Improve URL sanitization to support relative URLs

Author: ccschmitz-launchdarkly

sdk/highlight-run/src/client/listeners/network-listener/utils/network-sanitizer.ts

@@ -76,10 +76,27 @@ const SENSITIVE_QUERY_PARAMS = [
 	'x-goog-signature',
 ]
 
+/**
+ * Safely parses a URL, handling both absolute and relative URLs.
+ * For relative URLs, resolves against globalThis.location.origin (browser/worker)
+ * or a placeholder base (non-browser environments).
+ */
+export const safeParseUrl = (url: string): URL => {
+	try {
+		return new URL(url)
+	} catch {
+		// For relative URLs, we need a base to parse. The base doesn't affect
+		// the output since sanitizeUrl strips it for relative URLs.
+		// Use globalThis for broader environment support (window, workers, etc.)
+		return new URL(url, globalThis.location?.origin ?? 'http://example.com')
+	}
+}
+
 /**
  * Sanitizes a URL according to OpenTelemetry semantic conventions.
  * - Redacts credentials (username:password) in the URL
  * - Redacts sensitive query parameter values while preserving keys
+ * - Handles both absolute and relative URLs
  *
  * @param url - The URL string to sanitize
  * @returns Sanitized URL string
@@ -91,12 +108,15 @@ const SENSITIVE_QUERY_PARAMS = [
  * @example
  * sanitizeUrl('https://example.com/path?color=blue&sig=secret123')
  * // Returns: 'https://example.com/path?color=blue&sig=REDACTED'
+ *
+ * @example
+ * sanitizeUrl('/api?sig=secret123')
+ * // Returns: '/api?sig=REDACTED'
  */
 export const sanitizeUrl = (url: string): string => {
 	try {
-		const urlObject = new URL(url)
+		const urlObject = safeParseUrl(url)
 
-		// Redact credentials if present
 		if (urlObject.username || urlObject.password) {
 			urlObject.username = 'REDACTED'
 			urlObject.password = 'REDACTED'
@@ -111,10 +131,13 @@ export const sanitizeUrl = (url: string): string => {
 			}
 		})
 
+		// If the URL is relative, return only the pathname + search + hash
+		if (!url.includes('://')) {
+			return urlObject.pathname + urlObject.search + urlObject.hash
+		}
+
 		return urlObject.toString()
 	} catch {
-		// If URL parsing fails, return original URL
-		// This handles relative URLs or malformed URLs
 		return url
 	}
 }

sdk/highlight-run/src/client/otel/index.ts

@@ -27,6 +27,7 @@ import * as SemanticAttributes from '@opentelemetry/semantic-conventions'
 import { getResponseBody } from '../listeners/network-listener/utils/fetch-listener'
 import {
 	DEFAULT_URL_BLOCKLIST,
+	safeParseUrl,
 	sanitizeHeaders,
 	sanitizeUrl,
 } from '../listeners/network-listener/utils/network-sanitizer'
@@ -481,23 +482,6 @@ export const shutdown = async () => {
 	])
 }
 
-/**
- * Safely parses a URL, handling both absolute and relative URLs.
- * For relative URLs, resolves against window.location.origin (browser)
- * or a placeholder base (non-browser environments).
- */
-export const safeParseUrl = (url: string): URL => {
-	try {
-		return new URL(url)
-	} catch {
-		if (typeof window !== 'undefined') {
-			return new URL(url, window.location.origin)
-		}
-
-		return new URL(url, 'http://localhost')
-	}
-}
-
 const enhanceSpanWithHttpRequestAttributes = (
 	span: api.Span,
 	body: Request['body'] | RequestInit['body'] | BrowserXHR['_body'],

sdk/highlight-run/src/client/otel/instrumentation.test.ts

@@ -1,13 +1,13 @@
 import { describe, it, expect } from 'vitest'
 import {
+	safeParseUrl,
 	sanitizeHeaders,
 	sanitizeUrl,
 } from '../listeners/network-listener/utils/network-sanitizer'
 import {
 	parseXhrResponseHeaders,
 	splitHeaderValue,
 	convertHeadersToOtelAttributes,
-	safeParseUrl,
 } from './index'
 
 describe('Network Instrumentation Custom Attributes', () => {
@@ -1224,7 +1224,8 @@ describe('Network Instrumentation Custom Attributes', () => {
 			})
 
 			it('should return original URL if parsing fails', () => {
-				const invalidUrl = 'not-a-valid-url'
+				// Truly malformed URLs that fail even with a base URL fallback
+				const invalidUrl = 'http://[invalid-ipv6'
 				const result = sanitizeUrl(invalidUrl)
 				expect(result).toBe(invalidUrl)
 			})
@@ -1254,6 +1255,54 @@ describe('Network Instrumentation Custom Attributes', () => {
 				expect(result).toContain('sig=REDACTED')
 			})
 		})
+
+		describe('relative URLs', () => {
+			it('should redact sensitive query params in relative URLs', () => {
+				const url = '/api?sig=secret'
+				const result = sanitizeUrl(url)
+				expect(result).toBe('/api?sig=REDACTED')
+			})
+
+			it('should redact AWSAccessKeyId in relative URLs', () => {
+				const url =
+					'/api?awsAccessKeyId=AKIAIOSFODNN7EXAMPLE&color=blue'
+				const result = sanitizeUrl(url)
+				expect(result).toBe('/api?awsAccessKeyId=REDACTED&color=blue')
+			})
+
+			it('should redact multiple sensitive params in relative URLs', () => {
+				const url =
+					'/path/to/resource?signature=abc123&x-goog-signature=xyz789'
+				const result = sanitizeUrl(url)
+				expect(result).toBe(
+					'/path/to/resource?signature=REDACTED&x-goog-signature=REDACTED',
+				)
+			})
+
+			it('should handle relative URLs without query params', () => {
+				const url = '/api/data'
+				const result = sanitizeUrl(url)
+				expect(result).toBe('/api/data')
+			})
+
+			it('should handle relative URLs with fragment', () => {
+				const url = '/api?sig=secret#section'
+				const result = sanitizeUrl(url)
+				expect(result).toBe('/api?sig=REDACTED#section')
+			})
+
+			it('should handle relative URLs with safe query params only', () => {
+				const url = '/users?id=123&filter=active'
+				const result = sanitizeUrl(url)
+				expect(result).toBe('/users?id=123&filter=active')
+			})
+
+			it('should handle root-relative URLs', () => {
+				const url = '/?sig=secret'
+				const result = sanitizeUrl(url)
+				expect(result).toBe('/?sig=REDACTED')
+			})
+		})
 	})
 
 	describe('safeParseUrl', () => {