Merge pull request #506 from appsignal/add-request-headers-allowlist

Add request headers allowlist

packages/express/.changesets/requestheaders-config-option-is-now-available.md

@@ -0,0 +1,6 @@
+---
+bump: "patch"
+---
+
+Collect request headers from express requests by default. See also our new `requestHeaders` config
+option, added in the @appsignal/nodejs package.

packages/express/src/middleware/index.ts

@@ -1,12 +1,13 @@
 import { Client } from "@appsignal/nodejs"
-
+import { HashMap } from "@appsignal/types"
 import {
   Request,
   Response,
   NextFunction,
   ErrorRequestHandler,
   RequestHandler
 } from "express"
+import { IncomingHttpHeaders } from "http"
 
 /**
  * Returns an Express middleware that can augment the current span
@@ -33,7 +34,8 @@ export function expressMiddleware(appsignal: Client): RequestHandler {
       res.end = function (this: Response) {
         res.end = originalEnd
 
-        const { method = "GET", params = {}, query = {} } = req
+        const { method = "GET", params = {}, query = {}, headers } = req
+        const filteredHeaders = filterHeaders(headers, appsignal)
 
         // if there is no error passed to `next()`, the span name will
         // be updated to match the current path
@@ -48,6 +50,7 @@ export function expressMiddleware(appsignal: Client): RequestHandler {
         // @TODO: keep an eye on this
         // @ts-ignore
         span.setSampleData("params", { ...params, ...query })
+        span.setSampleData("environment", filteredHeaders)
 
         return res.end.apply(this, arguments as any)
       }
@@ -80,3 +83,19 @@ export function expressErrorHandler(appsignal: Client): ErrorRequestHandler {
     return next(err)
   }
 }
+
+function filterHeaders(
+  headers: IncomingHttpHeaders,
+  appsignal: Client
+): HashMap<any> {
+  let filtered: HashMap<any> = {}
+  const headersAllowList = appsignal.config.data.requestHeaders || []
+
+  headersAllowList.forEach(key => {
+    if (headers[key] != undefined) {
+      filtered[key] = headers[key]
+    }
+  })
+
+  return filtered
+}

packages/nodejs/.changesets/requestheaders-config-option-is-now-available.md

@@ -0,0 +1,8 @@
+---
+bump: "patch"
+---
+
+The `requestHeaders` config option is now available. An allow list that gives the ability to define
+which request headers you want to be shown in sample detail views. The default is a list of common
+headers that do not include [personal identifiable information](https://docs.appsignal.com/appsignal/gdpr.html#allowed-request-headers-only).
+Read more about [request headers](https://docs.appsignal.com/application/header-filtering.html) on our documentation website.

packages/nodejs/global.d.ts

@@ -1,5 +1,7 @@
 export {}
 
+import { Client } from "./src/interfaces"
+
 declare global {
-  var __APPSIGNAL__: any
+  var __APPSIGNAL__: Client
 }

packages/nodejs/src/__tests__/config.test.ts

@@ -29,6 +29,16 @@ describe("Configuration", () => {
     ignoreNamespaces: [],
     log: "file",
     logPath: "/tmp",
+    requestHeaders: [
+      "accept",
+      "accept-charset",
+      "accept-encoding",
+      "accept-language",
+      "cache-control",
+      "connection",
+      "content-length",
+      "range"
+    ],
     transactionDebugMode: false
   }
 

packages/nodejs/src/cli/diagnose.ts

@@ -416,5 +416,9 @@ export class Diagnose {
 }
 
 function format_value(value: any) {
-  return util.inspect(value)
+  if (typeof value == "object") {
+    return JSON.stringify(value)
+  } else {
+    return util.inspect(value)
+  }
 }

packages/nodejs/src/config.ts

@@ -120,6 +120,16 @@ export class Configuration {
       ignoreNamespaces: [],
       log: "file",
       logPath: this._tmpdir(),
+      requestHeaders: [
+        "accept",
+        "accept-charset",
+        "accept-encoding",
+        "accept-language",
+        "cache-control",
+        "connection",
+        "content-length",
+        "range"
+      ],
       transactionDebugMode: false
     }
   }

packages/nodejs/src/config/configmap.ts

@@ -79,6 +79,7 @@ export const JS_TO_RUBY_MAPPING: { [key: string]: string } = {
   log: "log",
   logPath: "log_path",
   name: "name",
+  requestHeaders: "request_headers",
   revision: "revision",
   runningInContainer: "running_in_container",
   transactionDebugMode: "transaction_debug_mode",

packages/nodejs/src/instrumentation/http/lifecycle/incoming.ts

@@ -5,8 +5,9 @@
  */
 
 import { Tracer } from "../../../interfaces"
+import { HashMap } from "@appsignal/types"
 import { parse } from "url"
-import { IncomingMessage, ServerResponse } from "http"
+import { IncomingMessage, ServerResponse, IncomingHttpHeaders } from "http"
 
 // explicitly ignore some urls that we can't guarantee groupings on, or
 // routes that cause known issues.
@@ -32,8 +33,9 @@ function incomingRequest(
     }
 
     const [req, res] = args as [IncomingMessage, ServerResponse]
-    const { method = "GET", url = "/" } = req
+    const { method = "GET", url = "/", headers } = req
     const { pathname, query } = parse(url)
+    const allowedHeaders = filterHeaders(headers)
 
     // don't start a span for ignored urls
     if (url && DEFAULT_IGNORED_URLS.some(el => el.test(url))) {
@@ -58,6 +60,7 @@ function incomingRequest(
       .setName(`${method} ${pathname === "/" ? pathname : "[unknown route]"}`)
       .setCategory("process_request.http")
       .set("method", method)
+      .setSampleData("environment", allowedHeaders)
       .setSampleData("params", query ? { query } : {})
 
     return tracer.withSpan(rootSpan, span => {
@@ -83,6 +86,19 @@ function incomingRequest(
   }
 }
 
+function filterHeaders(headers: IncomingHttpHeaders): HashMap<any> {
+  let filtered: HashMap<any> = {}
+  const headersAllowList = global.__APPSIGNAL__.config.data.requestHeaders || []
+
+  headersAllowList.forEach(key => {
+    if (headers[key] != undefined) {
+      filtered[key] = headers[key]
+    }
+  })
+
+  return filtered
+}
+
 export function getPatchIncomingRequestFunction(tracer: Tracer) {
   return function (original: (event: string, ...args: unknown[]) => boolean) {
     return incomingRequest(original, tracer)