Skip to content

Fix vulnerabilities by removing request dependency #98

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
May 21, 2018
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,8 @@ node_js:
- '4'
- '6'
- '8'
- node
- '9'
- '10'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like Node 10 might be causing issues?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I was talking about it with @aliabbasrizvi on Friday. It's affecting master as well (https://travis-ci.org/optimizely/javascript-sdk/builds/380812924), hence the other PR #101

branches:
only:
- master
Expand Down
10 changes: 5 additions & 5 deletions packages/optimizely-sdk/lib/optimizely/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -362,7 +362,7 @@ Optimizely.prototype.getForcedVariation = function(experimentKey, userId) {
Optimizely.prototype.__validateInputs = function(stringInputs, userAttributes, eventTags) {
try {
var inputKeys = Object.keys(stringInputs);
for (var index=0; index < inputKeys.length; index++) {
for (var index = 0; index < inputKeys.length; index++) {
var key = inputKeys[index];
if (!stringValidator.validate(stringInputs[key])) {
throw new Error(sprintf(ERROR_MESSAGES.INVALID_INPUT_FORMAT, MODULE_NAME, key));
Expand Down Expand Up @@ -449,12 +449,12 @@ Optimizely.prototype.__notActivatingExperiment = function(experimentKey, userId)
Optimizely.prototype.__dispatchEvent = function (eventToDispatch, callback) {
var eventDispatcherResponse = this.eventDispatcher.dispatchEvent(eventToDispatch, callback);
//checking that response value is a promise, not a request object
if (typeof eventDispatcherResponse == "object" && !eventDispatcherResponse.hasOwnProperty('uri')) {
if (!fns.isEmpty(eventDispatcherResponse) && typeof eventDispatcherResponse.then === 'function') {
eventDispatcherResponse.then(function() {
callback();
});
}
}
};

/**
* Filters out attributes/eventTags with null or undefined values
Expand All @@ -464,11 +464,11 @@ Optimizely.prototype.__dispatchEvent = function (eventToDispatch, callback) {
Optimizely.prototype.__filterEmptyValues = function (map) {
for (var key in map) {
if (map.hasOwnProperty(key) && (map[key] === null || map[key] === undefined)) {
delete map[key]
delete map[key];
}
}
return map;
}
};

/**
* Returns true if the feature is enabled for the given user.
Expand Down
43 changes: 31 additions & 12 deletions packages/optimizely-sdk/lib/plugins/event_dispatcher/index.node.js
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/**
* Copyright 2016-2017, Optimizely
* Copyright 2016-2018, Optimizely
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -13,9 +13,9 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
var request = require('request');

var POST_HEADERS = {'content-type': 'application/json'};
var http = require('http');
var https = require('https');
var url = require('url');

module.exports = {
/**
Expand All @@ -25,23 +25,42 @@ module.exports = {
* @param {Object} eventObj.params parameters to pass to the request
* @param {string} eventObj.httpVerb the HTTP request method type
* @param {function} callback callback to execute
* @return {Promise<Object>} the payload from the request
* @return {ClientRequest} ClientRequest object which made the request
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also document that we return undefined if the req is non POSt? Or we can return an explicit null in that case as well

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I'll update this

*/
dispatchEvent: function(eventObj, callback) {
// Non-POST requests not supported
if (eventObj.httpVerb !== 'POST') {
callback(new Error('httpVerb not supported: ' + eventObj.httpVerb));
return;
}

var parsedUrl = url.parse(eventObj.url);
var path = parsedUrl.path;
if (parsedUrl.query) {
path += '?' + parsedUrl.query;
}

var dataString = JSON.stringify(eventObj.params);

var requestOptions = {
uri: eventObj.url,
body: eventObj.params,
headers: POST_HEADERS,
method: eventObj.httpVerb,
json: true,
host: parsedUrl.host,
path: parsedUrl.path,
method: 'POST',
headers: {
'content-type': 'application/json',
'content-length': dataString.length.toString(),
}
};

var requestCallback = function(error, response, body) {
if (response && response.statusCode && response.statusCode >= 200 && response.statusCode < 400 && callback && typeof callback == 'function') {
callback();
}
}
};

return request(requestOptions, requestCallback);
var req = (parsedUrl.protocol === 'http:' ? http : https).request(requestOptions, requestCallback);
req.write(dataString);
req.end();
return req;
}
};
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ describe('lib/plugins/event_dispatcher/node', function() {
describe('dispatchEvent', function() {
var stubCallback = {
callback: function() {}
}
};

beforeEach(function() {
sinon.stub(stubCallback, 'callback');
Expand All @@ -43,7 +43,7 @@ describe('lib/plugins/event_dispatcher/node', function() {
it('should send a POST request with the specified params', function(done) {
var eventObj = {
url: 'https://cdn.com/event',
body: {
params: {
id: 123,
},
httpVerb: 'POST',
Expand All @@ -55,14 +55,14 @@ describe('lib/plugins/event_dispatcher/node', function() {
done();
})
.on('error', function(error) {
assert.fail('status code okay', 'status code not okay', "")
})
assert.fail('status code okay', 'status code not okay', '');
});
});

it('should execute the callback passed to event dispatcher', function(done) {
var eventObj = {
url: 'https://cdn.com/event',
body: {
params: {
id: 123,
},
httpVerb: 'POST',
Expand All @@ -74,10 +74,29 @@ describe('lib/plugins/event_dispatcher/node', function() {
sinon.assert.calledOnce(stubCallback.callback);
})
.on('error', function(error) {
assert.fail('status code okay', 'status code not okay', "")
})
assert.fail('status code okay', 'status code not okay', '');
});
});

it('rejects GET httpVerb', function(done) {
var eventObj = {
url: 'https://cdn.com/event',
params: {
id: 123,
},
httpVerb: 'GET',
};

var callback = function(err) {
if (err) {
done();
} else {
done(new Error('expected error not thrown'));
}
};

eventDispatcher.dispatchEvent(eventObj, callback);
});
});
});
});
1 change: 0 additions & 1 deletion packages/optimizely-sdk/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@
"json-schema": "^0.2.3",
"lodash": "^4.0.0",
"murmurhash": "0.0.2",
"request": "~2.83.0",
"sprintf": "^0.1.5",
"uuid": "^3.0.1"
},
Expand Down
1 change: 1 addition & 0 deletions packages/optimizely-sdk/srcclr.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
scope: production