microsoft · MSNev · Feb 5, 2025 · Feb 4, 2025
@@ -373,19 +373,18 @@ export class AppInsightsSku implements IApplicationInsights {
                             _throttleMgr.onReadyState(true);
                         }
 
-                        var result;
                         if (!_iKeySentMessage && !_config.connectionString && isFeatureEnabled(IKEY_USAGE, _config)) {
-                            result = _throttleMgr.sendMessage( _eInternalMessageId.InstrumentationKeyDeprecation, "See Instrumentation key support at aka.ms/IkeyMigrate");
+                            _throttleMgr.sendMessage( _eInternalMessageId.InstrumentationKeyDeprecation, "See Instrumentation key support at aka.ms/IkeyMigrate");
                             _iKeySentMessage = true;
                         }
 
                         if (!_cdnSentMessage && _self.context.internal.sdkSrc && _self.context.internal.sdkSrc.indexOf("az416426") != -1 && isFeatureEnabled(CDN_USAGE, _config)) {
-                            result = _throttleMgr.sendMessage( _eInternalMessageId.CdnDeprecation, "See Cdn support notice at aka.ms/JsActiveCdn");
+                            _throttleMgr.sendMessage( _eInternalMessageId.CdnDeprecation, "See Cdn support notice at aka.ms/JsActiveCdn");
                             _cdnSentMessage = true;
                         }
 
                         if (!_sdkVerSentMessage && parseInt(_snippetVersion) < 6 && isFeatureEnabled(SDK_LOADER_VER, _config)) {
-                            result = _throttleMgr.sendMessage( _eInternalMessageId.SdkLdrUpdate, "An updated Sdk Loader is available, see aka.ms/SnippetVer");
+                            _throttleMgr.sendMessage( _eInternalMessageId.SdkLdrUpdate, "An updated Sdk Loader is available, see aka.ms/SnippetVer");
                             _sdkVerSentMessage = true;
                         }
 

@@ -353,7 +353,7 @@ export class SessionStorageSendBuffer extends BaseSendBuffer implements ISendBuf
                     newBuffer.markAsSent(sentItems);
                 }
                 return newBuffer;
-            }
+            };
 
             function _removePayloadsFromBuffer(payloads: IInternalStorageItem[], buffer: IInternalStorageItem[]): IInternalStorageItem[] {
                 const remaining: IInternalStorageItem[] = [];

@@ -213,7 +213,7 @@ export class DomContentHandler implements IContentHandler {
                         eLoggingSeverity.WARNING,
                         _eInternalMessageId.InvalidContentBlob, "Invalid content blob.  Missing required attributes (id, contentName. " +
                         " Content information will still be collected!"
-                    )
+                    );
                 }
 
                 return elementContent;

@@ -22,7 +22,7 @@ import {
 } from "./DependencyListener";
 import { IAjaxRecordResponse, ajaxRecord } from "./ajaxRecord";
 
-const AJAX_MONITOR_PREFIX = "ai.ajxmn.";
+// const AJAX_MONITOR_PREFIX = "ai.ajxmn.";
 const strDiagLog = "diagLog";
 const AJAX_DATA_CONTAINER = "_ajaxData";
 const STR_FETCH = "fetch";
@@ -809,9 +809,7 @@ export class AjaxMonitor extends BaseTelemetryPlugin implements IDependenciesPlu
                                     if (ajaxData && _isMonitoredXhrInstance(xhr, ajaxData)) {
                                         _addSharedXhrHeaders(xhr, header, value);
                                         if (_enableRequestHeaderTracking && _canIncludeHeaders(header)) {
-                                            if (ajaxData) {
-                                                ajaxData.requestHeaders[header] = value;
-                                            }
+                                            ajaxData.requestHeaders[header] = value;
                                         }
                                     }
                                 }

@@ -784,18 +784,16 @@ module.exports = function (grunt) {
                         { src: "./tools/applicationinsights-web-snippet/build/output/snippet.min.js", dest: `./tools/applicationinsights-web-snippet/build/output/originSnippet.min.js` }
                        ]
                 },
-                "snippet": {
+                "snippetToDistEs5": {
                     files: [
-                        { src: "./tools/applicationinsights-web-snippet/build/output/snippet.js", dest: `./tools/applicationinsights-web-snippet/dist-es5/snippet.js` },
-                        { src: "./tools/applicationinsights-web-snippet/build/output/snippet.js.map", dest: `./tools/applicationinsights-web-snippet/dist-es5/snippet.js.map` },
-                        { src: "./tools/applicationinsights-web-snippet/build/output/snippet.min.js", dest: `./tools/applicationinsights-web-snippet/dist-es5/snippet.min.js` },
-                        { src: "./tools/applicationinsights-web-snippet/build/output/snippet.min.js.map", dest: `./tools/applicationinsights-web-snippet/dist-es5/snippet.min.js.map` }
+                        { expand: true, cwd: "./tools/applicationinsights-web-snippet/build/output/", src: "snippet.**", dest: "./tools/applicationinsights-web-snippet/dist-es5/" },
+                        { expand: true, cwd: "./tools/applicationinsights-web-snippet/build/output/common/", src: "**", dest: "./tools/applicationinsights-web-snippet/dist-es5/common/" },
                        ]
                 },
 
                 "web-snippet": {
                     files: [  
-                        { src: "./tools/applicationinsights-web-snippet/build/output/applicationinsights-web-snippet.js", dest: `./tools/applicationinsights-web-snippet/dist-es5/applicationinsights-web-snippet.js` },
+                        { src: "./tools/applicationinsights-web-snippet/build/output/applicationinsights-web-snippet.js", dest: `./tools/applicationinsights-web-snippet/dist-es5/applicationinsights-web-snippet.js` }
                     ]
                 },
                 config: {
@@ -924,7 +922,7 @@ module.exports = function (grunt) {
         grunt.registerTask("chromedebugextension-restore", restoreTasks("chrome-debug-extension"));
 
         grunt.registerTask("websnippet", tsBuildActions("applicationinsights-web-snippet"));
-        grunt.registerTask("snippetCopy", ["copy:snippet"]);
+        grunt.registerTask("snippetCopy", ["copy:snippetToDistEs5"]);
         grunt.registerTask("originSnippetCopy", ["copy:originSnippet"]);
         grunt.registerTask("websnippetReplace", ["string-replace:generate-expanded-JS", "copy:web-snippet", "string-replace:generate-expanded-min", "string-replace:generate-snippet-ikey", "string-replace:generate-snippet-connString", "string-replace:generate-snippet-origin"]);
 

@@ -31,7 +31,7 @@ function parseArgs(expectedArgs) {
     var argIdx = 2 + expIdx;
     while (argIdx < passedArgs.length) {
         let done = false;
-        value = passedArgs[argIdx++];
+        let value = passedArgs[argIdx++];
         // console.log(`${argIdx}: ${value}`);
         if (value && value.length > 2) {
             if (value[0] === "-") {
@@ -336,7 +336,7 @@ function createNsFile(dtsContents) {
     }
 
     // Read the generated dts file and append to the new content
-    var lastLine = ""
+    var lastLine = "";
 
     var nsLines = dtsContents.split("\n");
     console.log(`Lines: ${nsLines.length}`);

@@ -5,7 +5,7 @@
 * File containing the enums as constants.
 */
 
-import { _eInternalMessageId, createEnumStyle, objFreeze } from "@microsoft/applicationinsights-core-js";
+import { _eInternalMessageId, createEnumStyle } from "@microsoft/applicationinsights-core-js";
 
 /**
  * The eValueKind contains a set of values that specify value kind of the property.

@@ -13,6 +13,10 @@ interface ISanitizerMapValue {
     fieldHandler?: IFieldValueSanitizerProvider;
 }
 
+function _isSpecialName(name: string) {
+    return (name == "__proto__" || name == "constructor" || name == "prototype");
+}
+
 export class ValueSanitizer implements IValueSanitizer {
 
     public static getFieldType = getFieldValueType;
@@ -134,9 +138,19 @@ export class ValueSanitizer implements IValueSanitizer {
                 }
 
                 if (!fieldLookup) {
+                    // Handle edge case to avoid prototype pollution
+                    if (_isSpecialName(path)) {
+                        return null;
+                    }
+
                     fieldLookup = _sanitizerMap[path] = {};
                 }
 
+                // Handle edge case to avoid prototype pollution
+                if (_isSpecialName(name)) {
+                    return null;
+                }
+
                 fieldLookup[name] = result;
             }
 
@@ -145,7 +159,7 @@ export class ValueSanitizer implements IValueSanitizer {
 
         _self.clearCache = () => {
             _sanitizerMap = {};
-        }
+        };
 
         _self.addSanitizer = (newSanitizer: IValueSanitizer) => {
             if (newSanitizer) {
@@ -213,7 +227,7 @@ export class ValueSanitizer implements IValueSanitizer {
         _self.value = (path: string, name: string, value: FieldValueSanitizerTypes, stringifyObjects?: boolean): IEventProperty | null => {
             let mapValue: ISanitizerMapValue = _getFieldSanitizer(path, name);
             if (mapValue && mapValue.canHandle) {
-                if (!mapValue || !mapValue.canHandle) {
+                if (!mapValue.canHandle) {
                     return null;
                 }
 

@@ -8,8 +8,6 @@ import { ITelemetryPlugin } from "./ITelemetryPlugin";
 import { ITelemetryUnloadState } from "./ITelemetryUnloadState";
 import { IPayloadData } from "./IXHROverride";
 
-"use strict";
-
 /**
  * Internal Interface
  */

@@ -590,7 +590,7 @@ export class AppInsightsCore<CfgType extends IConfiguration = IConfiguration> im
                 if (_notificationManager) {
                     _notificationManager.removeNotificationListener(listener);
                 }
-            }
+            };
 
             _self.getCookieMgr = (): ICookieMgr => {
                 if (!_cookieManager) {
@@ -708,7 +708,7 @@ export class AppInsightsCore<CfgType extends IConfiguration = IConfiguration> im
                 _forceStopInternalLogPoller = true;
                 _internalLogPoller && _internalLogPoller.cancel();
                 _flushInternalLogs();
-            }
+            };
 
             // Add addTelemetryInitializer
             proxyFunctions(_self, () => _telemetryInitializerPlugin, [ "addTelemetryInitializer" ]);
@@ -729,7 +729,7 @@ export class AppInsightsCore<CfgType extends IConfiguration = IConfiguration> im
                     reason: TelemetryUnloadReason.SdkUnload,
                     isAsync: isAsync,
                     flushComplete: false
-                }
+                };
 
                 let result: IPromise<ITelemetryUnloadState>;
                 if (isAsync && !unloadComplete) {

@@ -65,5 +65,37 @@ export class SnippetTests extends AITestClass {
                 QUnit.assert.notEqual(-1, theSnippet.indexOf(key), "key is injected");
             }
         });
+
+        this.testCase({
+            name: "Verify config object doesn't include invalid keys",
+            test: () => {
+                let key = "InstrumentationKey=814a172a-92fd-4950-9023-9cf13bb65696;IngestionEndpoint=https://eastus-8.in.applicationinsights.azure.com/;LiveEndpoint=https://eastus.livediagnostics.monitor.azure.com/";
+                let config = {
+                    connectionString: key, 
+                    instrumentationKey: key,
+                    sri: { "</script>": "bad" },
+                    cr: "</script>",
+                    name: "</script>Name<script>alert('xss');</script>",
+                };
+                let theSnippet = getSdkLoaderScript(config);
+                QUnit.assert.ok(theSnippet.indexOf("</script>") === -1, "Make sure the Snippet does not contain </script> - " + theSnippet);
+                QUnit.assert.ok(theSnippet.indexOf("/script") !== -1, "Make sure the / character is not escaped - " + theSnippet);
+            }
+        });
+
+        this.testCase({
+            name: "Verify that the / character is not escaped",
+            test: () => {
+                let key = "InstrumentationKey=814a172a-92fd-4950-9023-9cf13bb65696;IngestionEndpoint=https://eastus-8.in.applicationinsights.azure.com/;LiveEndpoint=https://eastus.livediagnostics.monitor.azure.com/";
+                let config = {
+                    connectionString: key, 
+                    instrumentationKey: key
+                };
+                let theSnippet = getSdkLoaderScript(config);
+                QUnit.assert.ok(theSnippet.indexOf("https://eastus-8.") !== -1, "Make sure the / character is not escaped - " + theSnippet);
+                QUnit.assert.ok(theSnippet.indexOf("LiveEndpoint=https://eastus.livediagnostics.monitor.azure.com/") !== -1, "Make sure the / character is not escaped - " + theSnippet);
+            }
+        });
+
     }
 }
@@ -1,3 +1,5 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 import { oneDsEnvelope } from "./1dsType";
 import { _getTime } from "./support";
 

@@ -1,3 +1,6 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
 export interface oneDsEnvelope {
     data: any;
     ext: any;

@@ -1,3 +1,5 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 import { IEnvelope } from "@microsoft/applicationinsights-common";
 import { _getTime } from "./support";
 

@@ -1,10 +1,13 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 import { ISnippetConfig, SdkLoaderConfig } from "./type";
+import { _ensureBoolean, _ensureNumber, _escapeUnsupportedChars } from "./common/utils";
 
 const originSnippet = "##replaceOriginSnippet##";
-const webSnippet = "##replaceIKeySnippet##";
-const webSnippetCs = "##replaceConnStringSnippet##";
+export const webSnippet = "##replaceIKeySnippet##";
+export const webSnippetCs = "##replaceConnStringSnippet##";
 
-function webSnippetVersion() {
+export function webSnippetVersion() {
     let parse = /sv:\"([^\"]+)\"/.exec(webSnippet);
     if (parse) {
         return parse[1];
@@ -13,29 +16,25 @@ function webSnippetVersion() {
     return "";
 }
 
-function getSdkLoaderScript(config: SdkLoaderConfig) {
+export function getSdkLoaderScript(config: SdkLoaderConfig): string {
     let snippetConfig: ISnippetConfig = {
-        src: config.src? config.src : "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",
-        crossOrigin: config.crossOrigin ? config.crossOrigin : "anonymous",
+        src: _escapeUnsupportedChars(config.src? config.src : "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js"),
+        crossOrigin: _escapeUnsupportedChars(config.crossOrigin ? config.crossOrigin : "anonymous"),
         cfg: {},
-        name: config.name ? config.name : "appInsights",
-        ld: config.ld,
-        useXhr: config.useXhr,
-        cr: config.cr,
-        dle: config.dle,
-        sri: config.sri
+        name: _escapeUnsupportedChars(config.name ? config.name : "appInsights"),
+        ld: _ensureNumber(config.ld),
+        useXhr: _ensureBoolean(config.useXhr),
+        cr: _ensureBoolean(config.cr),
+        dle: _ensureBoolean(config.dle),
+        sri: _ensureBoolean(config.sri)
     };
 
     if (config.instrumentationKey) {
-        snippetConfig.cfg.instrumentationKey = config.instrumentationKey;
+        snippetConfig.cfg.instrumentationKey = _escapeUnsupportedChars(config.instrumentationKey);
     } else if (config.connectionString) {
-        snippetConfig.cfg.connectionString = config.connectionString;
+        snippetConfig.cfg.connectionString = _escapeUnsupportedChars(config.connectionString);
     }
 
-    let configString = JSON.stringify(snippetConfig);
-    let userSnippet = `!(function (cfg){${originSnippet}})(\n${configString}\n);`;
-    return userSnippet;
+    let configString: string = JSON.stringify(snippetConfig);
+    return "!(function (cfg){" + originSnippet + "}})(\n" + configString + "\n);";
 }
-
-
-export { webSnippet, webSnippetCs, webSnippetVersion, getSdkLoaderScript }
@@ -0,0 +1,41 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+const charMap: { [key: string]: string } = {
+    "<": "\\u003C",
+    ">" : "\\u003E",
+    "\\": "\\\\",
+    "\b": "\\b",
+    "\f": "\\f",
+    "\n": "\\n",
+    "\r": "\\r",
+    "\t": "\\t",
+    "\0": "\\0",
+    "\u2028": "\\u2028",
+    "\u2029": "\\u2029"
+};
+
+export function _escapeUnsupportedChars(value: any) {
+    if (value) {
+        value = value.replace(/[<>\\\b\f\n\r\t\0\u2028\u2029]/g, (match: string) => {
+            return charMap[match];
+        });
+    }
+
+    return value;
+}
+
+export function _ensureBoolean(value: any): boolean {
+    if (value !== undefined) {
+        value = !!value;
+    }
+
+    return value;
+}
+
+export function _ensureNumber(value: any): number {
+    if (value !== undefined) {
+        value = Number(value);
+    }
+
+    return value;
+}
@@ -1,3 +1,6 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
 /* eslint-disable no-constant-condition */
 import { Fields, ISnippetConfig } from "./type";
 import { IConfig, IEnvelope } from "@microsoft/applicationinsights-common";

@@ -1,3 +1,5 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 
 let strEmpty = "";
 

@@ -1,3 +1,5 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 import { IConfiguration } from "@microsoft/applicationinsights-web";
 
 export interface SdkLoaderConfig {

@@ -20,7 +20,7 @@
   },
   "include": [
     "./src/*.ts"
-  ],
+, "src/common/utils.ts"  ],
   "exclude": [
     "node_modules"
   ]