fix: dataplane sanitise logic

rudderlabs · Sep 20, 2024 · fb2b740 · fb2b740
1 parent b8bff3e
commit fb2b740
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 26 deletions.
diff --git a/src/deviceModeInit.js b/src/deviceModeInit.js
@@ -340,7 +340,7 @@ let _rudderTracking = (function () {
 
   // common function for sending anonymousId and sessionId Identifier
   function sendToRudderWebhook(data, type, updateTypeCookieFunction, retryAttempt = 0) {
-    const webhookUrl = 'dataplaneUrl_placeHolder/v1/webhook?writeKey=writeKey_placeHolder';
+    const webhookUrl = 'https://dataplaneUrl_placeHolder/v1/webhook?writeKey=writeKey_placeHolder';
     const timeToRetry = 1000; // 1 second
     const maxRetries = 3;
     if (maxRetries > retryAttempt) {

diff --git a/src/loadingCode.js b/src/loadingCode.js
@@ -23,7 +23,7 @@
       };
     })(method);
   }
-  rudderanalytics.load('writeKey', 'dataPlaneUrl', {
+  rudderanalytics.load('writeKey', 'https://dataPlaneUrl', {
     configUrl: 'configBackendUrl',
     logLevel: 'DEBUG',
   });

diff --git a/src/router.js b/src/router.js
@@ -10,25 +10,8 @@ const configUrl = process.env.CONFIG_BACKEND_URL || 'https://api.rudderstack.com
 const jsSdkCdnUrl =
   process.env.JS_SDK_CDN || 'https://cdn.rudderlabs.com/v1.1/rudder-analytics.min.js';
 
-const ensureHttpsPrefix = (url) => {
-  // Check if the URL starts with http:// or https://
-  if (!/^https?:\/\//i.test(url)) {
-    return `https://${url}`;
-  }
-  return url;
-};
-
-const formatDataPlaneURL = (dataPlaneUrl) => {
-  // TODO :: Sanitize dataplane url with basic checks before prefixing with https
-  const newDataPlaneUrl = ensureHttpsPrefix(dataPlaneUrl);
-  try {
-    new URL(newDataPlaneUrl); // This will throw if the URL is invalid
-    return newDataPlaneUrl;
-  } catch {
-    return undefined;
-  }
-};
 const isValidWriteKey = (writeKey) => /^[A-Za-z0-9_]{5,}$/.test(writeKey);
+const isValidDataPlaneURL = (dataPlaneUrl) => /^(?!:\/\/)([a-zA-Z0-9-_]{1,63}\.)+[a-zA-Z]{2,6}$/.test(dataPlaneUrl);
 
 router.get('/load', async (ctx) => {
   // only takes in writeKey and DataPlane Url
@@ -53,18 +36,16 @@ router.get('/load', async (ctx) => {
   const { writeKey, dataPlaneUrl } = ctx.request.query;
   console.log('writeKey', writeKey);
   console.log('dataplaneUrl', dataPlaneUrl);
-  if (formatDataPlaneURL(dataPlaneUrl) === undefined || !isValidWriteKey(writeKey)) {
+  if (!isValidDataPlaneURL(dataPlaneUrl) || !isValidWriteKey(writeKey)) {
     ctx.response.body = {
       error: 'writeKey or dataPlaneUrl is invalid or missing',
     };
     ctx.status = 400;
     return ctx;
   }
-  const formattedDataPlaneUrl = formatDataPlaneURL(dataPlaneUrl);
-  console.log('formattedDataPlaneUrl', formattedDataPlaneUrl);
-
+
   d = d.replace('writeKey', writeKey);
-  d = d.replace('dataPlaneUrl', formattedDataPlaneUrl);
+  d = d.replace('dataPlaneUrl', dataPlaneUrl);
   d = d.replace('configBackendUrl', configUrl);
 
   const pollTimeForSessionIdentifierCheck =
@@ -73,7 +54,7 @@ router.get('/load', async (ctx) => {
     /sessionIdentifierPollTime_placeHolder/g,
     pollTimeForSessionIdentifierCheck,
   );
-  deviceModeInit = deviceModeInit.replace(/dataplaneUrl_placeHolder/g, formattedDataPlaneUrl);
+  deviceModeInit = deviceModeInit.replace(/dataplaneUrl_placeHolder/g, dataPlaneUrl);
   deviceModeInit = deviceModeInit.replace(/writeKey_placeHolder/g, writeKey);
   deviceModeInit = deviceModeInit.replace(/configUrl_placeholder/g, configUrl);