Fix vulnerabilities by removing request dependency (#98)

Summary:
[`srcclr`](https://optimizely.sourceclear.io/teams/3OOu2k/scans/3772139?login=saml) flags `request` and some of its transitive dependencies as vulnerable. Since we are only barely using it, we can switch to the native node modules `http`/`https` instead. The result is a [clean run](https://optimizely.sourceclear.io/teams/3OOu2k/scans/3772270?login=saml).
```
$ srcclr scan .
SourceClear scanning engine ready
Running the NPM scanner
Scanning completed
Found 12997 lines of code
Processing results...
Processing results complete

Summary Report
Scan ID                                   614c7376-d1ae-4d77-ad5f-3078f6a17917
Scan Date & Time                          May 16 2018 04:26PM PDT
Account type                              PRO
Scan engine                               2.14.7 (latest 2.14.7)
Analysis time                             12 seconds
User                                      tbrandt
Project                                   /Users/tbrandt/optly/Projects/javascript-sdk/packages/optimizely-sdk
Package Manager(s)                        NPM

Open-Source Libraries
Total Libraries                           5
Direct Libraries                          5
Transitive Libraries                      0
Vulnerable Libraries                      0
Third Party Code                          77.4%

Security
With Vulnerable Methods                   0
High Risk Vulnerabilities                 0
Medium Risk Vulnerabilities               0
Low Risk Vulnerabilities                  0

Licenses
Unique Library Licenses                   3
Libraries Using GPL                       0
Libraries With No License                 1
Libraries With Multiple Licenses          1

Full Report Details                       https://optimizely.sourceclear.io/teams/3OOu2k/scans/3772270?login=saml
```

Also add srcclr.yml with `scope: production` so we can scan more easily in the correct way.

Test Plan: Existing automated tests

Reviewers: matt.carroll, ola.nordstrom, michael.hood, ali, greeshma

Reviewed By: ali, greeshma

JIRA Issues: OASIS-2776

Differential Revision: https://phabricator.optimizely.com/D19829

Author: Tyler Brandt

packages/optimizely-sdk/lib/optimizely/index.js

@@ -362,7 +362,7 @@ Optimizely.prototype.getForcedVariation = function(experimentKey, userId) {
 Optimizely.prototype.__validateInputs = function(stringInputs, userAttributes, eventTags) {
   try {
     var inputKeys = Object.keys(stringInputs);
-    for (var index=0; index < inputKeys.length; index++) {
+    for (var index = 0; index < inputKeys.length; index++) {
       var key = inputKeys[index];
       if (!stringValidator.validate(stringInputs[key])) {
         throw new Error(sprintf(ERROR_MESSAGES.INVALID_INPUT_FORMAT, MODULE_NAME, key));
@@ -449,12 +449,12 @@ Optimizely.prototype.__notActivatingExperiment = function(experimentKey, userId)
 Optimizely.prototype.__dispatchEvent = function (eventToDispatch, callback) {
     var eventDispatcherResponse = this.eventDispatcher.dispatchEvent(eventToDispatch, callback);
     //checking that response value is a promise, not a request object
-    if (typeof eventDispatcherResponse == "object" && !eventDispatcherResponse.hasOwnProperty('uri')) {
+    if (!fns.isEmpty(eventDispatcherResponse) && typeof eventDispatcherResponse.then === 'function') {
       eventDispatcherResponse.then(function() {
         callback();
       });
     }
-}
+};
 
 /**
  * Filters out attributes/eventTags with null or undefined values
@@ -464,11 +464,11 @@ Optimizely.prototype.__dispatchEvent = function (eventToDispatch, callback) {
 Optimizely.prototype.__filterEmptyValues = function (map) {
     for (var key in map) {
       if (map.hasOwnProperty(key) && (map[key] === null || map[key] === undefined)) {
-        delete map[key]
+        delete map[key];
       }
     }
     return map;
-}
+};
 
 /**
  * Returns true if the feature is enabled for the given user.

packages/optimizely-sdk/lib/plugins/event_dispatcher/index.node.js

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2017, Optimizely
+ * Copyright 2016-2018, Optimizely
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,35 +13,54 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-var request = require('request');
-
-var POST_HEADERS = {'content-type': 'application/json'};
+var http = require('http');
+var https = require('https');
+var url = require('url');
 
 module.exports = {
   /**
    * Dispatch an HTTP request to the given url and the specified options
    * @param {Object}  eventObj          Event object containing
    * @param {string}  eventObj.url      the url to make the request to
-   * @param {Object}  eventObj.params   parameters to pass to the request
-   * @param {string}  eventObj.httpVerb the HTTP request method type
+   * @param {Object}  eventObj.params   parameters to pass to the request (i.e. in the POST body)
+   * @param {string}  eventObj.httpVerb the HTTP request method type. only POST is supported.
    * @param {function} callback         callback to execute
-   * @return {Promise<Object>}          the payload from the request
+   * @return {ClientRequest|undefined}          ClientRequest object which made the request, or undefined if no request was made (error)
    */
   dispatchEvent: function(eventObj, callback) {
+    // Non-POST requests not supported
+    if (eventObj.httpVerb !== 'POST') {
+      callback(new Error('httpVerb not supported: ' + eventObj.httpVerb));
+      return;
+    }
+
+    var parsedUrl = url.parse(eventObj.url);
+    var path = parsedUrl.path;
+    if (parsedUrl.query) {
+      path += '?' + parsedUrl.query;
+    }
+
+    var dataString = JSON.stringify(eventObj.params);
+
     var requestOptions = {
-      uri: eventObj.url,
-      body: eventObj.params,
-      headers: POST_HEADERS,
-      method: eventObj.httpVerb,
-      json: true,
+      host: parsedUrl.host,
+      path: parsedUrl.path,
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        'content-length': dataString.length.toString(),
+      }
     };
 
     var requestCallback = function(error, response, body) {
       if (response && response.statusCode && response.statusCode >= 200 && response.statusCode < 400 && callback && typeof callback == 'function') {
         callback();
       }
-    }
+    };
 
-    return request(requestOptions, requestCallback);
+    var req = (parsedUrl.protocol === 'http:' ? http : https).request(requestOptions, requestCallback);
+    req.write(dataString);
+    req.end();
+    return req;
   }
 };

packages/optimizely-sdk/lib/plugins/event_dispatcher/index.node.tests.js

@@ -1,5 +1,5 @@
 /**
- * Copyright 2016-2017, Optimizely
+ * Copyright 2016-2018, Optimizely
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,7 +24,7 @@ describe('lib/plugins/event_dispatcher/node', function() {
     describe('dispatchEvent', function() {
       var stubCallback = {
         callback: function() {}
-      }
+      };
 
       beforeEach(function() {
         sinon.stub(stubCallback, 'callback');
@@ -43,7 +43,7 @@ describe('lib/plugins/event_dispatcher/node', function() {
       it('should send a POST request with the specified params', function(done) {
         var eventObj = {
           url: 'https://cdn.com/event',
-          body: {
+          params: {
             id: 123,
           },
           httpVerb: 'POST',
@@ -55,14 +55,14 @@ describe('lib/plugins/event_dispatcher/node', function() {
           done();
         })
         .on('error', function(error) {
-          assert.fail('status code okay', 'status code not okay', "")
-        })
+          assert.fail('status code okay', 'status code not okay', '');
+        });
       });
 
       it('should execute the callback passed to event dispatcher', function(done) {
         var eventObj = {
           url: 'https://cdn.com/event',
-          body: {
+          params: {
             id: 123,
           },
           httpVerb: 'POST',
@@ -74,10 +74,29 @@ describe('lib/plugins/event_dispatcher/node', function() {
           sinon.assert.calledOnce(stubCallback.callback);
         })
         .on('error', function(error) {
-          assert.fail('status code okay', 'status code not okay', "")
-        })
+          assert.fail('status code okay', 'status code not okay', '');
+        });
       });
 
+      it('rejects GET httpVerb', function(done) {
+        var eventObj = {
+          url: 'https://cdn.com/event',
+          params: {
+            id: 123,
+          },
+          httpVerb: 'GET',
+        };
+
+        var callback = function(err) {
+          if (err) {
+            done();
+          } else {
+            done(new Error('expected error not thrown'));
+          }
+        };
+
+        eventDispatcher.dispatchEvent(eventObj, callback);
+      });
     });
   });
 });

packages/optimizely-sdk/package.json

@@ -35,7 +35,6 @@
     "json-schema": "^0.2.3",
     "lodash": "^4.0.0",
     "murmurhash": "0.0.2",
-    "request": "~2.83.0",
     "sprintf": "^0.1.5",
     "uuid": "^3.0.1"
   },

packages/optimizely-sdk/srcclr.yml

@@ -0,0 +1 @@
+scope: production