autotel-devtools 7.0.0 → 8.1.0

package/dist/server/index.d.cts

@@ -1,8 +1,8 @@
-import { D as DevtoolsServer, L as LogData, T as TraceData, b as DevtoolsData } from '../exporter-DjLkU621.cjs';
-export { d as DevtoolsServerOptions, a as DevtoolsSpanExporter, E as ErrorGroup, c as ErrorOccurrence, M as MetricData, S as SpanData } from '../exporter-DjLkU621.cjs';
+import { D as DevtoolsServer, L as LogData, T as TraceData, b as DevtoolsData } from '../exporter-De6p4iAD.cjs';
+export { d as DevtoolsServerOptions, a as DevtoolsSpanExporter, E as ErrorGroup, c as ErrorOccurrence, M as MetricData, S as SpanData } from '../exporter-De6p4iAD.cjs';
 export { DevtoolsLogExporter } from './log-exporter.cjs';
 export { DevtoolsRemoteExporter, DevtoolsRemoteExporterOptions } from './remote-exporter.cjs';
-export { E as ErrorAggregator } from '../error-aggregator-CbLiuot4.cjs';
+export { E as ErrorAggregator } from '../error-aggregator-D1Mr221Y.cjs';
 import { Server } from 'node:http';
 import '@opentelemetry/sdk-trace-base';
 import '@opentelemetry/core';
@@ -12,9 +12,34 @@ interface HttpServerOptions {
     port?: number;
     host?: string;
 }
-declare function attachDevtoolsRoutes(httpServer: Server, devtools: DevtoolsServer): void;
+interface DevtoolsRoutesOptions {
+    /** Bound to a loopback host (the default). Enables the DNS-rebinding `Host`
+     *  check on read endpoints; an explicit non-loopback bind opts out. */
+    loopbackOnly?: boolean;
+}
+declare function attachDevtoolsRoutes(httpServer: Server, devtools: DevtoolsServer, options?: DevtoolsRoutesOptions): void;
 declare function createDevtoolsHttpServer(devtools: DevtoolsServer, _options?: HttpServerOptions): Server;
 
+/** True for `localhost`, any `127.x.x.x`, and IPv6 loopback. Case-insensitive. */
+declare function isLoopbackHostname(hostname: string): boolean;
+/** True when the `Host` header names a loopback host. */
+declare function hostHeaderIsLoopback(host: string): boolean;
+/** True when an `Origin` header names a loopback origin. A malformed or opaque
+ *  origin (e.g. the literal `null` from a sandboxed iframe) is treated as
+ *  non-loopback. */
+declare function originIsLoopback(origin: string): boolean;
+interface GuardHeaders {
+    origin?: string;
+    host?: string;
+}
+/**
+ * Decide whether a request to a sensitive (read/mutate) endpoint is allowed.
+ * - A present, non-loopback `Origin` is always rejected (cross-origin read).
+ * - When `loopbackOnly`, a present, non-loopback `Host` is rejected (DNS
+ *   rebinding). Skipped when the receiver is bound to a non-loopback host.
+ */
+declare function allowSensitiveRequest(headers: GuardHeaders, loopbackOnly: boolean): boolean;
+
 declare function parseOtlpTraces(payload: unknown): TraceData[];
 declare function parseOtlpLogs(payload: unknown): LogData[];
 /**
@@ -64,4 +89,4 @@ declare function appendWithLimit<T>(items: T[], item: T, limit: number): T[];
 declare function appendManyWithLimit<T>(items: T[], incoming: T[], limit: number): T[];
 declare function applyTelemetryLimits(data: DevtoolsData, limits: TelemetryLimits): DevtoolsData;
 
-export { DEVTOOLS_IDENTITY, DevtoolsData, DevtoolsServer, type HttpServerOptions, LogData, type PortHolder, type TelemetryLimits, TraceData, appendManyWithLimit, appendWithLimit, applyTelemetryLimits, attachDevtoolsRoutes, createDevtoolsHttpServer, decodeOtlpLogsRequest, decodeOtlpMetricsRequest, decodeOtlpTraceRequest, isProtobufContentType, parseOtlpLogs, parseOtlpTraces, probePortHolder, resolveTelemetryLimits };
+export { DEVTOOLS_IDENTITY, DevtoolsData, type DevtoolsRoutesOptions, DevtoolsServer, type HttpServerOptions, LogData, type PortHolder, type TelemetryLimits, TraceData, allowSensitiveRequest, appendManyWithLimit, appendWithLimit, applyTelemetryLimits, attachDevtoolsRoutes, createDevtoolsHttpServer, decodeOtlpLogsRequest, decodeOtlpMetricsRequest, decodeOtlpTraceRequest, hostHeaderIsLoopback, isLoopbackHostname, isProtobufContentType, originIsLoopback, parseOtlpLogs, parseOtlpTraces, probePortHolder, resolveTelemetryLimits };

package/dist/server/index.d.ts

@@ -1,8 +1,8 @@
-import { D as DevtoolsServer, L as LogData, T as TraceData, b as DevtoolsData } from '../exporter-DjLkU621.js';
-export { d as DevtoolsServerOptions, a as DevtoolsSpanExporter, E as ErrorGroup, c as ErrorOccurrence, M as MetricData, S as SpanData } from '../exporter-DjLkU621.js';
+import { D as DevtoolsServer, L as LogData, T as TraceData, b as DevtoolsData } from '../exporter-De6p4iAD.js';
+export { d as DevtoolsServerOptions, a as DevtoolsSpanExporter, E as ErrorGroup, c as ErrorOccurrence, M as MetricData, S as SpanData } from '../exporter-De6p4iAD.js';
 export { DevtoolsLogExporter } from './log-exporter.js';
 export { DevtoolsRemoteExporter, DevtoolsRemoteExporterOptions } from './remote-exporter.js';
-export { E as ErrorAggregator } from '../error-aggregator-CAk_pt3Z.js';
+export { E as ErrorAggregator } from '../error-aggregator-D0Uu5r38.js';
 import { Server } from 'node:http';
 import '@opentelemetry/sdk-trace-base';
 import '@opentelemetry/core';
@@ -12,9 +12,34 @@ interface HttpServerOptions {
     port?: number;
     host?: string;
 }
-declare function attachDevtoolsRoutes(httpServer: Server, devtools: DevtoolsServer): void;
+interface DevtoolsRoutesOptions {
+    /** Bound to a loopback host (the default). Enables the DNS-rebinding `Host`
+     *  check on read endpoints; an explicit non-loopback bind opts out. */
+    loopbackOnly?: boolean;
+}
+declare function attachDevtoolsRoutes(httpServer: Server, devtools: DevtoolsServer, options?: DevtoolsRoutesOptions): void;
 declare function createDevtoolsHttpServer(devtools: DevtoolsServer, _options?: HttpServerOptions): Server;
 
+/** True for `localhost`, any `127.x.x.x`, and IPv6 loopback. Case-insensitive. */
+declare function isLoopbackHostname(hostname: string): boolean;
+/** True when the `Host` header names a loopback host. */
+declare function hostHeaderIsLoopback(host: string): boolean;
+/** True when an `Origin` header names a loopback origin. A malformed or opaque
+ *  origin (e.g. the literal `null` from a sandboxed iframe) is treated as
+ *  non-loopback. */
+declare function originIsLoopback(origin: string): boolean;
+interface GuardHeaders {
+    origin?: string;
+    host?: string;
+}
+/**
+ * Decide whether a request to a sensitive (read/mutate) endpoint is allowed.
+ * - A present, non-loopback `Origin` is always rejected (cross-origin read).
+ * - When `loopbackOnly`, a present, non-loopback `Host` is rejected (DNS
+ *   rebinding). Skipped when the receiver is bound to a non-loopback host.
+ */
+declare function allowSensitiveRequest(headers: GuardHeaders, loopbackOnly: boolean): boolean;
+
 declare function parseOtlpTraces(payload: unknown): TraceData[];
 declare function parseOtlpLogs(payload: unknown): LogData[];
 /**
@@ -64,4 +89,4 @@ declare function appendWithLimit<T>(items: T[], item: T, limit: number): T[];
 declare function appendManyWithLimit<T>(items: T[], incoming: T[], limit: number): T[];
 declare function applyTelemetryLimits(data: DevtoolsData, limits: TelemetryLimits): DevtoolsData;
 
-export { DEVTOOLS_IDENTITY, DevtoolsData, DevtoolsServer, type HttpServerOptions, LogData, type PortHolder, type TelemetryLimits, TraceData, appendManyWithLimit, appendWithLimit, applyTelemetryLimits, attachDevtoolsRoutes, createDevtoolsHttpServer, decodeOtlpLogsRequest, decodeOtlpMetricsRequest, decodeOtlpTraceRequest, isProtobufContentType, parseOtlpLogs, parseOtlpTraces, probePortHolder, resolveTelemetryLimits };
+export { DEVTOOLS_IDENTITY, DevtoolsData, type DevtoolsRoutesOptions, DevtoolsServer, type HttpServerOptions, LogData, type PortHolder, type TelemetryLimits, TraceData, allowSensitiveRequest, appendManyWithLimit, appendWithLimit, applyTelemetryLimits, attachDevtoolsRoutes, createDevtoolsHttpServer, decodeOtlpLogsRequest, decodeOtlpMetricsRequest, decodeOtlpTraceRequest, hostHeaderIsLoopback, isLoopbackHostname, isProtobufContentType, originIsLoopback, parseOtlpLogs, parseOtlpTraces, probePortHolder, resolveTelemetryLimits };

package/dist/server/index.js

@@ -356,6 +356,40 @@ function applyTelemetryLimits(data, limits) {
   };
 }
 
+// src/server/origin-guard.ts
+var LOOPBACK_IPV6 = /* @__PURE__ */ new Set(["::1", "0:0:0:0:0:0:0:1"]);
+function isLoopbackHostname(hostname) {
+  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
+  return h === "localhost" || /^127\./.test(h) || LOOPBACK_IPV6.has(h);
+}
+function hostnameFromHostHeader(host) {
+  const h = host.trim();
+  if (h.startsWith("[")) {
+    const end = h.indexOf("]");
+    return end > 0 ? h.slice(1, end) : h;
+  }
+  const colon = h.indexOf(":");
+  return colon === -1 ? h : h.slice(0, colon);
+}
+function hostHeaderIsLoopback(host) {
+  return isLoopbackHostname(hostnameFromHostHeader(host));
+}
+function originIsLoopback(origin) {
+  try {
+    return isLoopbackHostname(new URL(origin).hostname);
+  } catch {
+    return false;
+  }
+}
+function allowSensitiveRequest(headers, loopbackOnly) {
+  const { origin, host } = headers;
+  if (origin && origin.length > 0 && !originIsLoopback(origin)) return false;
+  if (loopbackOnly && host && host.length > 0 && !hostHeaderIsLoopback(host)) {
+    return false;
+  }
+  return true;
+}
+
 // src/server/server.ts
 var DevtoolsServer = class {
   wss;
@@ -375,7 +409,12 @@ var DevtoolsServer = class {
     this._port = options.port ?? 4318;
     this.onData = options.onData;
     this.httpServer = options.server ?? createServer();
-    this.wss = new WebSocketServer({ server: this.httpServer, path: options.path ?? "/ws" });
+    const loopbackOnly = options.host == null || hostHeaderIsLoopback(options.host);
+    this.wss = new WebSocketServer({
+      server: this.httpServer,
+      path: options.path ?? "/ws",
+      verifyClient: ({ origin, req }) => allowSensitiveRequest({ origin, host: req.headers.host }, loopbackOnly)
+    });
     this.wss.on("error", (err) => {
       if (this.httpServer.listening) throw err;
     });
@@ -1474,7 +1513,8 @@ function getWidgetJs() {
   }
   return cachedWidgetJs;
 }
-function attachDevtoolsRoutes(httpServer, devtools) {
+function attachDevtoolsRoutes(httpServer, devtools, options = {}) {
+  const loopbackOnly = options.loopbackOnly ?? true;
   httpServer.on("request", async (req, res) => {
     res.setHeader("Access-Control-Allow-Origin", "*");
     res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
@@ -1508,11 +1548,19 @@ function attachDevtoolsRoutes(httpServer, devtools) {
       return;
     }
     if (req.method === "GET" && url === "/v1/traces") {
+      if (!allowSensitiveRequest(req.headers, loopbackOnly)) {
+        sendJson(res, 403, { error: "Forbidden" });
+        return;
+      }
       const data = devtools.getCurrentData();
       sendJson(res, 200, { traces: data.traces, count: data.traces.length });
       return;
     }
     if (req.method === "DELETE" && url === "/v1/traces") {
+      if (!allowSensitiveRequest(req.headers, loopbackOnly)) {
+        sendJson(res, 403, { error: "Forbidden" });
+        return;
+      }
       devtools.clearData();
       sendJson(res, 200, { cleared: true });
       return;
@@ -1558,6 +1606,6 @@ function createDevtoolsHttpServer(devtools, _options = {}) {
   return server;
 }
 
-export { DEVTOOLS_IDENTITY, DevtoolsLogExporter, DevtoolsRemoteExporter, DevtoolsServer, DevtoolsSpanExporter, ErrorAggregator, appendManyWithLimit, appendWithLimit, applyTelemetryLimits, attachDevtoolsRoutes, createDevtoolsHttpServer, decodeOtlpLogsRequest, decodeOtlpMetricsRequest, decodeOtlpTraceRequest, isProtobufContentType, parseOtlpLogs, parseOtlpTraces, probePortHolder, resolveTelemetryLimits };
+export { DEVTOOLS_IDENTITY, DevtoolsLogExporter, DevtoolsRemoteExporter, DevtoolsServer, DevtoolsSpanExporter, ErrorAggregator, allowSensitiveRequest, appendManyWithLimit, appendWithLimit, applyTelemetryLimits, attachDevtoolsRoutes, createDevtoolsHttpServer, decodeOtlpLogsRequest, decodeOtlpMetricsRequest, decodeOtlpTraceRequest, hostHeaderIsLoopback, isLoopbackHostname, isProtobufContentType, originIsLoopback, parseOtlpLogs, parseOtlpTraces, probePortHolder, resolveTelemetryLimits };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map