hyperswitch - npm Package Compare versions

Comparing version 0.4.10 to 0.5.0

lib/filters/http.js

@@ -29,6 +29,2 @@ "use strict";
     req.headers = req.headers || {};
-    req.headers['user-agent'] = hyper._rootReq.headers['user-agent']
-        || req.headers['user-agent']
-        || hyper.config.user_agent;
-    hyper.setRequestId(req);
     hyper.log('trace/webrequest', {
@@ -41,8 +37,44 @@ req: req,
 
-    if (match.matcher.forward_headers) {
-        if (hyper.ctx.headers) {
-            req.headers = req.headers || {};
+
+    // The request ID is not personally identifyable information without
+    // access to logstash, so always set / forward it.
+    hyper.setRequestId(req);
+
+    var forwardHeaders = match.matcher.forward_headers;
+
+    // General precedence:
+    // 1) req.headers
+    // 2) hyper.ctx.headers (default: user-agent, x-forwarded-for &
+    //    x-client-ip)
+    function forwardHeader(name, defaultVal) {
+        if (forwardHeaders === true || forwardHeaders[name]) {
+            var newVal = req.headers[name] || defaultVal;
+            if (newVal === undefined) {
+                newVal = hyper.ctx.headers[name];
+            }
+            if (newVal === undefined && name === 'user-agent') {
+                newVal = hyper.config.user_agent;
+            }
+
+            if (newVal) {
+                req.headers[name] = newVal;
+            }
+        }
+    }
+
+    if (forwardHeaders) {
+        // All headers but the random request ID are potentially personally
+        // identifyable information, so only forward it to explicitly trusted
+        // services.
+
+        if (forwardHeaders === true) {
             Object.keys(hyper.ctx.headers).forEach(function(headerName) {
-                req.headers[headerName] = req.headers[headerName] || hyper.ctx.headers[headerName];
+                forwardHeader(headerName);
             });
+        } else {
+            // forwardHeaders is an object indicating which headers to
+            // forward.
+            Object.keys(forwardHeaders).forEach(function(headerName) {
+                forwardHeader(headerName);
+            });
         }
@@ -49,0 +81,0 @@ }

lib/hyperswitch.js

@@ -57,3 +57,8 @@ 'use strict';
         this._subRequestFilters = par._subRequestFilters;
-        this.ctx = par.ctx || {};
+        this.ctx = par.ctx || {
+            headers: {
+                'user-agent': req.headers['user-agent'],
+                'x-client-ip': req.headers['x-client-ip'],
+            }
+        };
     } else {
@@ -60,0 +65,0 @@ // Brand new instance

package.json

 {
   "name": "hyperswitch",
-  "version": "0.4.10",
+  "version": "0.5.0",
   "description": "REST API creation framework",
@@ -5,0 +5,0 @@ "main": "index.js",

test/hyperswitch/hyperswitch.js

@@ -190,3 +190,3 @@ 'use strict';
         return preq.get({
-            uri: server.hostPort + '/service/hop_to_hop'
+            uri: server.hostPort + '/service/hop_to_hop/en.wikipedia.org'
         })
@@ -245,14 +245,45 @@ .then(function(res) {
 
-    it('Should pass User-Agent header', function() {
-        var api = nock('https://en.wikipedia.org', {
+    it('Should only pass UA and x-client-ip if header forwarding is `true`', function() {
+        var api = nock('https://trusted.service', {
             reqheaders: {
-                'user-agent': 'test_user_agent'
+                'user-agent': 'test_user_agent',
+                'x-client-ip': '127.0.0.1',
+            },
+            badheaders: ['cookie', 'x-forwarded-for'],
+        })
+        .get('/wiki/Main_Page').reply(200, {});
+
+        return preq.get({
+            uri: server.hostPort + '/service/hop_to_hop/trusted.service',
+            headers: {
+                'user-agent': 'test_user_agent',
+                'x-client-ip': '127.0.0.1',
+                'x-forwarded-for': 'also secret',
+                cookie: 'very secret',
             }
         })
+        .then(function() {
+            api.done();
+        })
+        .finally(function() {
+            nock.cleanAll();
+        });
+    });
+
+    it('Should pass UA, but not other sensitive headers', function() {
+        var api = nock('https://en.wikipedia.org', {
+            reqheaders: {
+                'user-agent': 'test_user_agent',
+            },
+            badheaders: ['x-client-ip', 'cookie', 'x-forwarded-for'],
+        })
         .get('/wiki/Main_Page').reply(200, {});
 
         return preq.get({
-            uri: server.hostPort + '/service/hop_to_hop',
+            uri: server.hostPort + '/service/hop_to_hop/en.wikipedia.org',
             headers: {
-                'user-agent': 'test_user_agent'
+                'user-agent': 'test_user_agent',
+                'x-client-ip': 'secret',
+                'x-forwarded-for': 'also secret',
+                cookie: 'very secret',
             }
@@ -259,0 +290,0 @@ })

New alerts

Manifest confusion

Supply chain risk

This package has inconsistent metadata. This could be malicious or caused by an error when publishing the package.

Found 2 instances in 1 package

Improved metrics

Total package byte prevSize

173540

increased by1.49%

Lines of code

4066

increased by1.5%

Worsened metrics

Number of medium supply chain risk alerts

5

increased by66.67%

No dependency changes