npm - securenow - Versions diffs - 5.5.0 → 5.6.0 - Mend

securenow 5.5.0 → 5.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/cli.js CHANGED Viewed

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 'use strict';
 const ui = require('./cli/ui');

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.5.0",
+  "version": "5.6.0",
   "description": "OpenTelemetry instrumentation for Node.js and Next.js - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.d.ts CHANGED Viewed

@@ -178,5 +178,6 @@ export const loggerProvider: LoggerProvider | null;
  * - SECURENOW_DISABLE_INSTRUMENTATIONS=pkg1,pkg2
  * - OTEL_LOG_LEVEL=info|debug
  * - SECURENOW_TEST_SPAN=1
+ * - SECURENOW_TRUSTED_PROXIES=ip1,ip2       # Additional trusted proxy IPs for X-Forwarded-For
  * - OTEL_EXPORTER_OTLP_LOGS_ENDPOINT=...    # Override logs endpoint
  */

package/tracing.js CHANGED Viewed

@@ -188,11 +188,74 @@ const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB
 const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
 const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+// -------- Trusted proxy IP resolution --------
+// Only trust X-Forwarded-For / X-Real-IP when the direct connection comes from
+// a known proxy (loopback, private RFC-1918/RFC-4193, or an explicit allowlist).
+// This prevents end-users from spoofing their IP via custom headers.
+const os = require('os');
+const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
+const PRIVATE_IP_RE = /^(127\.|::1|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|fc|fd)/;
+const trustedProxyCsv = (env('SECURENOW_TRUSTED_PROXIES') || '').trim();
+const trustedProxySet = trustedProxyCsv ? new Set(trustedProxyCsv.split(',').map(s => s.trim()).filter(Boolean)) : null;
+// Resolve the host's actual network IP once at startup (used when socket is loopback)
+let _hostIp = null;
+function getHostIp() {
+  if (_hostIp !== null) return _hostIp;
+  try {
+    const ifaces = os.networkInterfaces();
+    for (const name of Object.keys(ifaces)) {
+      for (const iface of ifaces[name]) {
+        if (!iface.internal && iface.family === 'IPv4') { _hostIp = iface.address; return _hostIp; }
+      }
+    }
+  } catch (_) {}
+  _hostIp = '';
+  return _hostIp;
+}
+function isFromTrustedProxy(socketIp) {
+  if (!socketIp) return false;
+  const normalized = socketIp.replace(/^::ffff:/, '');
+  if (trustedProxySet && trustedProxySet.has(normalized)) return true;
+  return PRIVATE_IP_RE.test(socketIp);
+}
+function resolveClientIp(request) {
+  const socketIp = request.socket?.remoteAddress || '';
+  if (!isFromTrustedProxy(socketIp)) return socketIp;
+  // Connection is from a trusted proxy — read the leftmost untrusted IP
+  const fwd = request.headers['x-forwarded-for'];
+  if (fwd) {
+    const chain = String(fwd).split(',').map(s => s.trim()).filter(Boolean);
+    for (let i = chain.length - 1; i >= 0; i--) {
+      if (!isFromTrustedProxy(chain[i])) return chain[i];
+    }
+    return chain[0] || socketIp;
+  }
+  const headerIp = request.headers['x-real-ip'];
+  if (headerIp) return headerIp;
+  // Loopback means the client is on this machine — use the host's network IP
+  // so traces are attributed to the actual machine, not a useless ::1 / 127.0.0.1
+  if (LOOPBACK_RE.test(socketIp)) {
+    const hostIp = getHostIp();
+    if (hostIp) return hostIp;
+  }
+  return socketIp;
+}
 // Configure HTTP instrumentation with body capture
 const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
 const httpInstrumentation = new HttpInstrumentation({
   requestHook: (span, request) => {
     try {
+      const clientIp = resolveClientIp(request);
+      if (clientIp) {
+        span.setAttribute('http.client_ip', clientIp);
+      }
       if (captureBody && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
         const contentType = request.headers['content-type'] || '';
@@ -293,6 +356,26 @@ if (loggingEnabled) {
     resource: sharedResource,
   });
   loggerProvider.addLogRecordProcessor(batchLogProcessor);
+  // Auto-patch console.* so every log/warn/error becomes an OTel log record
+  const _logger = loggerProvider.getLogger('console', '1.0.0');
+  const _orig = { log: console.log, info: console.info, warn: console.warn, error: console.error, debug: console.debug };
+  const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
+  function _emit(sn, st, args) {
+    try {
+      _logger.emit({
+        severityNumber: sn,
+        severityText: st,
+        body: args.map(a => (typeof a === 'object' && a !== null) ? JSON.stringify(a) : String(a)).join(' '),
+        attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
+      });
+    } catch (_) {}
+  }
+  console.log   = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.log.apply(console, a); };
+  console.info  = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.info.apply(console, a); };
+  console.warn  = function (...a) { _emit(SEV.WARN,  'WARN',  a); _orig.warn.apply(console, a); };
+  console.error = function (...a) { _emit(SEV.ERROR, 'ERROR', a); _orig.error.apply(console, a); };
+  console.debug = function (...a) { _emit(SEV.DEBUG, 'DEBUG', a); _orig.debug.apply(console, a); };
 }
 // -------- SDK --------