postman-runtime 7.37.3 → 7.39.0

package/lib/authorizer/digest.js

@@ -226,6 +226,21 @@ function computeBodyHash (body, algorithm, digestEncoding, callback) {
     return callback();
 }
 
+/**
+ * increase nonce count by 1
+ *
+ * @param {String} nonceCount - nonce count
+ */
+function increaseNonceCount (nonceCount) {
+    const nc = _.parseInt(nonceCount);
+
+    if (_.isNaN(nc)) {
+        return ONE;
+    }
+
+    return _.padStart((nc + 1).toString(), ONE.length, '0');
+}
+
 /**
  * All the auth definition parameters excluding username and password should be stored and resued.
  *
@@ -298,6 +313,7 @@ module.exports = {
         }
 
         var code,
+            nonceCount,
             realm,
             nonce,
             qop,
@@ -306,6 +322,7 @@ module.exports = {
             authParams = {};
 
         code = response.code;
+        nonceCount = auth.get('nonceCount');
         authHeader = _getDigestAuthHeader(response.headers);
 
         // If code is forbidden or unauthorized, and an auth header exists,
@@ -337,6 +354,8 @@ module.exports = {
             return done(null, false);
         }
 
+        auth.set('nonceCount', increaseNonceCount(nonceCount));
+
         done(null, true);
     },
 

package/lib/authorizer/edgegrid.js

@@ -88,15 +88,37 @@ var _ = require('lodash'),
         return encrypt.digest('base64');
     },
 
+    /**
+     * Trim the body if it exceeds the max body limit.
+     *
+     * @param {String|Buffer} body Request body
+     * @param {Number} size Maximum body size to hash
+     */
+    limitRequestBody = function (body, size) {
+        if (!body || size <= 0) { return EMPTY; }
+
+        if (!Buffer.isBuffer(body)) {
+            // We are converting the body to a buffer to obtain the exact byte length and to precisely trim the body.
+            body = Buffer.from(body);
+        }
+
+        if (body.byteLength > size) {
+            body = body.subarray(0, size);
+        }
+
+        return body;
+    },
+
     /**
      * Calculates body hash with given algorithm and digestEncoding.
      *
      * @param {RequestBody} body Request body
      * @param {String} algorithm Hash algorithm to use
      * @param {String} digestEncoding Encoding of the hash
+     * @param {Number} maxBodySize Maximum body size to hash
      * @param {Function} callback Callback function that will be called with body hash
      */
-    computeBodyHash = function (body, algorithm, digestEncoding, callback) {
+    computeBodyHash = function (body, algorithm, digestEncoding, maxBodySize, callback) {
         if (!(body && algorithm && digestEncoding) || body.isEmpty()) { return callback(); }
 
         var hash = crypto.createHash(algorithm),
@@ -107,7 +129,7 @@ var _ = require('lodash'),
 
         if (body.mode === RequestBody.MODES.raw) {
             rawBody = bodyBuilder.raw(body.raw).body;
-            hash.update(rawBody);
+            hash.update(limitRequestBody(rawBody, maxBodySize));
 
             return callback(hash.digest(digestEncoding));
         }
@@ -115,7 +137,7 @@ var _ = require('lodash'),
         if (body.mode === RequestBody.MODES.urlencoded) {
             urlencodedBody = bodyBuilder.urlencoded(body.urlencoded).form;
             urlencodedBody = urlEncoder.encodeQueryString(urlencodedBody);
-            hash.update(urlencodedBody);
+            hash.update(limitRequestBody(urlencodedBody, maxBodySize));
 
             return callback(hash.digest(digestEncoding));
         }
@@ -129,9 +151,13 @@ var _ = require('lodash'),
 
             return originalReadStream.cloneReadStream(function (err, clonedStream) {
                 if (err) { return callback(); }
+                let readBytes = 0;
 
                 clonedStream.on('data', function (chunk) {
-                    hash.update(chunk);
+                    if (readBytes <= maxBodySize) {
+                        hash.update(limitRequestBody(chunk, maxBodySize - readBytes));
+                        readBytes += chunk.byteLength;
+                    }
                 });
 
                 clonedStream.on('end', function () {
@@ -142,7 +168,7 @@ var _ = require('lodash'),
 
         if (body.mode === RequestBody.MODES.graphql) {
             graphqlBody = bodyBuilder.graphql(body.graphql).body;
-            hash.update(graphqlBody);
+            hash.update(limitRequestBody(graphqlBody, maxBodySize));
 
             return callback(hash.digest(digestEncoding));
         }
@@ -257,6 +283,7 @@ module.exports = {
     sign: function (auth, request, done) {
         var params = auth.get([
                 'accessToken',
+                'maxBodySize',
                 'clientToken',
                 'clientSecret',
                 'baseURL',
@@ -279,6 +306,7 @@ module.exports = {
         params.timestamp = params.timestamp || getTimestamp();
         params.url = url;
         params.method = request.method;
+        params.maxBodySize = params.maxBodySize || 131072; // 128 KB
 
         // ensure that headers are case-insensitive as specified in the documentation
         params.headers = request.getHeaders({ enabled: true, ignoreCase: true });
@@ -292,7 +320,7 @@ module.exports = {
 
         // only calculate body hash for POST requests according to specification
         if (request.method === 'POST') {
-            return computeBodyHash(request.body, 'sha256', 'base64', function (bodyHash) {
+            return computeBodyHash(request.body, 'sha256', 'base64', params.maxBodySize, function (bodyHash) {
                 params.bodyHash = bodyHash;
 
                 request.addHeader({

package/lib/authorizer/ntlm.js

@@ -150,7 +150,10 @@ module.exports = {
      * @param {AuthHandlerInterface~authPreHookCallback} done -
      */
     pre: function (auth, done) {
-        !auth.get(STATE) && auth.set(STATE, STATES.INITIALIZED);
+        if (!auth.get(STATE)) {
+            auth.set(STATE, STATES.INITIALIZED);
+            auth.set(NTLM_HEADER, undefined);
+        }
 
         done(null, true);
     },
@@ -176,10 +179,18 @@ module.exports = {
             challengeMessage, // type 2
             authenticateMessage, // type 3
             ntlmType2Header,
-            parsedParameters;
+            parsedParameters,
+
+            // resets the state and NTLM header and exits replay loop
+            resetStateAndStop = function (err) {
+                auth.set(STATE, STATES.INITIALIZED);
+                auth.set(NTLM_HEADER, undefined);
+
+                return done(err || null, true);
+            };
 
         if (response.code !== 401 && response.code !== 403) {
-            return done(null, true);
+            return resetStateAndStop();
         }
 
         // we try to extract domain from username if not specified.
@@ -193,7 +204,7 @@ module.exports = {
         if (state === STATES.INITIALIZED) {
             // Nothing to do if the server does not ask us for auth in the first place.
             if (!hasNTLMChallenge(response.headers)) {
-                return done(null, true);
+                return resetStateAndStop();
             }
 
             // Create a type 1 message to send to the server
@@ -223,13 +234,13 @@ module.exports = {
             });
 
             if (!ntlmType2Header) {
-                return done(new Error('ntlm: server did not send NTLM type 2 message'));
+                return resetStateAndStop(new Error('ntlm: server did not send NTLM type 2 message'));
             }
 
             challengeMessage = ntlmUtil.parseType2Message(ntlmType2Header.valueOf(), _.noop);
 
             if (!challengeMessage) {
-                return done(new Error('ntlm: server did not correctly process authentication request'));
+                return resetStateAndStop(new Error('ntlm: server did not correctly process authentication request'));
             }
 
             authenticateMessage = ntlmUtil.createType3Message(challengeMessage, {
@@ -248,11 +259,11 @@ module.exports = {
         }
         else if (state === STATES.T3_MSG_CREATED) {
             // Means we have tried to authenticate, so we should stop here without worrying about anything
-            return done(null, true);
+            return resetStateAndStop();
         }
 
         // We are in an undefined state
-        return done(null, true);
+        return resetStateAndStop();
     },
 
     /**

package/lib/runner/create-item-context.js

@@ -7,7 +7,7 @@ var _ = require('lodash'),
      */
     FUNCTION = 'function',
 
-    SAFE_CONTEXT_PROPERTIES = ['replayState', 'coords'];
+    SAFE_CONTEXT_PROPERTIES = ['replayState', 'coords', 'originalItem'];
 
 /**
  * Creates a context object to be used with `http-request.command` extension.
@@ -31,7 +31,7 @@ module.exports = function (payload, defaults) {
     !context.coords && (context.coords = payload.coords);
 
     // save original item for reference
-    context.originalItem = payload.item;
+    context.originalItem = context.originalItem || payload.item;
 
     // we clone item from the payload, so that we can make any changes we need there, without mutating the
     // collection

package/lib/runner/extensions/http-request.command.js

@@ -83,7 +83,7 @@ module.exports = {
 
                 // Helper function to call the afterRequest trigger.
                 afterRequest = function (err, response, request, cookies, history) {
-                    self.triggers.request(err, context.coords, response, request, payload.item, cookies, history);
+                    self.triggers.request(err, context.coords, response, request, context.item, cookies, history);
                 };
 
                 // Ensure that this is called.
@@ -159,7 +159,7 @@ module.exports = {
                         var nextPayload = {
                                 response: res,
                                 request: req,
-                                item: context.originalItem,
+                                item: context.item,
                                 cookies: cookies,
                                 coords: context.coords,
                                 history: history
@@ -188,9 +188,17 @@ module.exports = {
                             // replay controller invokes callback no. 1 when replaying the request
                             // invokes callback no. 2 when replay count has exceeded maximum limit
                             // @note: errors in replayed requests are passed to callback no. 1
+                            // @note: we are adding variables list to resolve variables after new context is created
                             return replayController.requestReplay(context,
                                 context.item,
-                                { source: replayOptions.helper },
+                                { source: replayOptions.helper, ..._.pick(payload, [
+                                    '_variables',
+                                    'data',
+                                    'environment',
+                                    'collectionVariables',
+                                    'globals',
+                                    'vaultSecrets'
+                                ]) },
                                 // new payload with response from replay is sent to `next`
                                 function (err, payloadFromReplay) { safeNext(err, payloadFromReplay); },
                                 // replay was stopped, move on with older payload

package/lib/runner/extensions/request.command.js

@@ -1,87 +1,7 @@
 var _ = require('lodash'),
-    sdk = require('postman-collection'),
     createItemContext = require('../create-item-context'),
+    { resolveVariables } = require('../util');
 
-    /**
-     * Resolve variables in item and auth in context.
-     *
-     * @param {ItemContext} context -
-     * @param {Item} [context.item] -
-     * @param {RequestAuth} [context.auth] -
-     * @param {Object} payload -
-     * @param {VariableScope} payload._variables -
-     * @param {Object} payload.data -
-     * @param {VariableScope} payload.environment -
-     * @param {VariableScope} payload.collectionVariables -
-     * @param {VariableScope} payload.globals -
-     * @param {VariableScope} payload.vaultSecrets -
-     */
-    resolveVariables = function (context, payload) {
-        if (!(context.item && context.item.request)) { return; }
-
-        // @todo - resolve variables in a more graceful way
-        var variableDefinitions = [
-                // extract the variable list from variable scopes
-                // @note: this is the order of precedence for variable resolution - don't change it
-                payload._variables.values,
-                payload.data,
-                payload.environment.values,
-                payload.collectionVariables.values,
-                payload.globals.values
-                // @note vault variables are added later
-            ],
-
-            hasVaultSecrets = payload.vaultSecrets.values.count() > 0,
-
-            urlObj = context.item.request.url,
-            // @note URL string is used to resolve nested variables as URL parser doesn't support them well.
-            urlString = urlObj.toString(),
-            unresolvedUrlString = urlString,
-
-            vaultVariables,
-            vaultUrl,
-            item,
-            auth;
-
-        if (hasVaultSecrets) {
-            // get the vault variables that match the unresolved URL string
-            vaultUrl = urlObj.protocol ? urlString : `http://${urlString}`; // force protocol
-            vaultVariables = payload.vaultSecrets.__getMatchingVariables(vaultUrl);
-
-            // resolve variables in URL string with initial vault variables
-            urlString = sdk.Property.replaceSubstitutions(urlString, [...variableDefinitions, vaultVariables]);
-
-            if (urlString !== unresolvedUrlString) {
-                // get the final list of vault variables that match the resolved URL string
-                vaultUrl = new sdk.Url(urlString).toString(true);
-                vaultVariables = payload.vaultSecrets.__getMatchingVariables(vaultUrl);
-
-                // resolve vault variables in URL string
-                // @note other variable scopes are skipped as they are already resolved
-                urlString = sdk.Property.replaceSubstitutions(urlString, [vaultVariables]);
-            }
-
-            // add vault variables to the list of variable definitions
-            variableDefinitions.push(vaultVariables);
-        }
-        else if (urlString) {
-            urlString = sdk.Property.replaceSubstitutions(urlString, variableDefinitions);
-        }
-
-        // @todo - no need to sync variables when SDK starts supporting resolution from scope directly
-        // @todo - avoid resolving the entire item as this unnecessarily resolves URL
-        item = context.item = new sdk.Item(context.item.toObjectResolved(null,
-            variableDefinitions, { ignoreOwnVariables: true }));
-
-        // re-parse and update the URL from the resolved string
-        urlString && (item.request.url = new sdk.Url(urlString));
-
-        auth = context.auth;
-
-        // resolve variables in auth
-        auth && (context.auth = new sdk.RequestAuth(auth.toObjectResolved(null,
-            variableDefinitions, { ignoreOwnVariables: true })));
-    };
 
 module.exports = {
     init: function (done) {

package/lib/runner/replay-controller.js

@@ -1,5 +1,6 @@
 var _ = require('lodash'),
     createItemContext = require('./create-item-context'),
+    { resolveVariables } = require('./util'),
 
     // total number of replays allowed
     MAX_REPLAY_COUNT = 3,
@@ -54,6 +55,8 @@ _.assign(ReplayController.prototype, /** @lends ReplayController.prototype */{
         // create item context from the new item
         payload.context = createItemContext(payload, context);
 
+        resolveVariables(payload.context, payload);
+
         this.run.immediate('httprequest', payload)
             .done(function (response) {
                 success(null, response);

package/lib/runner/request-helpers-presend.js

@@ -314,15 +314,18 @@ module.exports = [
 
                 // prepare for sending intermediate request
                 var replayController = new ReplayController(context.replayState, run),
-                    item = new sdk.Item({ request });
+                    item = new sdk.Item({ request }),
+                    originalItem = context.originalItem;
 
                 // auth handler gave a no go, and an intermediate request.
                 // make the intermediate request the response is passed to `init` hook
-                replayController.requestReplay(context,
+                // we are overriding the originalItem because in pre we have a entire new request
+                replayController.requestReplay(_.assign(context, { originalItem: item }),
                     item,
                     // marks the auth as source for intermediate request
                     { source: auth.type + DOT_AUTH },
                     function (err, response) {
+                        context.originalItem = originalItem; // reset the original item
                         // errors for intermediate requests are passed to request callback
                         // passing it here will add it to original request as well, so don't do it
                         if (err) { return done(); }
@@ -343,6 +346,7 @@ module.exports = [
                         });
                     },
                     function (err) {
+                        context.originalItem = originalItem; // reset the original item
                         // warn users that maximum retries have exceeded
                         if (err) {
                             run.triggers.console(context.coords,

package/lib/runner/util.js

@@ -1,4 +1,6 @@
 var { Url, UrlMatchPatternList, VariableList } = require('postman-collection'),
+    sdk = require('postman-collection'),
+    _ = require('lodash'),
 
     /**
      * @const
@@ -234,5 +236,87 @@ module.exports = {
 
         // mark the scope as a vault variable scope
         scope.__vaultVariableScope = true;
+    },
+
+    /**
+     * Resolve variables in item and auth in context.
+     *
+     * @param {ItemContext} context -
+     * @param {Item} [context.item] -
+     * @param {RequestAuth} [context.auth] -
+     * @param {Object} payload -
+     * @param {VariableScope} payload._variables -
+     * @param {Object} payload.data -
+     * @param {VariableScope} payload.environment -
+     * @param {VariableScope} payload.collectionVariables -
+     * @param {VariableScope} payload.globals -
+     * @param {VariableScope} payload.vaultSecrets -
+     */
+    resolveVariables (context, payload) {
+        if (!(context.item && context.item.request)) { return; }
+
+        // @todo - resolve variables in a more graceful way
+        var variableDefinitions = [
+            // extract the variable list from variable scopes
+            // @note: this is the order of precedence for variable resolution - don't change it
+                _.get(payload, '_variables.values', []),
+                _.get(payload, 'data', []),
+                _.get(payload, 'environment.values', []),
+                _.get(payload, 'collectionVariables.values', []),
+                _.get(payload, 'globals.values', [])
+            // @note vault variables are added later
+            ],
+            vaultValues = _.get(payload, 'vaultSecrets.values'),
+
+            hasVaultSecrets = vaultValues ? vaultValues.count() > 0 : false,
+
+            urlObj = context.item.request.url,
+            // @note URL string is used to resolve nested variables as URL parser doesn't support them well.
+            urlString = urlObj.toString(),
+            unresolvedUrlString = urlString,
+
+            vaultVariables,
+            vaultUrl,
+            item,
+            auth;
+
+        if (hasVaultSecrets) {
+        // get the vault variables that match the unresolved URL string
+            vaultUrl = urlObj.protocol ? urlString : `http://${urlString}`; // force protocol
+            vaultVariables = payload.vaultSecrets.__getMatchingVariables(vaultUrl);
+
+            // resolve variables in URL string with initial vault variables
+            urlString = sdk.Property.replaceSubstitutions(urlString, [...variableDefinitions, vaultVariables]);
+
+            if (urlString !== unresolvedUrlString) {
+            // get the final list of vault variables that match the resolved URL string
+                vaultUrl = new sdk.Url(urlString).toString(true);
+                vaultVariables = payload.vaultSecrets.__getMatchingVariables(vaultUrl);
+
+                // resolve vault variables in URL string
+                // @note other variable scopes are skipped as they are already resolved
+                urlString = sdk.Property.replaceSubstitutions(urlString, [vaultVariables]);
+            }
+
+            // add vault variables to the list of variable definitions
+            variableDefinitions.push(vaultVariables);
+        }
+        else if (urlString) {
+            urlString = sdk.Property.replaceSubstitutions(urlString, variableDefinitions);
+        }
+
+        // @todo - no need to sync variables when SDK starts supporting resolution from scope directly
+        // @todo - avoid resolving the entire item as this unnecessarily resolves URL
+        item = context.item = new sdk.Item(context.item.toObjectResolved(null,
+            variableDefinitions, { ignoreOwnVariables: true }));
+
+        // re-parse and update the URL from the resolved string
+        urlString && (item.request.url = new sdk.Url(urlString));
+
+        auth = context.auth;
+
+        // resolve variables in auth
+        auth && (context.auth = new sdk.RequestAuth(auth.toObjectResolved(null,
+            variableDefinitions, { ignoreOwnVariables: true })));
     }
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "postman-runtime",
-  "version": "7.37.3",
+  "version": "7.39.0",
   "description": "Underlying library of executing Postman Collections",
   "author": "Postman Inc.",
   "license": "Apache-2.0",
@@ -56,7 +56,7 @@
     "performance-now": "2.1.0",
     "postman-collection": "4.4.0",
     "postman-request": "2.88.1-postman.33",
-    "postman-sandbox": "4.6.2",
+    "postman-sandbox": "4.7.1",
     "postman-url-encoder": "3.0.5",
     "serialised-error": "1.1.3",
     "strip-json-comments": "3.1.1",
@@ -93,7 +93,7 @@
     "shelljs": "^0.8.5",
     "sinon": "^12.0.1",
     "teleport-javascript": "^1.0.0",
-    "terser": "^5.30.0",
+    "terser": "^5.30.2",
     "tmp": "^0.2.3",
     "webpack": "^5.91.0",
     "yankee": "^1.0.8"