bugsnag · djskinner · Oct 15, 2024 · Oct 15, 2024 · Oct 15, 2024 · Oct 15, 2024
diff --git a/dockerfiles/Dockerfile.browser b/dockerfiles/Dockerfile.browser
@@ -7,6 +7,7 @@ WORKDIR /app
 
 COPY package*.json ./
 COPY babel.config.js lerna.json .eslintignore .eslintrc.js jest.config.js tsconfig.json ./
+COPY jest ./jest
 ADD min_packages.tar .
 COPY bin ./bin
 COPY packages ./packages

diff --git a/dockerfiles/Dockerfile.ci b/dockerfiles/Dockerfile.ci
@@ -7,6 +7,7 @@ WORKDIR /app
 
 COPY package*.json ./
 COPY babel.config.js lerna.json .eslintignore .eslintrc.js jest.config.js tsconfig.json ./
+COPY jest ./jest
 ADD min_packages.tar .
 COPY bin ./bin
 COPY scripts ./scripts

diff --git a/dockerfiles/Dockerfile.node b/dockerfiles/Dockerfile.node
@@ -7,6 +7,7 @@ WORKDIR /app
 
 COPY package*.json ./
 COPY babel.config.js lerna.json .eslintignore .eslintrc.js jest.config.js tsconfig.json ./
+COPY jest ./jest
 ADD min_packages.tar .
 COPY bin ./bin
 COPY packages ./packages

diff --git a/jest.config.js b/jest.config.js
@@ -26,7 +26,9 @@ module.exports = {
   ],
   projects: [
     project('core', ['core']),
-    project('web workers', ['web-worker']),
+    project('web workers', ['web-worker'], {
+      testEnvironment: '<rootDir>/jest/FixJSDOMEnvironment.js'
+    }),
     project('shared plugins', ['plugin-app-duration', 'plugin-stackframe-path-normaliser']),
     project('browser', [
       'browser',
@@ -49,7 +51,9 @@ module.exports = {
       'plugin-simple-throttle',
       'plugin-console-breadcrumbs',
       'plugin-browser-session'
-    ]),
+    ], {
+      testEnvironment: '<rootDir>/jest/FixJSDOMEnvironment.js'
+    }),
     project('react native', [
       'react-native',
       'delivery-react-native',

diff --git a/jest/FixJSDOMEnvironment.js b/jest/FixJSDOMEnvironment.js
@@ -0,0 +1,18 @@
+const { TextDecoder, TextEncoder } = require('node:util')
+const crypto = require('crypto')
+
+const JSDOMEnvironment = require('jest-environment-jsdom')
+
+class FixJSDOMEnvironment extends JSDOMEnvironment {
+  constructor (...args) {
+    super(...args)
+
+    this.global.TextEncoder = TextEncoder
+    this.global.TextDecoder = TextDecoder
+    this.global.crypto = {
+      subtle: crypto.webcrypto.subtle
+    }
+  }
+}
+
+module.exports = FixJSDOMEnvironment
diff --git a/packages/browser/src/config.js b/packages/browser/src/config.js
@@ -19,6 +19,10 @@ module.exports = {
       (typeof console !== 'undefined' && typeof console.debug === 'function')
         ? getPrefixedConsole()
         : undefined
+  }),
+  sendPayloadChecksums: assign({}, schema.sendPayloadChecksums, {
+    defaultValue: () => false,
+    validate: value => value === true || value === false
   })
 }
 

diff --git a/packages/browser/src/notifier.js b/packages/browser/src/notifier.js
@@ -41,6 +41,11 @@ const Bugsnag = {
     if (typeof opts === 'string') opts = { apiKey: opts }
     if (!opts) opts = {}
 
+    // sendPayloadChecksums is false by default unless custom endpoints are not specified
+    if (!opts.endpoints) {
+      opts.sendPayloadChecksums = 'sendPayloadChecksums' in opts ? opts.sendPayloadChecksums : true
+    }
+
     const internalPlugins = [
       // add browser-specific plugins
       pluginApp,

diff --git a/packages/browser/test/index.test.ts b/packages/browser/test/index.test.ts
@@ -4,38 +4,55 @@ const DONE = window.XMLHttpRequest.DONE
 
 const API_KEY = '030bab153e7c2349be364d23b5ae93b5'
 
-function mockFetch () {
-  const makeMockXHR = () => ({
-    open: jest.fn(),
-    send: jest.fn(),
-    setRequestHeader: jest.fn(),
-    readyState: DONE,
-    onreadystatechange: () => {}
-  })
+interface MockXHR {
+  open: jest.Mock<any, any>
+  send: jest.Mock<any, any>
+  setRequestHeader: jest.Mock<any, any>
+}
+
+type SendCallback = (xhr: MockXHR) => void
+
+function mockFetch (onSessionSend?: SendCallback, onNotifySend?: SendCallback) {
+  const makeMockXHR = (onSend?: SendCallback) => {
+    const xhr = {
+      open: jest.fn(),
+      send: jest.fn(),
+      setRequestHeader: jest.fn(),
+      readyState: DONE,
+      onreadystatechange: () => {}
+    }
+    xhr.send.mockImplementation((...args) => {
+      xhr.onreadystatechange()
+      onSend?.(xhr)
+    })
+    return xhr
+  }
 
-  const session = makeMockXHR()
-  const notify = makeMockXHR()
+  const session = makeMockXHR(onSessionSend)
+  const notify = makeMockXHR(onNotifySend)
 
   // @ts-ignore
   window.XMLHttpRequest = jest.fn()
     .mockImplementationOnce(() => session)
     .mockImplementationOnce(() => notify)
-    .mockImplementation(() => makeMockXHR())
+    .mockImplementation(() => makeMockXHR(() => {}))
   // @ts-ignore
   window.XMLHttpRequest.DONE = DONE
 
   return { session, notify }
 }
 
 describe('browser notifier', () => {
+  const onNotifySend = jest.fn()
+  const onSessionSend = jest.fn()
+
   beforeAll(() => {
     jest.spyOn(console, 'debug').mockImplementation(() => {})
     jest.spyOn(console, 'warn').mockImplementation(() => {})
   })
 
   beforeEach(() => {
     jest.resetModules()
-    mockFetch()
   })
 
   function getBugsnag (): typeof BugsnagBrowserStatic {
@@ -56,48 +73,48 @@ describe('browser notifier', () => {
   })
 
   it('notifies handled errors', (done) => {
-    const { session, notify } = mockFetch()
-    const Bugsnag = getBugsnag()
-    Bugsnag.start(API_KEY)
-    Bugsnag.notify(new Error('123'), undefined, (err, event) => {
-      if (err) {
-        done(err)
-      }
-      expect(event.breadcrumbs[0]).toStrictEqual(expect.objectContaining({
-        type: 'state',
-        message: 'Bugsnag loaded'
-      }))
-      expect(event.originalError.message).toBe('123')
-
+    const onSessionSend = (session: MockXHR) => {
       expect(session.open).toHaveBeenCalledWith('POST', 'https://sessions.bugsnag.com')
       expect(session.setRequestHeader).toHaveBeenCalledWith('Content-Type', 'application/json')
       expect(session.setRequestHeader).toHaveBeenCalledWith('Bugsnag-Api-Key', '030bab153e7c2349be364d23b5ae93b5')
       expect(session.setRequestHeader).toHaveBeenCalledWith('Bugsnag-Payload-Version', '1')
       expect(session.send).toHaveBeenCalledWith(expect.any(String))
+    }
 
+    const onNotifySend = (notify: MockXHR) => {
       expect(notify.open).toHaveBeenCalledWith('POST', 'https://notify.bugsnag.com')
       expect(notify.setRequestHeader).toHaveBeenCalledWith('Content-Type', 'application/json')
       expect(notify.setRequestHeader).toHaveBeenCalledWith('Bugsnag-Api-Key', '030bab153e7c2349be364d23b5ae93b5')
       expect(notify.setRequestHeader).toHaveBeenCalledWith('Bugsnag-Payload-Version', '4')
       expect(notify.send).toHaveBeenCalledWith(expect.any(String))
       done()
-    })
+    }
 
-    session.onreadystatechange()
-    notify.onreadystatechange()
+    mockFetch(onSessionSend, onNotifySend)
+
+    const Bugsnag = getBugsnag()
+    Bugsnag.start(API_KEY)
+    Bugsnag.notify(new Error('123'), undefined, (err, event) => {
+      if (err) {
+        done(err)
+      }
+      expect(event.breadcrumbs[0]).toStrictEqual(expect.objectContaining({
+        type: 'state',
+        message: 'Bugsnag loaded'
+      }))
+      expect(event.originalError.message).toBe('123')
+    })
   })
 
   it('does not send an event with invalid configuration', () => {
-    const { session, notify } = mockFetch()
+    mockFetch(onSessionSend, onNotifySend)
+
     const Bugsnag = getBugsnag()
     // @ts-expect-error
     Bugsnag.start({ apiKey: API_KEY, endpoints: { notify: 'https://notify.bugsnag.com' } })
     Bugsnag.notify(new Error('123'), undefined, (err, event) => {
       expect(err).toStrictEqual(new Error('Event not sent due to incomplete endpoint configuration'))
     })
-
-    session.onreadystatechange()
-    notify.onreadystatechange()
   })
 
   it('does not send a session with invalid configuration', (done) => {
@@ -247,4 +264,96 @@ describe('browser notifier', () => {
       startSession.mockRestore()
     })
   })
+
+  describe('payload checksum behaviour (Bugsnag-Integrity header)', () => {
+    beforeEach(() => {
+      // @ts-ignore
+      window.isSecureContext = true
+    })
+
+    afterEach(() => {
+      // @ts-ignore
+      window.isSecureContext = false
+    })
+
+    it('includes the integrity header by default', (done) => {
+      const onSessionSend = (session: MockXHR) => {
+        expect(session.open).toHaveBeenCalledWith('POST', 'https://sessions.bugsnag.com')
+        expect(session.setRequestHeader).toHaveBeenCalledWith('Bugsnag-Integrity', expect.any(String))
+        expect(session.send).toHaveBeenCalledWith(expect.any(String))
+      }
+
+      const onNotifySend = (notify: MockXHR) => {
+        expect(notify.open).toHaveBeenCalledWith('POST', 'https://notify.bugsnag.com')
+        expect(notify.setRequestHeader).toHaveBeenCalledWith('Bugsnag-Integrity', expect.any(String))
+        expect(notify.send).toHaveBeenCalledWith(expect.any(String))
+        done()
+      }
+
+      mockFetch(onSessionSend, onNotifySend)
+
+      const Bugsnag = getBugsnag()
+      Bugsnag.start(API_KEY)
+
+      Bugsnag.notify(new Error('123'), undefined, (err, event) => {
+        if (err) {
+          done(err)
+        }
+      })
+    })
+
+    it('does not include the integrity header if endpoint configuration is supplied', (done) => {
+      const onSessionSend = (session: MockXHR) => {
+        expect(session.open).toHaveBeenCalledWith('POST', 'https://sessions.custom.com')
+        expect(session.setRequestHeader).not.toHaveBeenCalledWith('Bugsnag-Integrity', expect.any(String))
+        expect(session.send).toHaveBeenCalledWith(expect.any(String))
+      }
+
+      const onNotifySend = (notify: MockXHR) => {
+        expect(notify.open).toHaveBeenCalledWith('POST', 'https://notify.custom.com')
+        expect(notify.setRequestHeader).not.toHaveBeenCalledWith('Bugsnag-Integrity', expect.any(String))
+        expect(notify.send).toHaveBeenCalledWith(expect.any(String))
+        done()
+      }
+
+      mockFetch(onSessionSend, onNotifySend)
+
+      const Bugsnag = getBugsnag()
+      Bugsnag.start({ apiKey: API_KEY, endpoints: { notify: 'https://notify.custom.com', sessions: 'https://sessions.custom.com' } })
+      Bugsnag.notify(new Error('123'), undefined, (err, event) => {
+        if (err) {
+          done(err)
+        }
+      })
+    })
+
+    it('can be enabled for a custom endpoint configuration by using sendPayloadChecksums', (done) => {
+      const onSessionSend = (session: MockXHR) => {
+        expect(session.open).toHaveBeenCalledWith('POST', 'https://sessions.custom.com')
+        expect(session.setRequestHeader).toHaveBeenCalledWith('Bugsnag-Integrity', expect.any(String))
+        expect(session.send).toHaveBeenCalledWith(expect.any(String))
+      }
+
+      const onNotifySend = (notify: MockXHR) => {
+        expect(notify.open).toHaveBeenCalledWith('POST', 'https://notify.custom.com')
+        expect(notify.setRequestHeader).toHaveBeenCalledWith('Bugsnag-Integrity', expect.any(String))
+        expect(notify.send).toHaveBeenCalledWith(expect.any(String))
+        done()
+      }
+
+      mockFetch(onSessionSend, onNotifySend)
+
+      const Bugsnag = getBugsnag()
+      Bugsnag.start({
+        apiKey: API_KEY,
+        endpoints: { notify: 'https://notify.custom.com', sessions: 'https://sessions.custom.com' },
+        sendPayloadChecksums: true
+      })
+      Bugsnag.notify(new Error('123'), undefined, (err, event) => {
+        if (err) {
+          done(err)
+        }
+      })
+    })
+  })
 })
diff --git a/packages/browser/types/bugsnag.d.ts b/packages/browser/types/bugsnag.d.ts
@@ -5,6 +5,7 @@ interface BrowserConfig extends Config {
   collectUserIp?: boolean
   generateAnonymousId?: boolean
   trackInlineScripts?: boolean
+  sendPayloadChecksums?: boolean
 }
 
 export interface BrowserBugsnagStatic extends BugsnagStatic {

diff --git a/packages/delivery-fetch/delivery.js b/packages/delivery-fetch/delivery.js
@@ -1,19 +1,37 @@
 import payload from '@bugsnag/core/lib/json-payload'
 
-const delivery = (client, fetch = global.fetch) => ({
+async function addIntegrityHeader (windowOrWorkerGlobalScope, requestBody, headers) {
+  if (windowOrWorkerGlobalScope.isSecureContext && windowOrWorkerGlobalScope.crypto && windowOrWorkerGlobalScope.crypto.subtle && windowOrWorkerGlobalScope.crypto.subtle.digest && typeof TextEncoder === 'function') {
+    const msgUint8 = new TextEncoder().encode(requestBody)
+    const hashBuffer = await windowOrWorkerGlobalScope.crypto.subtle.digest('SHA-1', msgUint8)
+    const hashArray = Array.from(new Uint8Array(hashBuffer))
+    const hashHex = hashArray
+      .map((b) => b.toString(16).padStart(2, '0'))
+      .join('')
+
+    headers['Bugsnag-Integrity'] = 'sha1 ' + hashHex
+  }
+}
+
+const delivery = (client, fetch = global.fetch, windowOrWorkerGlobalScope = window) => ({
   sendEvent: (event, cb = () => {}) => {
     const url = client._config.endpoints.notify
 
-    fetch(url, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'Bugsnag-Api-Key': event.apiKey || client._config.apiKey,
-        'Bugsnag-Payload-Version': '4',
-        'Bugsnag-Sent-At': (new Date()).toISOString()
-      },
-      body: payload.event(event, client._config.redactedKeys)
-    }).then(() => {
+    const body = payload.event(event, client._config.redactedKeys)
+    const headers = {
+      'Content-Type': 'application/json',
+      'Bugsnag-Api-Key': event.apiKey || client._config.apiKey,
+      'Bugsnag-Payload-Version': '4',
+      'Bugsnag-Sent-At': (new Date()).toISOString()
+    }
+
+    addIntegrityHeader(windowOrWorkerGlobalScope, body, headers).then(() =>
+      fetch(url, {
+        method: 'POST',
+        headers,
+        body
+      })
+    ).then(() => {
       cb(null)
     }).catch(err => {
       client._logger.error(err)