npm - securenow - Versions diffs - 5.9.0 → 5.10.1 - Mend

securenow 5.9.0 → 5.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/console-instrumentation.js +6 -0
package/nextjs-auto-capture.js +1 -9
package/nextjs-middleware.js +2 -2
package/nextjs-wrapper.js +1 -1
package/nextjs.js +27 -130
package/package.json +1 -1
package/tracing.js +5 -4
package/web-vite.mjs +11 -13

package/console-instrumentation.js CHANGED Viewed

@@ -36,6 +36,12 @@ if (!logger) {
   return;
 }
+if (console.__securenow_patched) {
+  console.warn('[securenow] Console already instrumented by tracing.js — skipping to avoid duplicate logs.');
+  module.exports = {};
+  return;
+}
 // Store original console methods
 const originalConsole = {
   log: console.log,

package/nextjs-auto-capture.js CHANGED Viewed

@@ -54,7 +54,7 @@ async function safeBodyCapture(request, span) {
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = parseInt(process.env.SECURENOW_MAX_BODY_SIZE || '10240');
+    const maxBodySize = Math.max(1024, parseInt(process.env.SECURENOW_MAX_BODY_SIZE, 10) || 10240);
     const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
@@ -139,7 +139,6 @@ function patchNextRequest() {
   const originalText = Request.prototype.text;
   const originalJson = Request.prototype.json;
-  const originalFormData = Request.prototype.formData;
   // Patch text() to cache result
   Request.prototype.text = async function() {
@@ -171,13 +170,6 @@ function patchNextRequest() {
     return JSON.parse(text);
   };
-  // Patch formData() to cache and capture
-  Request.prototype.formData = async function() {
-    const text = await this.text();
-    const params = new URLSearchParams(text);
-    return params;
-  };
   console.log('[securenow] ✅ Auto-capture: Patched Next.js Request for automatic body capture');
 }

package/nextjs-middleware.js CHANGED Viewed

@@ -99,7 +99,7 @@ async function middleware(request) {
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = parseInt(process.env.SECURENOW_MAX_BODY_SIZE || '10240');
+    const maxBodySize = Math.max(1024, parseInt(process.env.SECURENOW_MAX_BODY_SIZE, 10) || 10240);
     const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
@@ -124,7 +124,7 @@ async function middleware(request) {
             const redacted = redactSensitiveData(parsed, allSensitiveFields);
             redactedBody = JSON.stringify(redacted);
           } catch (e) {
-            redactedBody = bodyText; // Keep as-is if parse fails
+            redactedBody = '[UNPARSEABLE - REDACTED FOR SAFETY]';
           }
         }

package/nextjs-wrapper.js CHANGED Viewed

@@ -60,7 +60,7 @@ async function captureRequestBody(request) {
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = parseInt(process.env.SECURENOW_MAX_BODY_SIZE || '10240');
+    const maxBodySize = Math.max(1024, parseInt(process.env.SECURENOW_MAX_BODY_SIZE, 10) || 10240);
     const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];

package/nextjs.js CHANGED Viewed

@@ -68,10 +68,9 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
-    // Check if field is sensitive
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
       redacted[key] = '[REDACTED]';
     } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
@@ -83,6 +82,10 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   return redacted;
 }
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
 /**
  * Redact sensitive data from GraphQL query strings
  */
@@ -94,10 +97,10 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   // Redact sensitive fields in GraphQL arguments and variables
   // Matches patterns like: password: "value" or password:"value" or password:'value'
   sensitiveFields.forEach(field => {
-    // Match field: "value" or field: 'value' or field:"value" (with optional spaces)
+    const escaped = escapeRegex(field);
     const patterns = [
-      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
     ];
     patterns.forEach(pattern => {
@@ -114,115 +117,6 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   return redacted;
 }
-/**
- * Parse and capture request body safely
- */
-async function captureRequestBody(request, maxSize = 10240) {
-  try {
-    const contentType = request.headers['content-type'] || '';
-    let body = '';
-    // Collect body chunks
-    const chunks = [];
-    let size = 0;
-    return new Promise((resolve) => {
-      request.on('data', (chunk) => {
-        size += chunk.length;
-        if (size <= maxSize) {
-          chunks.push(chunk);
-        }
-      });
-      request.on('end', () => {
-        if (size > maxSize) {
-          resolve({
-            captured: false,
-            reason: `Body too large (${size} bytes > ${maxSize} bytes)`,
-            size
-          });
-          return;
-        }
-        body = Buffer.concat(chunks).toString('utf8');
-        // Parse based on content type
-        if (contentType.includes('application/json')) {
-          try {
-            const parsed = JSON.parse(body);
-            resolve({
-              captured: true,
-              type: 'json',
-              body: parsed,
-              size
-            });
-          } catch (e) {
-            resolve({
-              captured: true,
-              type: 'json',
-              body: body.substring(0, 1000),
-              parseError: true,
-              size
-            });
-          }
-        } else if (contentType.includes('application/graphql')) {
-          // GraphQL queries need redaction too!
-          resolve({
-            captured: true,
-            type: 'graphql',
-            body: body,  // Will be redacted later
-            size
-          });
-        } else if (contentType.includes('multipart/form-data')) {
-          // Multipart is NOT captured (files can be huge)
-          resolve({
-            captured: false,
-            type: 'multipart',
-            reason: 'Multipart data not captured (file uploads)',
-            size
-          });
-        } else if (contentType.includes('application/x-www-form-urlencoded')) {
-          try {
-            const params = new URLSearchParams(body);
-            const parsed = Object.fromEntries(params);
-            resolve({
-              captured: true,
-              type: 'form',
-              body: parsed,
-              size
-            });
-          } catch (e) {
-            resolve({
-              captured: true,
-              type: 'form',
-              body: body.substring(0, 1000),
-              size
-            });
-          }
-        } else {
-          resolve({
-            captured: true,
-            type: 'text',
-            body: body.substring(0, 1000),
-            size
-          });
-        }
-      });
-      request.on('error', () => {
-        resolve({ captured: false, reason: 'Stream error' });
-      });
-      // Timeout after 100ms
-      setTimeout(() => {
-        resolve({ captured: false, reason: 'Timeout' });
-      }, 100);
-    });
-  } catch (error) {
-    return { captured: false, reason: error.message };
-  }
-}
 /**
  * Register SecureNow OpenTelemetry for Next.js using @vercel/otel
  * @param {Object} options - Optional configuration
@@ -281,10 +175,9 @@ function registerSecureNow(options = {}) {
     const tracesUrl = env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
     const logsUrl = env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
-    // Set environment variables for @vercel/otel to pick up
-    process.env.OTEL_SERVICE_NAME = serviceName;
-    process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
-    process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
+    if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
+    if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
+    if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
     console.log('[securenow] 🚀 Next.js App → service.name=%s', serviceName);
@@ -292,7 +185,7 @@ function registerSecureNow(options = {}) {
     const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' ||
                        String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true' ||
                        options.captureBody === true;
-    const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB default
+    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
     const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
@@ -326,14 +219,19 @@ function registerSecureNow(options = {}) {
           const clientIp = headers['x-client-ip'];
           const socketIp = request.socket?.remoteAddress;
-          // Primary IP (first in chain is the real client)
-          const primaryIp =
-            (forwardedFor ? forwardedFor.split(',')[0]?.trim() : null) ||
-            realIp ||
-            cfConnectingIp ||
-            clientIp ||
-            socketIp ||
-            'unknown';
+          const PRIVATE_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
+          const isProxied = socketIp && PRIVATE_RE.test(socketIp);
+          let primaryIp = socketIp || 'unknown';
+          if (isProxied) {
+            if (forwardedFor) {
+              const chain = forwardedFor.split(',').map(s => s.trim()).filter(Boolean);
+              for (let i = chain.length - 1; i >= 0; i--) {
+                if (!PRIVATE_RE.test(chain[i])) { primaryIp = chain[i]; break; }
+              }
+            } else {
+              primaryIp = realIp || cfConnectingIp || clientIp || primaryIp;
+            }
+          }
           // ======== PROTOCOL & CONNECTION ========
           const scheme = headers['x-forwarded-proto'] ||
@@ -588,10 +486,9 @@ function registerSecureNow(options = {}) {
                 const start = Date.now();
                 const method = req.method;
                 const url = req.url;
-                const reqCtx = otelContext.active();
-                const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
                 res.on('finish', () => {
+                  const reqCtx = otelContext.active();
+                  const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
                   const duration = Date.now() - start;
                   const status = res.statusCode;
                   const ip = req.headers['x-forwarded-for'] || req.headers['x-real-ip'] || req.socket?.remoteAddress || '-';

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.9.0",
+  "version": "5.10.1",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js CHANGED Viewed

@@ -370,7 +370,7 @@ function resolveClientIp(request) {
     for (let i = chain.length - 1; i >= 0; i--) {
       if (!isFromTrustedProxy(chain[i])) return chain[i];
     }
-    return chain[0] || socketIp;
+    return socketIp;
   }
   const headerIp = request.headers['x-real-ip'];
   if (headerIp) return headerIp;
@@ -394,12 +394,12 @@ const httpInstrumentation = new HttpInstrumentation({
         span.setAttribute('http.client_ip', clientIp);
       }
-      if (captureBody && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
+      if ((captureBody || captureMultipart) && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
         const contentType = request.headers['content-type'] || '';
-        if (contentType.includes('application/json') ||
+        if (captureBody && (contentType.includes('application/json') ||
             contentType.includes('application/graphql') ||
-            contentType.includes('application/x-www-form-urlencoded')) {
+            contentType.includes('application/x-www-form-urlencoded'))) {
           let body = '';
           const chunks = [];
@@ -545,6 +545,7 @@ if (loggingEnabled) {
   console.warn  = function (...a) { _emit(SEV.WARN,  'WARN',  a); _orig.warn.apply(console, a); };
   console.error = function (...a) { _emit(SEV.ERROR, 'ERROR', a); _orig.error.apply(console, a); };
   console.debug = function (...a) { _emit(SEV.DEBUG, 'DEBUG', a); _orig.debug.apply(console, a); };
+  console.__securenow_patched = true;
 }
 // -------- SDK --------

package/web-vite.mjs CHANGED Viewed

@@ -72,20 +72,19 @@ function uuidv4(): string {
 }
 let serviceName: string;
+let disabled = false;
 if (baseName) {
   serviceName = noUuid ? baseName : `${baseName}-${uuidv4()}`;
 } else {
   if (strict) {
     console.error('[securenow/web-vite] FATAL: SECURENOW_APPID/OTEL_SERVICE_NAME missing and SECURENOW_STRICT=1. Tracing disabled.');
-    // Do not start tracing
     // @ts-expect-error
     window.__SECURENOW_DISABLED__ = true;
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const _noop = true;
-    // early return by throwing a no-op error caught below:
-    throw new Error('__SECURENOW_NO_START__');
+    disabled = true;
+    serviceName = 'disabled';
+  } else {
+    serviceName = `securenow-free-${uuidv4()}`;
   }
-  serviceName = `securenow-free-${uuidv4()}`;
 }
 const instancePrefix = baseName || 'securenow';
@@ -109,7 +108,7 @@ try {
 let started = false;
 export function startSecurenowWeb() {
-  if (started) return;
+  if (started || disabled) return;
   started = true;
   const exporter = new OTLPTraceExporter({
@@ -145,9 +144,10 @@ export function startSecurenowWeb() {
   // Optional smoke span (same flag name)
   if (String(env('SECURENOW_TEST_SPAN')) === '1') {
-    const api = await import('@opentelemetry/api');
-    const tracer = api.trace.getTracer('securenow-smoke');
-    const span = tracer.startSpan('securenow.startup.smoke.web'); span.end();
+    import('@opentelemetry/api').then(api => {
+      const tracer = api.trace.getTracer('securenow-smoke');
+      const span = tracer.startSpan('securenow.startup.smoke.web'); span.end();
+    }).catch(() => {});
   }
   // eslint-disable-next-line no-console
@@ -233,9 +233,7 @@ try {
   startSecurenowWeb();
   injectFreeTrialBanner();
 } catch (e: any) {
-  if (String(e?.message) !== '__SECURENOW_NO_START__') {
-    console.error('[securenow/web-vite] failed to start:', e);
-  }
+  console.error('[securenow/web-vite] failed to start:', e);
 }
 export default startSecurenowWeb;