npm - postman-runtime - Versions diffs - 7.32.3 → 7.34.0 - Mend

postman-runtime 7.32.3 → 7.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.yaml +20 -0
package/dist/index.js +1 -1
package/lib/authorizer/asap.js +253 -0
package/lib/authorizer/index.js +1 -0
package/lib/requester/core-body-builder.js +3 -8
package/lib/requester/core.js +34 -5
package/lib/runner/request-helpers-presend.js +14 -0
package/package.json +9 -8

package/lib/authorizer/asap.js ADDED Viewed

@@ -0,0 +1,253 @@
+var jose = require('jose'),
+    uuid = require('uuid'),
+    nodeForge = require('node-forge'),
+    AUTHORIZATION = 'Authorization',
+    AUTHORIZATION_PREFIX = 'Bearer ',
+    ASAP_PARAMETERS = [
+        'alg',
+        'kid',
+        'iss',
+        'exp',
+        'aud',
+        'sub',
+        'privateKey',
+        'claims'
+    ],
+    DEFAULT_EXPIRY = 3600,
+    DEFAULT_ALGORITHM = 'RS256',
+    // No synchronous algorithms supported in ASAP, Ref:
+    // https://s2sauth.bitbucket.io/spec/#overview
+    ALGORITHMS_SUPPORTED = {
+        RS256: 'RS256',
+        RS384: 'RS384',
+        RS512: 'RS512',
+        PS256: 'PS256',
+        PS384: 'PS384',
+        PS512: 'PS512',
+        ES256: 'ES256',
+        ES384: 'ES384',
+        ES512: 'ES512'
+    },
+    // eslint-disable-next-line no-useless-escape
+    DATA_URI_PATTERN = /^data:application\/pkcs8;kid=([\w.\-\+/]+);base64,([a-zA-Z0-9+/=]+)$/;
+function removeNewlines (str) {
+    return str.replace(/\n/g, '');
+}
+function trimStringDoubleQuotes (str) {
+    return str.replace(/^"(.*)"$/, '$1');
+}
+function parsePrivateKey (keyId, privateKey) {
+    privateKey = trimStringDoubleQuotes(privateKey);
+    var uriDecodedPrivateKey = decodeURIComponent(privateKey),
+        match,
+        privateKeyDerBuffer,
+        privateKeyAsn1,
+        privateKeyInfo,
+        pkcs1pem,
+        base64pkcs1,
+        privateKeyInfoPKCS1,
+        privateKeyInfoPKCS8,
+        asn1pkcs1privateKey,
+        pkcs8pem;
+    if (!uriDecodedPrivateKey.startsWith('data:')) {
+        return uriDecodedPrivateKey;
+    }
+    match = DATA_URI_PATTERN.exec(uriDecodedPrivateKey);
+    if (!match) {
+        throw new Error('Malformed Data URI');
+    }
+    if (keyId !== match[1]) {
+        throw new Error('Supplied key id does not match the one included in data uri.');
+    }
+    // Convert DER to PEM if needed
+    // Create a private key from the DER buffer
+    privateKeyDerBuffer = nodeForge.util.decode64(match[2]);
+    privateKeyAsn1 = nodeForge.asn1.fromDer(privateKeyDerBuffer);
+    privateKeyInfo = nodeForge.pki.privateKeyFromAsn1(privateKeyAsn1);
+    pkcs1pem = nodeForge.pki.privateKeyToPem(privateKeyInfo);
+    base64pkcs1 = pkcs1pem.toString('base64').trim();
+    // convert the PKCS#1 key generated to PKCS#8 format
+    privateKeyInfoPKCS1 = nodeForge.pki.privateKeyFromPem(base64pkcs1);
+    asn1pkcs1privateKey = nodeForge.pki.privateKeyToAsn1(privateKeyInfoPKCS1);
+    privateKeyInfoPKCS8 = nodeForge.pki.wrapRsaPrivateKey(asn1pkcs1privateKey);
+    pkcs8pem = nodeForge.pki.privateKeyInfoToPem(privateKeyInfoPKCS8);
+    return pkcs8pem.toString('base64').trim();
+}
+/**
+ * @implements {AuthHandlerInterface}
+ */
+module.exports = {
+    /**
+     * @property {AuthHandlerInterface~AuthManifest}
+     */
+    manifest: {
+        info: {
+            name: 'asap',
+            version: '1.0.0'
+        },
+        updates: [
+            {
+                property: AUTHORIZATION,
+                type: 'header'
+            }
+        ]
+    },
+    /**
+     * Initializes an item (extracts parameters from intermediate requests if any, etc)
+     * before the actual authorization step.
+     *
+     * @param {AuthInterface} auth -
+     * @param {Response} response -
+     * @param {AuthHandlerInterface~authInitHookCallback} done -
+     */
+    init: function (auth, response, done) {
+        done(null);
+    },
+    /**
+     * Verifies whether the request has valid basic auth credentials (which is always).
+     * Sanitizes the auth parameters if needed.
+     *
+     * @param {AuthInterface} auth -
+     * @param {AuthHandlerInterface~authPreHookCallback} done -
+     */
+    pre: function (auth, done) {
+        done(null, true);
+    },
+    /**
+     * Verifies whether the basic auth succeeded.
+     *
+     * @param {AuthInterface} auth -
+     * @param {Response} response -
+     * @param {AuthHandlerInterface~authPostHookCallback} done -
+     */
+    post: function (auth, response, done) {
+        done(null, true);
+    },
+    /**
+     * Signs a request.
+     *
+     * @param {AuthInterface} auth -
+     * @param {Request} request -
+     * @param {AuthHandlerInterface~authSignHookCallback} done -
+     */
+    sign: function (auth, request, done) {
+        var params = auth.get(ASAP_PARAMETERS),
+            claims = params.claims || {},
+            issuer,
+            subject,
+            audience,
+            jwtTokenId,
+            currentTimeStamp,
+            issuedAt,
+            expiry,
+            expiryTimestamp,
+            privateKey,
+            kid,
+            alg;
+        if (typeof claims === 'string') {
+            const trimmedClaims = claims.trim();
+            try {
+                claims = trimmedClaims && JSON.parse(trimmedClaims);
+            }
+            catch (err) {
+                return done(new Error('Failed to parse claims'));
+            }
+        }
+        // Give priority to the claims object, if present
+        issuer = claims.iss || params.iss;
+        // Atlassian wants subject to fall back to issuer if not present
+        subject = claims.sub || params.sub || issuer;
+        audience = claims.aud || params.aud;
+        // Default to a uuid, this is mandatory in ASAP
+        jwtTokenId = claims.jti || uuid.v4();
+        currentTimeStamp = Math.floor(Date.now() / 1000);
+        issuedAt = claims.iat || currentTimeStamp;
+        // Check if expiry is present in claims or params, parse it to int
+        expiry = (params.exp && parseInt(params.exp, 10)) ||
+            DEFAULT_EXPIRY;
+        // Allow overriding expiry timestamp in claims. The ASAP and JWT specs
+        // mention exp to be a timestamp rather than a duration, so we let the
+        // override pass through.
+        expiryTimestamp = (claims.exp && parseInt(claims.exp, 10)) ||
+            currentTimeStamp + expiry;
+        privateKey = params.privateKey;
+        kid = claims.kid || params.kid;
+        // Atlassian's internal tool for generating keys uses RS256 by default
+        alg = params.alg || DEFAULT_ALGORITHM;
+        // Validation
+        if (!kid || !issuer || !audience || !jwtTokenId || !privateKey || !kid) {
+            return done(new Error('One or more of required claims missing'));
+        }
+        if (!ALGORITHMS_SUPPORTED[alg]) {
+            return done(new Error('invalid algorithm'));
+        }
+        if (typeof privateKey !== 'string') {
+            return done(new Error('privateKey must be a string'));
+        }
+        try {
+            privateKey = removeNewlines(privateKey);
+            privateKey = parsePrivateKey(kid, privateKey);
+        }
+        catch (err) {
+            return done(new Error('Failed to parse private key.'));
+        }
+        jose.importPKCS8(privateKey, alg)
+            .then((signKey) => {
+                return new jose.SignJWT(claims)
+                    .setProtectedHeader({ alg, kid })
+                    // This will be system generated if not present
+                    .setIssuedAt(issuedAt)
+                    .setIssuer(issuer)
+                    .setSubject(subject)
+                    .setJti(jwtTokenId)
+                    .setAudience(audience)
+                    .setExpirationTime(expiryTimestamp)
+                    .sign(signKey);
+            })
+            .then((token) => {
+                request.removeHeader(AUTHORIZATION, { ignoreCase: true });
+                request.addHeader({
+                    key: AUTHORIZATION,
+                    value: AUTHORIZATION_PREFIX + token,
+                    system: true
+                });
+                return done();
+            })
+            .catch(() => {
+                done(new Error('Failed to sign request with key.'));
+            });
+    }
+};

package/lib/authorizer/index.js CHANGED Viewed

@@ -86,6 +86,7 @@ _.forEach({
     hawk: require('./hawk'),
     oauth1: require('./oauth1'),
     oauth2: require('./oauth2'),
+    asap: require('./asap'),
     ntlm: require('./ntlm'),
     apikey: require('./apikey'),
     edgegrid: require('./edgegrid'),

package/lib/requester/core-body-builder.js CHANGED Viewed

@@ -154,18 +154,13 @@ formDataBodyReducer = function (data, param) {
         formParam.value = E; // make sure value is not null/undefined ever
     }
-    // if data has a truthy content type, we mutate the value to take the options. we are assuming that
-    // blank string will not be considered as an accepted content type.
     if (param.contentType && typeof param.contentType === STRING) {
         (options || (options = {})).contentType = param.contentType;
     }
-    // additionally parse the file name and length if sent
-    // @note: Add support for fileName & fileLength option in Schema & SDK.
-    //        The filepath property overrides filename and may contain a relative path.
-    if (typeof param.fileName === STRING) { (options || (options = {})).filename = param.fileName; }
-    if (typeof param.fileLength === 'number') { (options || (options = {})).knownLength = param.fileLength; }
+    if (typeof param.fileName === STRING) {
+        (options || (options = {})).filename = param.fileName;
+    }
     // if options were set, add them to formParam
     options && (formParam.options = options);

package/lib/requester/core.js CHANGED Viewed

@@ -229,7 +229,10 @@ var dns = require('dns'),
             // returning error synchronously causes uncaught error because listeners are not attached to error events
             // on socket yet
             return setImmediate(function () {
-                callback(null, resolvedAddr, resolvedFamily);
+                // when options.all is set, the callback expects an array of addresses
+                return options.all ?
+                    callback(null, [{ address: resolvedAddr, family: resolvedFamily }]) :
+                    callback(null, resolvedAddr, resolvedFamily);
             });
         }
@@ -289,20 +292,46 @@ var dns = require('dns'),
         // - localhost
         // - *.localhost
         if (getTLD(lowercaseHost) !== LOCALHOST) {
+            // when options.all is set, the callback expects an array of addresses
+            if (options.all) {
+                return _lookup(options, hostLookup, lowercaseHost, function (err, addresses) {
+                    if (err) { return callback(err); }
+                    // error out if any of the resolved addresses are restricted
+                    if (_.some(addresses, (addr) => {
+                        return self.isAddressRestricted(addr && addr.address, networkOpts);
+                    })) {
+                        return callback(new Error(ERROR_ADDRESS_RESOLVE + hostname));
+                    }
+                    return callback(null, addresses);
+                });
+            }
             return _lookup(options, hostLookup, lowercaseHost, function (err, addr, family) {
                 if (err) { return callback(err); }
-                return callback(self.isAddressRestricted(addr, networkOpts) ?
-                    new Error(ERROR_ADDRESS_RESOLVE + hostname) : null, addr, family);
+                // error out if the resolved address is restricted
+                if (self.isAddressRestricted(addr, networkOpts)) {
+                    return callback(new Error(ERROR_ADDRESS_RESOLVE + hostname));
+                }
+                return callback(null, addr, family);
             });
         }
         // Try checking if we can connect to IPv6 localhost ('::1')
         connect(LOCAL_IPV6, lookupOptions.port, function (err) {
             // use IPv4 if we cannot connect to IPv6
-            if (err) { return callback(null, LOCAL_IPV4, 4); }
+            if (err) {
+                return options.all ?
+                    callback(null, [{ address: LOCAL_IPV4, family: 4 }]) :
+                    callback(null, LOCAL_IPV4, 4);
+            }
-            callback(null, LOCAL_IPV6, 6);
+            return options.all ?
+                callback(null, [{ address: LOCAL_IPV6, family: 6 }]) :
+                callback(null, LOCAL_IPV6, 6);
         });
     },

package/lib/runner/request-helpers-presend.js CHANGED Viewed

@@ -124,6 +124,13 @@ module.exports = [
                             disableParam && (formparam.disabled = true);
                         };
+                    // handle base64 encoded file
+                    if (!formparam.src && formparam.value && typeof formparam.value === STRING) {
+                        formparam.value = Buffer.from(formparam.value, 'base64');
+                        return callback();
+                    }
                     // handle missing file src
                     if (!formparam.src || (paramIsComposite && !formparam.src.length)) {
                         onLoadError(new Error('missing file source'), false);
@@ -188,6 +195,13 @@ module.exports = [
             },
             // file data
             file (filedata, next) {
+                // handle base64 encoded file
+                if (!filedata.src && filedata.content && typeof filedata.content === STRING) {
+                    filedata.content = Buffer.from(filedata.content, 'base64');
+                    return next();
+                }
                 // eslint-disable-next-line security/detect-non-literal-fs-filename
                 util.createReadStream(resolver, filedata.src, function (err, stream) {
                     if (err) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "postman-runtime",
-  "version": "7.32.3",
+  "version": "7.34.0",
   "description": "Underlying library of executing Postman Collections",
   "author": "Postman Inc.",
   "license": "Apache-2.0",
@@ -45,17 +45,18 @@
     "@postman/tough-cookie": "4.1.3-postman.1",
     "async": "3.2.4",
     "aws4": "1.12.0",
-    "handlebars": "4.7.7",
-    "httpntlm": "1.8.12",
+    "handlebars": "4.7.8",
+    "httpntlm": "1.8.13",
     "jose": "4.14.4",
     "js-sha512": "0.8.0",
     "lodash": "4.17.21",
     "mime-types": "2.1.35",
+    "node-forge": "1.3.1",
     "node-oauth1": "1.3.0",
     "performance-now": "2.1.0",
-    "postman-collection": "4.1.7",
+    "postman-collection": "4.2.1",
     "postman-request": "2.88.1-postman.33",
-    "postman-sandbox": "4.2.6",
+    "postman-sandbox": "4.2.8",
     "postman-url-encoder": "3.0.5",
     "serialised-error": "1.1.3",
     "strip-json-comments": "3.1.1",
@@ -65,14 +66,14 @@
     "@postman/shipit": "^0.4.0",
     "ajv": "^8.12.0",
     "browserify": "^17.0.0",
-    "chai": "^4.3.7",
+    "chai": "^4.3.10",
     "chalk": "^4.1.2",
     "dependency-check": "^4.1.0",
     "editorconfig": "^1.0.2",
     "eslint": "^7.32.0",
     "eslint-plugin-jsdoc": "^36.1.1",
     "eslint-plugin-lodash": "^7.4.0",
-    "eslint-plugin-mocha": "^10.1.0",
+    "eslint-plugin-mocha": "^10.2.0",
     "eslint-plugin-security": "^1.7.1",
     "express": "^4.17.2",
     "graphql": "^15.7.2",
@@ -92,7 +93,7 @@
     "shelljs": "^0.8.5",
     "sinon": "^12.0.1",
     "teleport-javascript": "^1.0.0",
-    "terser": "^5.17.7",
+    "terser": "^5.22.0",
     "tmp": "^0.2.1",
     "webpack": "^5.86.0",
     "yankee": "^1.0.8"