers = {};
-    for (let i = 0; i < reqData.headers.length; i += 2) {
-        headers[reqData.headers[i]] = StringPrototypeSplit.call(reqData.headers[i + 1], /[,;]+/);
+    for (let i = 0; i < sourceInfo.rawHeaders.length; i += 2) {
+        headers[sourceInfo.rawHeaders[i]] = StringPrototypeSplit.call(sourceInfo.rawHeaders[i + 1], /[,;]+/);
     }
     return {
-        version: reqData.httpVersion,
-        method: reqData.method,
-        uri: reqData.uriPath,
-        queryString: reqData.queries,
+        version: sourceInfo.httpVersion,
+        method: sourceInfo.method,
+        uri: sourceInfo.uriPath,
+        queryString: sourceInfo.queries,
         parameters,
         headers,
     };
@@ -247,26 +247,27 @@ const buildProtectionRules = (results, requestPayload, time, isBlockMode, detail
         return;
     return accumulator;
 };
-const buildDefendPayload = (protect) => {
-    const requestPayload = buildRequestObject(protect.reqData);
+const buildDefendPayload = (store) => {
+    const { sourceInfo, protect } = store;
+    const requestPayload = buildRequestObject(store.sourceInfo);
     const time = Date.now();
     let hasAttack = false;
     const defendObject = {
-        source: { ip: protect.reqData.ip },
+        source: { ip: store.sourceInfo.ip },
         protectionRules: {},
     };
-    const sqlInjection = protect.resultsMap[common_1.Rule.SQL_INJECTION];
+    const sqlInjection = store.protect.resultsMap[common_1.Rule.SQL_INJECTION];
     if (sqlInjection) {
-        const isBlockMode = protect.policy[common_1.Rule.SQL_INJECTION] === 'block';
+        const isBlockMode = store.protect.policy[common_1.Rule.SQL_INJECTION] === 'block';
         const protectionRules = buildProtectionRules(sqlInjection, requestPayload, time, isBlockMode, sqlInjectionDetailsBuilder);
         if (protectionRules) {
             defendObject.protectionRules[common_1.Rule.SQL_INJECTION] = protectionRules;
             hasAttack = true;
         }
     }
-    const cmdInjection = protect.resultsMap[common_1.Rule.CMD_INJECTION];
+    const cmdInjection = store.protect.resultsMap[common_1.Rule.CMD_INJECTION];
     if (cmdInjection) {
-        const isBlockMode = protect.policy[common_1.Rule.CMD_INJECTION] === 'block';
+        const isBlockMode = store.protect.policy[common_1.Rule.CMD_INJECTION] === 'block';
         const protectionRules = buildProtectionRules(cmdInjection, requestPayload, time, isBlockMode, cmdInjectionDetailsBuilder);
         if (protectionRules) {
             defendObject.protectionRules[common_1.Rule.CMD_INJECTION] = protectionRules;
@@ -442,10 +443,10 @@ const buildDefendPayload = (protect) => {
     }
     const botBlocker = protect.resultsMap[common_1.Rule.BOT_BLOCKER];
     if (botBlocker) {
-        const uaIdx = protect.reqData.headers.indexOf('user-agent');
+        const uaIdx = sourceInfo.rawHeaders.indexOf('user-agent');
         const protectionRules = buildProtectionRules(botBlocker, requestPayload, time, true, (result) => ({
             bot: result?.idsList?.[0],
-            userAgent: protect.reqData.headers[uaIdx + 1],
+            userAgent: sourceInfo.rawHeaders[uaIdx + 1],
         }));
         if (protectionRules) {
             defendObject.protectionRules[common_1.Rule.BOT_BLOCKER] = protectionRules;
@@ -454,16 +455,18 @@ const buildDefendPayload = (protect) => {
     }
     return hasAttack ? defendObject : null;
 };
-function handleProtectMessage(protectMsg) {
+function handleProtectMessage(store) {
+    if (!store.sourceInfo || !store.protect)
+        return null;
     const attackers = {
         userAgent: null,
         attackModel: null,
     };
-    const userAgentIndex = protectMsg.reqData.headers.findIndex((el) => el === 'user-agent');
+    const userAgentIndex = store.sourceInfo.rawHeaders.findIndex((el) => el === 'user-agent');
     attackers.userAgent = userAgentIndex != -1
-        ? protectMsg.reqData.headers[userAgentIndex + 1]
+        ? store.sourceInfo.rawHeaders[userAgentIndex + 1]
         : null;
-    attackers.attackModel = buildDefendPayload(protectMsg);
+    attackers.attackModel = buildDefendPayload(store);
     return attackers;
 }
 exports.handleProtectMessage = handleProtectMessage;

package/node_modules/@contrast/reporter/lib/reporters/contrast-ui/endpoints/traces/index.js CHANGED Viewed

@@ -125,7 +125,7 @@ class Traces extends ng_endpoint_1.default {
             if (route) {
                 accum.routes = tx.getRoutes(route, this.inProd);
             }
-            if (store?.assess?.reqData) {
+            if (store?.sourceInfo) {
                 accum.request = tx.getRequest(store, this.inProd);
             }
             this.initiateCompletenessCondition(accum);

package/node_modules/@contrast/reporter/lib/reporters/contrast-ui/endpoints/traces/translations.d.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import { RequestStore } from '@contrast/common';
 import { Signature, TraceEvent } from './types';
 export declare function getTaintRanges(tags: Record<string, number[]>): Record<string, string>[];
 export declare function getEventAction(event: any): string;
@@ -16,7 +15,7 @@ export declare function getRoutes(route: any, prod?: boolean): {
     signature: any;
 }[];
 export declare function maskSensitiveRequestData(req: any): any;
-export declare function getRequest(store: RequestStore, prod?: boolean): any;
+export declare function getRequest(store: any, prod?: boolean): any;
 export declare function maskSensitiveTraceData(event: any): any;
 export declare function getTraceEvents(sinkEvent: any, prod: boolean, eventDetail: string): TraceEvent[];
 //# sourceMappingURL=translations.d.ts.map

package/node_modules/@contrast/reporter/lib/reporters/contrast-ui/endpoints/traces/translations.js CHANGED Viewed

@@ -272,10 +272,16 @@ function maskSensitiveRequestData(req) {
 }
 exports.maskSensitiveRequestData = maskSensitiveRequestData;
 function getRequest(store, prod) {
-    const { assess: { reqData: { method, headers: reqHeaders, httpVersion, queries: queryString, uriPath: uri, } }, route, } = store;
+    const {
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore
-    const headers = Object.entries(reqHeaders).reduce((acc, [key, val]) => Object.assign(acc, { [key]: StringPrototypeSplit.call(val, ';') }), {});
+    sourceInfo: { method, rawHeaders, httpVersion, queries: queryString, uriPath: uri, }, route, } = store;
+    const headers = {};
+    for (let idx = 0; idx < rawHeaders.length - 1; idx += 2) {
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore
+        headers[rawHeaders[idx]] = StringPrototypeSplit.call(rawHeaders[idx + 1], ';');
+    }
     const request = {
         body: undefined,
         headers,

package/node_modules/@contrast/reporter/lib/reporters/security-logger/index.d.ts CHANGED Viewed

@@ -27,8 +27,8 @@ export default class SecurityLogger extends BaseReporter {
     private buildMetadata;
     private handleProtectResult;
     install(): Promise<void>;
-    handleAssessEvent(msg: RequestStore): void;
-    handleProtectEvent(msg: RequestStore): void;
+    handleAssessEvent(store: RequestStore): void;
+    handleProtectEvent(store: RequestStore): void;
 }
 export {};
 //# sourceMappingURL=index.d.ts.map

package/node_modules/@contrast/reporter/lib/reporters/security-logger/index.js CHANGED Viewed

@@ -98,8 +98,8 @@ class SecurityLogger extends base_1.default {
             });
         });
         if (core.config.protect.enable) {
-            this.subscribeWithLock(common_1.Event.PROTECT, (msg) => {
-                this.handleProtectEvent(msg);
+            this.subscribeWithLock(common_1.Event.PROTECT, (store) => {
+                this.handleProtectEvent(store);
             });
         }
     }
@@ -142,25 +142,27 @@ class SecurityLogger extends base_1.default {
             });
         }
     }
-    buildMetadata(reqData, outcome) {
+    buildMetadata(sourceInfo, outcome) {
         return {
-            src: reqData.ip,
+            src: sourceInfo.ip,
             spt: '-', // do we have port data?
-            requestMethod: reqData.method,
-            request: reqData.uriPath,
+            requestMethod: sourceInfo.method,
+            request: sourceInfo.uriPath,
             app: this.appInfo.name,
             outcome,
         };
     }
-    handleProtectResult(protect, rule, result) {
-        const mode = protect.policy[rule] || common_1.ProtectRuleMode.OFF;
+    handleProtectResult(store, rule, result) {
+        if (!store?.protect && !store?.sourceInfo)
+            return;
+        const mode = store.protect?.policy[rule] || common_1.ProtectRuleMode.OFF;
         if (mode === common_1.ProtectRuleMode.OFF)
             return;
         if (rule === common_1.Rule.BOT_BLOCKER) {
             const level = this.loggerConfig.syslog.severity_blocked;
             this.log(level, {
                 bbi: 'Contrast Bot Blocker',
-                ...this.buildMetadata(protect.reqData, 'success'),
+                ...this.buildMetadata(store.sourceInfo, 'success'),
             }, messages.botBlocker(result));
             return;
         }
@@ -193,25 +195,25 @@ class SecurityLogger extends base_1.default {
         }
         this.log(level, {
             pri: result.mappedId,
-            ...this.buildMetadata(protect.reqData, outcome),
+            ...this.buildMetadata(store.sourceInfo, outcome),
         }, message(result));
     }
     async install() { }
     /* c8 ignore next 3 */
-    handleAssessEvent(msg) {
+    handleAssessEvent(store) {
         // Assess NYI
     }
-    handleProtectEvent(msg) {
-        if (!msg.protect)
+    handleProtectEvent(store) {
+        if (!store.protect || !store.sourceInfo)
             return;
-        const { protect } = msg;
+        const { protect, sourceInfo } = store;
         const virtualPatchResults = protect.resultsMap[common_1.Rule.VIRTUAL_PATCH];
         if (virtualPatchResults) {
             virtualPatchResults.forEach((result) => {
                 const level = this.loggerConfig.syslog.severity_blocked;
                 this.log(level, {
                     vpi: result.uuid,
-                    ...this.buildMetadata(protect.reqData, 'success'),
+                    ...this.buildMetadata(sourceInfo, 'success'),
                 }, messages.virtualPatch(result));
             });
         }
@@ -221,24 +223,24 @@ class SecurityLogger extends base_1.default {
                 const level = this.loggerConfig.syslog.severity_blocked;
                 this.log(level, {
                     bli: result.uuid,
-                    ...this.buildMetadata(protect.reqData, 'success'),
-                }, messages.ipDenyList(protect.reqData.ip, result));
+                    ...this.buildMetadata(sourceInfo, 'success'),
+                }, messages.ipDenyList(sourceInfo.ip, result));
             });
         }
         const { commonResultsMap, hardeningResultsMap, semanticResultsMap } = (0, common_1.groupResultsMap)(protect.resultsMap);
         Object.entries(commonResultsMap).forEach(([rule, results]) => {
             results.forEach((result) => {
-                this.handleProtectResult(protect, rule, result);
+                this.handleProtectResult(store, rule, result);
             });
         });
         Object.entries(hardeningResultsMap).forEach(([rule, results]) => {
             results.forEach((result) => {
-                this.handleProtectResult(protect, rule, result);
+                this.handleProtectResult(store, rule, result);
             });
         });
         Object.entries(semanticResultsMap).forEach(([rule, results]) => {
             results.forEach((result) => {
-                this.handleProtectResult(protect, rule, result);
+                this.handleProtectResult(store, rule, result);
             });
         });
     }

package/node_modules/@contrast/reporter/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/reporter",
-  "version": "1.51.2",
+  "version": "1.52.0",
   "description": "Subscribes to agent messages and reports them",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,13 +21,13 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/core": "1.54.2",
-    "@contrast/logger": "1.27.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/logger": "1.28.0",
     "@contrast/perf": "1.3.1",
-    "@contrast/scopes": "1.24.2",
-    "axios": "^1.7.4",
+    "@contrast/scopes": "1.25.0",
+    "axios": "^1.11.0",
     "crc-32": "^1.2.2",
     "safe-stable-stringify": "^2.4.1",
     "sonic-boom": "^3.2.0"

package/node_modules/@contrast/rewriter/lib/index.js CHANGED Viewed

@@ -200,9 +200,9 @@ module.exports = function init(core) {
     parseSync('');
   } catch (cause) {
     // @ts-expect-error TS hates errors.
-    throw cause.message === 'Bindings not found.'
+    throw cause.message === 'Failed to load native binding'
       ? new Error(
-        `Contrast cannot detect the correct precompiled dependencies for the current environment: ${platform()}-${arch()}. This typically occurs when deploying an installation from one environment to a different execution environment.`,
+        `Contrast cannot detect the correct precompiled dependencies for the current environment: ${platform()}-${arch()}. This typically occurs when deploying an installation from one environment to a different execution environment or when the \`--omit=optional\` or \`--no-optional\` flags are provided to \`npm install\`.`,
         // @ts-expect-error `cause` requires ts to target es2022 or above, which corresponds to Node 17+, despite being added to Node in 16.9.
         { cause },
       )

package/node_modules/@contrast/rewriter/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/rewriter",
-  "version": "1.30.2",
+  "version": "1.31.0",
   "description": "A transpilation tool mainly used for instrumentation",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,11 +20,11 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agent-swc-plugin": "3.0.0",
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/core": "1.54.2",
-    "@contrast/logger": "1.27.2",
+    "@contrast/agent-swc-plugin": "3.1.0",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/logger": "1.28.0",
     "@swc/core": "1.11.24"
   }
 }

package/node_modules/@contrast/route-coverage/lib/index.js CHANGED Viewed

@@ -16,7 +16,6 @@
 'use strict';
 const { callChildComponentMethodsSync, Event } = require('@contrast/common');
-const NormalizedUrlMapper = require('./normalized-url-mapper');
 /**
  * @param {import('.').Core & {
@@ -36,21 +35,14 @@ module.exports = function init(core) {
   const routeQueue = new Map();
   const routeIdentifier = (method, signature) => `${method}.${signature}`;
-  const routeCoverage = core.routeCoverage = {
-    _normalizedUrlMapper: new NormalizedUrlMapper(),
-    uriPathToNormalizedUrl(uriPath) {
-      return this._normalizedUrlMapper.map(uriPath);
-    },
+  const routeCoverage = core.routeCoverage = {
     discover(info) {
       const id = routeIdentifier(info.method, info.signature);
       if (routeInfo.get(id)) return;
       logger.trace({ info }, 'Discovered new route:');
       routeInfo.set(id, info);
-      this._normalizedUrlMapper.handleDiscover(info);
     },
     discoveryFinished() {

package/node_modules/@contrast/route-coverage/lib/install/express/express5.js CHANGED Viewed

@@ -386,10 +386,14 @@ class ExpressInstrumentation {
         // `value` is a terminal Layer with observable signatures.
         // emit discovery after appending metadata.
         if (value[kMetaKey]) {
-          if (!value[kMetaKey].observables) {
-            value[kMetaKey].observables = {};
+          const observables = this.generateObservables(metas, value.handle);
+          if (observables) {
+            if (!value[kMetaKey].observables) {
+              value[kMetaKey].observables = observables;
+            } else {
+              Object.assign(value[kMetaKey].observables, observables);
+            }
           }
-          Object.assign(value[kMetaKey].observables, this.generateObservables(metas, value.handle));
           self.discover(value[kMetaKey]);
         }
       }
@@ -411,31 +415,28 @@ class ExpressInstrumentation {
         maybeLayer?.constructor?.name == 'Layer' &&
         !maybeLayer?.stack?.length
       ) {
-        //
         let _data = data.get(maybeLayer);
         if (!_data) {
-          _data = { path: [...path] };
+          _data = { paths: [] };
           data.set(maybeLayer, _data);
         }
         // you can mount a router on itself
         // prevent infinitely recursing into self-mounted routers
-        if (path.length > _data.path.length) {
-          let isNested = true;
-          loopPaths: for (let idx = 0; idx < _data.path.length; idx++) {
-            if (path[idx] != _data.path[idx]) {
-              isNested = false;
-              break loopPaths;
-            }
-          }
-          if (isNested) {
-            // todo: we don't support recursive router discovery/observation case atm
-            // stop to avoid infinite traversal
+        for (const visitedPath of _data.paths) {
+          // these conditions indicate recursive nesting at particular path
+          if (
+            path.length > visitedPath.length &&
+            visitedPath.every((el, i) => path[i] == el)
+          ) {
             path.pop();
             continue loopKeys;
           }
         }
+        _data.paths.push([...path]); // copy because path argument mutates
         const halt = cb(path, key, maybeLayer, target) === false;
         if (halt) return;
       }
@@ -500,9 +501,6 @@ class ExpressInstrumentation {
     // build signature lookup based on each template (normalizeUri)
     const map = templates.reduce((acc, routeTemplate) => {
       if (!routeTemplate) routeTemplate = '/';
-      if (routeTemplate?.includes?.('typecheck')) {
-        // console.dir({ info, template });
-      }
       acc[routeTemplate] = `${type}.${method}('${routeTemplate}', ${formattedHandler})`;
       return acc;
     }, {});

package/node_modules/@contrast/route-coverage/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/route-coverage",
-  "version": "1.45.2",
+  "version": "1.46.0",
   "description": "Handles route discovery and observation",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,14 +20,14 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.34.2",
-    "@contrast/config": "1.49.2",
-    "@contrast/core": "1.54.2",
-    "@contrast/dep-hooks": "1.23.2",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
     "@contrast/fn-inspect": "^4.3.0",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2",
-    "@contrast/scopes": "1.24.2",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0",
+    "@contrast/scopes": "1.25.0",
     "semver": "^7.6.0"
   }
 }

package/node_modules/@contrast/scopes/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/scopes",
-  "version": "1.24.2",
+  "version": "1.25.0",
   "description": "Handles AsyncLocalStorage scopes",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,9 +20,9 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/core": "1.54.2",
-    "@contrast/dep-hooks": "1.23.2",
-    "@contrast/logger": "1.27.2",
-    "@contrast/patcher": "1.26.2"
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0"
   }
 }

package/node_modules/@contrast/sec-obs/lib/traces/http.js CHANGED Viewed

@@ -16,7 +16,7 @@
 'use strict';
 const patchType = 'observability';
 const onFinished = require('on-finished');
-const { primordials: { StringPrototypeSplit } } = require('@contrast/common');
+const { normalizeURI, primordials: { StringPrototypeSplit } } = require('@contrast/common');
 module.exports = function(core) {
   const {
@@ -48,7 +48,7 @@ module.exports = function(core) {
     if (!method || !url) return next();
     const [path] = StringPrototypeSplit.call(url, '?'); // TODO: NODE-3701 sync discovered route name and trace
-    const name = `${method} ${path}`;
+    const name = `${method} ${normalizeURI(path)}`;
     const rootSpan = tracer.startSpan(name);
     // TODO: Audit other attributes and add as needed
     const headers = getHeaders(req);

package/node_modules/@contrast/sec-obs/lib/traces/http.test.js CHANGED Viewed

@@ -69,6 +69,23 @@ describe('observability root spans', function () {
         expect(span.end).to.have.been.called;
       });
+      it('generates a span with the normalized uri', function() {
+        emit('request', {
+          method: 'GET',
+          url: '/path/b09112a0-a58f-487a-ab4b-3608bd64fb3f/fd4b78312634a236d11da0f9c32526e5b8261afa/42/end'
+        }, resMock);
+        expect(startSpan).to.have.been.calledWith('GET /path/{uuid}/{hash}/{n}/end');
+        const span = startSpan.getCall(0).returnValue;
+        expect(span.setAttributes).to.have.been.calledWith({
+          'network.protocol.name': moduleName,
+          'http.request.method': 'GET',
+        });
+        expect(span.setAttributes).to.have.been.calledWith({
+          'http.response.status_code': 200
+        });
+        expect(span.end).to.have.been.called;
+      });
       it('generates a span with the attributes derived from headers', function() {
         const headersSymbol = Symbol('Headers');
         reqMock[headersSymbol] = {

package/node_modules/@contrast/sec-obs/lib/traces/outbound-service-call.js CHANGED Viewed

@@ -16,7 +16,7 @@
 'use strict';
 const patchType = 'observability';
 const onFinished = require('on-finished');
-const { isString } = require('@contrast/common');
+const { isString, normalizeURI } = require('@contrast/common');
 module.exports = function(core) {
   const {
@@ -37,7 +37,7 @@ module.exports = function(core) {
     protocol = protocol.endsWith(':') ? protocol : `${protocol}:`;
     path = path || pathname;
     port &&= `:${port}`;
-    return `${protocol}//${hostname}${port}${path}`;
+    return `${protocol}//${hostname}${port}${normalizeURI(path)}`;
   }
   return core.secObs.traces.outboundServiceCall = {

package/node_modules/@contrast/sec-obs/lib/traces/outbound-service-call.test.js CHANGED Viewed

@@ -138,4 +138,21 @@ describe('observability outbound-service-call action', function () {
     });
     expect(span.end).to.have.been.called;
   });
+  it('generates a span with normalized path', function() {
+    core.secObs.tracing.getContext.returns({});
+    core.secObs.tracing.runContext.returns({});
+    http.request({
+      protocol: 'http',
+      hostname: 'example.com',
+      path: '/path/b09112a0-a58f-487a-ab4b-3608bd64fb3f/fd4b78312634a236d11da0f9c32526e5b8261afa/42/end'
+    });
+    expect(startSpan).to.have.been.calledWith('outbound-service-call', undefined, {});
+    const span = startSpan.getCall(0).returnValue;
+    expect(span.setAttributes).to.have.been.calledWith({
+      'url.full': 'http://example.com/path/{uuid}/{hash}/{n}/end',
+      'server.address': 'example.com',
+    });
+    expect(span.end).to.have.been.called;
+  });
 });

package/node_modules/@contrast/sec-obs/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/sec-obs",
-  "version": "1.0.0-alpha.8",
+  "version": "1.0.0-alpha.9",
   "description": "Contrast service providing framework-agnostic Observability support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,14 +17,14 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.33.0",
-    "@contrast/config": "1.48.0",
-    "@contrast/core": "1.53.0",
-    "@contrast/dep-hooks": "1.22.0",
-    "@contrast/logger": "1.26.0",
-    "@contrast/patcher": "1.25.0",
-    "@contrast/rewriter": "1.29.0",
-    "@contrast/scopes": "1.23.0",
+    "@contrast/common": "1.35.0",
+    "@contrast/config": "1.50.0",
+    "@contrast/core": "1.55.0",
+    "@contrast/dep-hooks": "1.24.0",
+    "@contrast/logger": "1.28.0",
+    "@contrast/patcher": "1.27.0",
+    "@contrast/rewriter": "1.31.0",
+    "@contrast/scopes": "1.25.0",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/exporter-metrics-otlp-http": "^0.57.1",
     "@opentelemetry/exporter-trace-otlp-http": "^0.57.1",