From fb2b740d5b98319eb541d11f51d83421d7a9b2b7 Mon Sep 17 00:00:00 2001
From: krishnachaitanya
Date: Fri, 20 Sep 2024 19:55:15 +0530
Subject: [PATCH 1/2] fix: dataplane sanitise logic

---
 src/deviceModeInit.js | 2 +-
 src/loadingCode.js | 2 +-
 src/router.js | 29 +++++------------------------
 3 files changed, 7 insertions(+), 26 deletions(-)

diff --git a/src/deviceModeInit.js b/src/deviceModeInit.js
index c64b075..d0dd6c5 100644
--- a/src/deviceModeInit.js
+++ b/src/deviceModeInit.js
@@ -340,7 +340,7 @@ let _rudderTracking = (function () {
 // common function for sending anonymousId and sessionId Identifier
 function sendToRudderWebhook(data, type, updateTypeCookieFunction, retryAttempt = 0) {
- const webhookUrl = 'dataplaneUrl_placeHolder/v1/webhook?writeKey=writeKey_placeHolder';
+ const webhookUrl = 'https://dataplaneUrl_placeHolder/v1/webhook?writeKey=writeKey_placeHolder';
 const timeToRetry = 1000; // 1 second
 const maxRetries = 3;
 if (maxRetries > retryAttempt) {
diff --git a/src/loadingCode.js b/src/loadingCode.js
index 6dbedd1..a2f6ac1 100644
--- a/src/loadingCode.js
+++ b/src/loadingCode.js
@@ -23,7 +23,7 @@
 };
 })(method);
 }
- rudderanalytics.load('writeKey', 'dataPlaneUrl', {
+ rudderanalytics.load('writeKey', 'https://dataPlaneUrl', {
 configUrl: 'configBackendUrl',
 logLevel: 'DEBUG',
 });
diff --git a/src/router.js b/src/router.js
index 8a89da7..be8cb21 100644
--- a/src/router.js
+++ b/src/router.js
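Review bot: Nothing in the deviceModeInit.js hunk records that `dataplaneUrl_placeHolder` must be substituted with a bare hostname — the literal now fixes the `https://` scheme itself, so a substituted value that carried its own scheme, port or path would yield a malformed webhook URL, and the only thing enforcing that contract lives in router.js. Add `// dataplaneUrl_placeHolder is replaced by a bare hostname (allowlisted in router.js); the scheme is fixed here` above the `webhookUrl` declaration. The `'https://dataPlaneUrl'` literal in the loadingCode.js hunk has the same cross-file coupling and would benefit from the same one-line comment. sendToRudderWebhook's body continues outside the hunk.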
@@ -10,25 +10,8 @@ const configUrl = process.env.CONFIG_BACKEND_URL || 'https://api.rudderstack.com
 const jsSdkCdnUrl = process.env.JS_SDK_CDN || 'https://cdn.rudderlabs.com/v1.1/rudder-analytics.min.js';
-const ensureHttpsPrefix = (url) => {
- // Check if the URL starts with http:// or https://
- if (!/^https?:\/\//i.test(url)) {
- return `https://${url}`;
- }
- return url;
- };
-
-const formatDataPlaneURL = (dataPlaneUrl) => {
- // TODO :: Sanitize dataplane url with basic checks before prefixing with https
- const newDataPlaneUrl = ensureHttpsPrefix(dataPlaneUrl);
- try {
- new URL(newDataPlaneUrl); // This will throw if the URL is invalid
- return newDataPlaneUrl;
- } catch {
- return undefined;
- }
- };
 const isValidWriteKey = (writeKey) => /^[A-Za-z0-9_]{5,}$/.test(writeKey);
+const isValidDataPlaneURL = (dataPlaneUrl) => /^(?!:\/\/)([a-zA-Z0-9-_]{1,63}\.)+[a-zA-Z]{2,6}$/.test(dataPlaneUrl);
 router.get('/load', async (ctx) => {
 // only takes in writeKey and DataPlane Url
@@ -53,18 +36,16 @@ router.get('/load', async (ctx) => {
 const { writeKey, dataPlaneUrl } = ctx.request.query;
 console.log('writeKey', writeKey);
 console.log('dataplaneUrl', dataPlaneUrl);
- if (formatDataPlaneURL(dataPlaneUrl) === undefined || !isValidWriteKey(writeKey)) {
+ if (!isValidDataPlaneURL(dataPlaneUrl) || !isValidWriteKey(writeKey)) {
 ctx.response.body = {
 error: 'writeKey or dataPlaneUrl is invalid or missing',
 };
 ctx.status = 400;
 return ctx;
 }
- const formattedDataPlaneUrl = formatDataPlaneURL(dataPlaneUrl);
- console.log('formattedDataPlaneUrl', formattedDataPlaneUrl);
-
+
 d = d.replace('writeKey', writeKey);
- d = d.replace('dataPlaneUrl', formattedDataPlaneUrl);
+ d = d.replace('dataPlaneUrl', dataPlaneUrl);
 d = d.replace('configBackendUrl', configUrl);
 const pollTimeForSessionIdentifierCheck =
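Review bot: The new `isValidDataPlaneURL` regex rejects legitimate dataplane hosts whose top-level label is longer than six letters (such TLDs exist) and, since the `(?!:\/\/)` lookahead can never match when `:` is not in the following character class, that prefix is dead weight; the pattern also accepts a non-string value by coercion, so a repeated query parameter, if the query parser yields an array for it, is tested as its joined string. I would write it as `const isValidDataPlaneURL = (dataPlaneUrl) => typeof dataPlaneUrl === 'string' && /^([a-zA-Z0-9-_]{1,63}\.)+[a-zA-Z]{2,63}$/.test(dataPlaneUrl);`. Whatever the final shape, this allowlist is now the only thing that keeps a query-supplied value out of the string literal in the served snippet, because the `new URL` check is removed in the same hunk; record that with `// Allowlist only: the value is spliced into a JS snippet served to browsers, so quotes, backslash, $, < and / must stay excluded` above it.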
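Review bot: `d = d.replace('dataPlaneUrl', dataPlaneUrl)` in the second hunk passes a request-supplied string as a replacement, which `String.prototype.replace` interprets (`$&`, `` $` ``, `$'`, `$n` are special) and substitutes only at the first occurrence of the pattern; the call is safe only because `isValidDataPlaneURL` excludes `$` and every quoting character, and nothing near the call says so. Add `// safe only because dataPlaneUrl and writeKey are regex-allowlisted above: no $-sequences, no quote/backslash breakout` above the first `d.replace`, so that a later relaxation of either validator is recognised as a change to what reaches the served script. The `/load` handler starts and ends outside the hunk.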
@@ -73,7 +54,7 @@ router.get('/load', async (ctx) => {
 /sessionIdentifierPollTime_placeHolder/g,
 pollTimeForSessionIdentifierCheck,
 );
- deviceModeInit = deviceModeInit.replace(/dataplaneUrl_placeHolder/g, formattedDataPlaneUrl);
+ deviceModeInit = deviceModeInit.replace(/dataplaneUrl_placeHolder/g, dataPlaneUrl);
 deviceModeInit = deviceModeInit.replace(/writeKey_placeHolder/g, writeKey);
 deviceModeInit = deviceModeInit.replace(/configUrl_placeholder/g, configUrl);

From a1d7799402194870953115b380def034f14e2c0c Mon Sep 17 00:00:00 2001
From: Utsab Chowdhury
Date: Mon, 23 Sep 2024 11:34:33 +0530
Subject: [PATCH 2/2] chore: add logs for invalid writekey and dataplane URL

---
 src/router.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/router.js b/src/router.js
index be8cb21..ac20bb3 100644
--- a/src/router.js
+++ b/src/router.js
@@ -11,7 +11,8 @@
 const jsSdkCdnUrl = process.env.JS_SDK_CDN || 'https://cdn.rudderlabs.com/v1.1/rudder-analytics.min.js';
 const isValidWriteKey = (writeKey) => /^[A-Za-z0-9_]{5,}$/.test(writeKey);
-const isValidDataPlaneURL = (dataPlaneUrl) => /^(?!:\/\/)([a-zA-Z0-9-_]{1,63}\.)+[a-zA-Z]{2,6}$/.test(dataPlaneUrl);
+const isValidDataPlaneURL = (dataPlaneUrl) =>
+ /^(?!:\/\/)([a-zA-Z0-9-_]{1,63}\.)+[a-zA-Z]{2,6}$/.test(dataPlaneUrl);
 router.get('/load', async (ctx) => {
 // only takes in writeKey and DataPlane Url
@@ -37,13 +38,14 @@ router.get('/load', async (ctx) => {
 console.log('writeKey', writeKey);
 console.log('dataplaneUrl', dataPlaneUrl);
 if (!isValidDataPlaneURL(dataPlaneUrl) || !isValidWriteKey(writeKey)) {
+ console.log(`writeKey:${writeKey} or dataPlaneUrl:${dataPlaneUrl} is invalid or missing`);
 ctx.response.body = {
 error: 'writeKey or dataPlaneUrl is invalid or missing',
 };
 ctx.status = 400;
 return ctx;
 }
-
+
 d = d.replace('writeKey', writeKey);
 d = d.replace('dataPlaneUrl', dataPlaneUrl);
 d = d.replace('configBackendUrl', configUrl);
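Review bot: The `console.log` added in the last hunk of the second patch interpolates the two query values exactly because they failed validation, so at that point they are arbitrary, unbounded strings (or non-strings) from the request; a value containing a newline or other control characters is written into the log verbatim and can fabricate extra log lines, and an oversized value bloats the log. Encode the values before logging, `console.log('invalid /load request', JSON.stringify({ writeKey, dataPlaneUrl }));`, which neutralises control characters and also makes an array or undefined value visible for what it is; truncating each value before encoding would bound the line length. The two unconditional `console.log` lines just above the `if` print the same raw values on every request and deserve the same treatment. The `/load` handler starts and ends outside the hunk.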