securenow 5.10.2 → 5.11.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.10.2",
+  "version": "5.11.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",
@@ -33,7 +33,11 @@
     "nuxt",
     "nuxt3",
     "nitro",
-    "vue"
+    "vue",
+    "firewall",
+    "ip-blocking",
+    "waf",
+    "security"
   ],
   "exports": {
     ".": {
@@ -74,6 +78,15 @@
       "import": "./nuxt.mjs",
       "default": "./nuxt.mjs"
     },
+    "./firewall": {
+      "default": "./firewall.js"
+    },
+    "./cidr": {
+      "default": "./cidr.js"
+    },
+    "./resolve-ip": {
+      "default": "./resolve-ip.js"
+    },
     "./register-vite": "./register-vite.js",
     "./web-vite": {
       "import": "./web-vite.mjs",
@@ -101,6 +114,12 @@
     "cli.js",
     "cli/",
     "free-trial-banner.js",
+    "resolve-ip.js",
+    "cidr.js",
+    "firewall.js",
+    "firewall-tcp.js",
+    "firewall-iptables.js",
+    "firewall-cloud.js",
     "postinstall.js",
     "register-vite.js",
     "web-vite.mjs",
@@ -134,7 +153,9 @@
   },
   "peerDependencies": {
     "next": ">=13.0.0",
-    "nuxt": ">=3.0.0"
+    "nuxt": ">=3.0.0",
+    "@aws-sdk/client-wafv2": ">=3.0.0",
+    "@google-cloud/compute": ">=4.0.0"
   },
   "peerDependenciesMeta": {
     "next": {
@@ -142,6 +163,12 @@
     },
     "nuxt": {
       "optional": true
+    },
+    "@aws-sdk/client-wafv2": {
+      "optional": true
+    },
+    "@google-cloud/compute": {
+      "optional": true
     }
   },
   "overrides": {

package/resolve-ip.js

@@ -0,0 +1,77 @@
+'use strict';
+
+const os = require('os');
+
+const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
+const PRIVATE_IP_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
+
+const trustedProxyCsv = (process.env.SECURENOW_TRUSTED_PROXIES || '').trim();
+const trustedProxySet = trustedProxyCsv
+  ? new Set(trustedProxyCsv.split(',').map(s => s.trim()).filter(Boolean))
+  : null;
+
+let _hostIp = null;
+function getHostIp() {
+  if (_hostIp !== null) return _hostIp;
+  try {
+    const ifaces = os.networkInterfaces();
+    for (const name of Object.keys(ifaces)) {
+      for (const iface of ifaces[name]) {
+        if (!iface.internal && iface.family === 'IPv4') { _hostIp = iface.address; return _hostIp; }
+      }
+    }
+  } catch (_) {}
+  _hostIp = '';
+  return _hostIp;
+}
+
+function isFromTrustedProxy(socketIp) {
+  if (!socketIp) return false;
+  const normalized = socketIp.replace(/^::ffff:/, '');
+  if (trustedProxySet && trustedProxySet.has(normalized)) return true;
+  return PRIVATE_IP_RE.test(socketIp);
+}
+
+/**
+ * Resolve the real client IP from an HTTP request, respecting trusted proxies.
+ * Reads X-Forwarded-For / X-Real-IP only when the direct connection comes
+ * from a private/trusted proxy IP. Prevents client-side IP spoofing.
+ */
+function resolveClientIp(request) {
+  const socketIp = request.socket?.remoteAddress || '';
+  if (!isFromTrustedProxy(socketIp)) return socketIp;
+
+  const fwd = request.headers['x-forwarded-for'];
+  if (fwd) {
+    const chain = String(fwd).split(',').map(s => s.trim()).filter(Boolean);
+    for (let i = chain.length - 1; i >= 0; i--) {
+      if (!isFromTrustedProxy(chain[i])) return chain[i];
+    }
+    return socketIp;
+  }
+  const headerIp = request.headers['x-real-ip'];
+  if (headerIp) return headerIp;
+
+  if (LOOPBACK_RE.test(socketIp)) {
+    const hostIp = getHostIp();
+    if (hostIp) return hostIp;
+  }
+  return socketIp;
+}
+
+/**
+ * Resolve IP from a raw TCP socket (no HTTP headers available).
+ * Normalizes IPv6-mapped IPv4 addresses.
+ */
+function resolveSocketIp(socket) {
+  const raw = socket?.remoteAddress || '';
+  return raw.replace(/^::ffff:/, '');
+}
+
+module.exports = {
+  resolveClientIp,
+  resolveSocketIp,
+  isFromTrustedProxy,
+  LOOPBACK_RE,
+  PRIVATE_IP_RE,
+};

package/tracing.js

@@ -327,62 +327,7 @@ const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveField
 const captureMultipart = String(env('SECURENOW_CAPTURE_MULTIPART')) === '1' || String(env('SECURENOW_CAPTURE_MULTIPART')).toLowerCase() === 'true';
 
 // -------- Trusted proxy IP resolution --------
-// Only trust X-Forwarded-For / X-Real-IP when the direct connection comes from
-// a known proxy (loopback, private RFC-1918/RFC-4193, or an explicit allowlist).
-// This prevents end-users from spoofing their IP via custom headers.
-const os = require('os');
-const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
-const PRIVATE_IP_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
-const trustedProxyCsv = (env('SECURENOW_TRUSTED_PROXIES') || '').trim();
-const trustedProxySet = trustedProxyCsv ? new Set(trustedProxyCsv.split(',').map(s => s.trim()).filter(Boolean)) : null;
-
-// Resolve the host's actual network IP once at startup (used when socket is loopback)
-let _hostIp = null;
-function getHostIp() {
-  if (_hostIp !== null) return _hostIp;
-  try {
-    const ifaces = os.networkInterfaces();
-    for (const name of Object.keys(ifaces)) {
-      for (const iface of ifaces[name]) {
-        if (!iface.internal && iface.family === 'IPv4') { _hostIp = iface.address; return _hostIp; }
-      }
-    }
-  } catch (_) {}
-  _hostIp = '';
-  return _hostIp;
-}
-
-function isFromTrustedProxy(socketIp) {
-  if (!socketIp) return false;
-  const normalized = socketIp.replace(/^::ffff:/, '');
-  if (trustedProxySet && trustedProxySet.has(normalized)) return true;
-  return PRIVATE_IP_RE.test(socketIp);
-}
-
-function resolveClientIp(request) {
-  const socketIp = request.socket?.remoteAddress || '';
-  if (!isFromTrustedProxy(socketIp)) return socketIp;
-
-  // Connection is from a trusted proxy — read the leftmost untrusted IP
-  const fwd = request.headers['x-forwarded-for'];
-  if (fwd) {
-    const chain = String(fwd).split(',').map(s => s.trim()).filter(Boolean);
-    for (let i = chain.length - 1; i >= 0; i--) {
-      if (!isFromTrustedProxy(chain[i])) return chain[i];
-    }
-    return socketIp;
-  }
-  const headerIp = request.headers['x-real-ip'];
-  if (headerIp) return headerIp;
-
-  // Loopback means the client is on this machine — use the host's network IP
-  // so traces are attributed to the actual machine, not a useless ::1 / 127.0.0.1
-  if (LOOPBACK_RE.test(socketIp)) {
-    const hostIp = getHostIp();
-    if (hostIp) return hostIp;
-  }
-  return socketIp;
-}
+const { resolveClientIp, isFromTrustedProxy, LOOPBACK_RE } = require('./resolve-ip');
 
 // Configure HTTP instrumentation with body capture
 const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
@@ -394,6 +339,19 @@ const httpInstrumentation = new HttpInstrumentation({
         span.setAttribute('http.client_ip', clientIp);
       }
 
+      if (request.headers) {
+        const SKIP_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization', 'set-cookie', 'x-api-key', 'x-auth-token']);
+        const safe = {};
+        for (const [k, v] of Object.entries(request.headers)) {
+          if (SKIP_HEADERS.has(k.toLowerCase())) { safe[k] = '[REDACTED]'; continue; }
+          safe[k] = typeof v === 'string' ? v.substring(0, 500) : String(v);
+        }
+        const serialized = JSON.stringify(safe);
+        if (serialized.length <= 8192) {
+          span.setAttribute('http.request.headers', serialized);
+        }
+      }
+
       if ((captureBody || captureMultipart) && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
         const contentType = request.headers['content-type'] || '';
         
@@ -591,6 +549,22 @@ const sdk = new NodeSDK({
     if (isFreeTrial(endpointBase) && String(env('SECURENOW_HIDE_BANNER')) !== '1') {
       patchHttpForBanner();
     }
+
+    // Firewall — auto-activates when SECURENOW_API_KEY is set
+    const firewallApiKey = env('SECURENOW_API_KEY');
+    if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+      require('./firewall').init({
+        apiKey: firewallApiKey,
+        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
+        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 60,
+        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
+        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
+        log: env('SECURENOW_FIREWALL_LOG') !== '0',
+        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
+        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
+        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+      });
+    }
   } catch (e) {
     console.error('[securenow] OTel start failed:', e && e.stack || e);
   }
@@ -605,6 +579,7 @@ async function safeShutdown(sig) {
     if (loggerProvider) {
       await Promise.resolve(loggerProvider.shutdown?.());
     }
+    try { require('./firewall').shutdown(); } catch (_) {}
     console.log(`[securenow] Tracing and logging terminated on ${sig}`); 
   }
   catch (e) { console.error('[securenow] Shutdown error:', e); }