From babe16f4b08e8dd3095b841aaea9a6f026e4ba8c Mon Sep 17 00:00:00 2001 From: Krishna Chaitanya Date: Mon, 23 Sep 2024 11:41:38 +0530 Subject: [PATCH] fix: dataplane sanitise logic (#166) --- src/deviceModeInit.js | 2 +- src/loadingCode.js | 2 +- src/router.js | 29 ++++++----------------------- 3 files changed, 8 insertions(+), 25 deletions(-) diff --git a/src/deviceModeInit.js b/src/deviceModeInit.js index c64b075..d0dd6c5 100644 --- a/src/deviceModeInit.js +++ b/src/deviceModeInit.js @@ -340,7 +340,7 @@ let _rudderTracking = (function () { // common function for sending anonymousId and sessionId Identifier function sendToRudderWebhook(data, type, updateTypeCookieFunction, retryAttempt = 0) { - const webhookUrl = 'dataplaneUrl_placeHolder/v1/webhook?writeKey=writeKey_placeHolder'; + const webhookUrl = 'https://dataplaneUrl_placeHolder/v1/webhook?writeKey=writeKey_placeHolder'; const timeToRetry = 1000; // 1 second const maxRetries = 3; if (maxRetries > retryAttempt) { diff --git a/src/loadingCode.js b/src/loadingCode.js index 6dbedd1..a2f6ac1 100644 --- a/src/loadingCode.js +++ b/src/loadingCode.js @@ -23,7 +23,7 @@ }; })(method); } - rudderanalytics.load('writeKey', 'dataPlaneUrl', { + rudderanalytics.load('writeKey', 'https://dataPlaneUrl', { configUrl: 'configBackendUrl', logLevel: 'DEBUG', }); diff --git a/src/router.js b/src/router.js index 8a89da7..ac20bb3 100644 --- a/src/router.js +++ b/src/router.js @@ -10,25 +10,9 @@ const configUrl = process.env.CONFIG_BACKEND_URL || 'https://api.rudderstack.com const jsSdkCdnUrl = process.env.JS_SDK_CDN || 'https://cdn.rudderlabs.com/v1.1/rudder-analytics.min.js'; -const ensureHttpsPrefix = (url) => { - // Check if the URL starts with http:// or https:// - if (!/^https?:\/\//i.test(url)) { - return `https://${url}`; - } - return url; -}; - -const formatDataPlaneURL = (dataPlaneUrl) => { - // TODO :: Sanitize dataplane url with basic checks before prefixing with https - const newDataPlaneUrl = ensureHttpsPrefix(dataPlaneUrl); - try { - new URL(newDataPlaneUrl); // This will throw if the URL is invalid - return newDataPlaneUrl; - } catch { - return undefined; - } -}; const isValidWriteKey = (writeKey) => /^[A-Za-z0-9_]{5,}$/.test(writeKey); +const isValidDataPlaneURL = (dataPlaneUrl) => + /^(?!:\/\/)([a-zA-Z0-9-_]{1,63}\.)+[a-zA-Z]{2,6}$/.test(dataPlaneUrl); router.get('/load', async (ctx) => { // only takes in writeKey and DataPlane Url @@ -53,18 +37,17 @@ router.get('/load', async (ctx) => { const { writeKey, dataPlaneUrl } = ctx.request.query; console.log('writeKey', writeKey); console.log('dataplaneUrl', dataPlaneUrl); - if (formatDataPlaneURL(dataPlaneUrl) === undefined || !isValidWriteKey(writeKey)) { + if (!isValidDataPlaneURL(dataPlaneUrl) || !isValidWriteKey(writeKey)) { + console.log(`writeKey:${writeKey} or dataPlaneUrl:${dataPlaneUrl} is invalid or missing`); ctx.response.body = { error: 'writeKey or dataPlaneUrl is invalid or missing', }; ctx.status = 400; return ctx; } - const formattedDataPlaneUrl = formatDataPlaneURL(dataPlaneUrl); - console.log('formattedDataPlaneUrl', formattedDataPlaneUrl); d = d.replace('writeKey', writeKey); - d = d.replace('dataPlaneUrl', formattedDataPlaneUrl); + d = d.replace('dataPlaneUrl', dataPlaneUrl); d = d.replace('configBackendUrl', configUrl); const pollTimeForSessionIdentifierCheck = @@ -73,7 +56,7 @@ router.get('/load', async (ctx) => { /sessionIdentifierPollTime_placeHolder/g, pollTimeForSessionIdentifierCheck, ); - deviceModeInit = deviceModeInit.replace(/dataplaneUrl_placeHolder/g, formattedDataPlaneUrl); + deviceModeInit = deviceModeInit.replace(/dataplaneUrl_placeHolder/g, dataPlaneUrl); deviceModeInit = deviceModeInit.replace(/writeKey_placeHolder/g, writeKey); deviceModeInit = deviceModeInit.replace(/configUrl_placeholder/g, configUrl);