Fix XSS based prototype solution on Segment.io

juliofarah · juliofarah · commit 4882c0f11f6d · 2021-04-12T15:44:56.000-07:00
diff --git a/integrations/segmentio/lib/index.js b/integrations/segmentio/lib/index.js
@@ -15,7 +15,7 @@ var localstorage = require('yields-store');
 var protocol = require('@segment/protocol');
 var send = require('@segment/send-json');
 var topDomain = require('@segment/top-domain');
-var utm = require('@segment/utm-params');
+var utm = require('./utm');
 var uuid = require('uuid').v4;
 var Queue = require('@segment/localstorage-retry');
 
diff --git a/integrations/segmentio/lib/utm.js b/integrations/segmentio/lib/utm.js
@@ -0,0 +1,44 @@
+function utm(query) {
+  // Polyfills
+  if (!String.prototype.startsWith) {
+    Object.defineProperty(String.prototype, 'startsWith', {
+      value: function (search, rawPos) {
+        var pos = rawPos > 0 ? rawPos | 0 : 0
+        return this.substring(pos, pos + search.length) === search
+      }
+    })
+  }
+
+  if (!String.prototype.includes) {
+    String.prototype.includes = function (search, start) {
+      'use strict'
+
+      if (search instanceof RegExp) {
+        throw TypeError('first argument must not be a RegExp')
+      }
+      if (start === undefined) { start = 0 }
+      return this.indexOf(search, start) !== -1
+    }
+  }
+
+  if (query.startsWith('?')) {
+    query = query.substring(1)
+  }
+  query = query.replace(/\?/g, '&')
+
+  return query.split('&').reduce((acc, str) => {
+    var k = str.split('=')[0]
+    var v = str.split('=')[1]
+
+    if (k.includes('utm_')) {
+      var utmParam = k.substr(4)
+      if (utmParam === 'campaign') {
+        utmParam = 'name'
+      }
+      acc[utmParam] = v
+    }
+    return acc
+  })
+}
+
+module.exports = utm
diff --git a/integrations/segmentio/package.json b/integrations/segmentio/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@segment/analytics.js-integration-segmentio",
   "description": "The Segmentio analytics.js integration.",
-  "version": "4.4.1",
+  "version": "4.4.2",
   "keywords": [
     "analytics.js",
     "analytics.js-integration",
@@ -32,7 +32,6 @@
     "@segment/protocol": "^1.0.0",
     "@segment/send-json": "^3.0.0",
     "@segment/top-domain": "^3.0.0",
-    "@segment/utm-params": "^2.0.0",
     "component-clone": "^0.2.2",
     "component-cookie": "^1.1.2",
     "component-type": "^1.2.1",
diff --git a/yarn.lock b/yarn.lock
@@ -2280,14 +2280,6 @@
   resolved "https://registry.yarnpkg.com/@segment/trample/-/trample-0.2.0.tgz#5b141159f67b06efaa295d2ebe240b51096134c5"
   integrity sha1-WxQRWfZ7Bu+qKV0uviQLUQlhNMU=
 
-"@segment/utm-params@^2.0.0":
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/@segment/utm-params/-/utm-params-2.0.0.tgz#fea3c8a92bfba0d69e861fb3b26d7d882f139334"
-  integrity sha1-/qPIqSv7oNaehh+zsm19iC8TkzQ=
-  dependencies:
-    "@ndhoule/foldl" "^2.0.1"
-    component-querystring "^2.0.0"
-
 "@sinonjs/commons@^1", "@sinonjs/commons@^1.0.2", "@sinonjs/commons@^1.4.0":
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/@sinonjs/commons/-/commons-1.4.0.tgz#7b3ec2d96af481d7a0321252e7b1c94724ec5a78"
@@ -6526,7 +6518,7 @@ extend@3.0.1:
   resolved "https://registry.yarnpkg.com/extend/-/extend-3.0.1.tgz#a755ea7bc1adfcc5a31ce7e762dbaadc5e636444"
   integrity sha1-p1Xqe8Gt/MWjHOfnYtuq3F5jZEQ=
 
-extend@3.0.2, extend@^3.0.0, extend@^3.0.1, extend@^3.0.2, extend@~3.0.2:
+extend@3.0.2, extend@^3.0.0, extend@^3.0.2, extend@~3.0.2:
   version "3.0.2"
   resolved "https://registry.yarnpkg.com/extend/-/extend-3.0.2.tgz#f8b1136b4071fbd8eb140aff858b1019ec2915fa"
   integrity sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==
