From 0abbcab58ddcf6c6efe51db62a2fb1a561112531 Mon Sep 17 00:00:00 2001
From: Julio
Date: Mon, 12 Apr 2021 15:38:45 -0700
Subject: [PATCH 1/6] Fix XSS based prototype solution on Segment.io
---
 integrations/segmentio/lib/index.js | 2 +-
 integrations/segmentio/lib/utm.js | 44 +++++++++++++++++++++++++++++
 integrations/segmentio/package.json | 3 +-
 yarn.lock | 10 +------
 4 files changed, 47 insertions(+), 12 deletions(-)
 create mode 100644 integrations/segmentio/lib/utm.js
diff --git a/integrations/segmentio/lib/index.js b/integrations/segmentio/lib/index.js
index b090de442..49fdd3b78 100644
--- a/integrations/segmentio/lib/index.js
+++ b/integrations/segmentio/lib/index.js
@@ -15,7 +15,7 @@ var localstorage = require('yields-store');
 var protocol = require('@segment/protocol');
 var send = require('@segment/send-json');
 var topDomain = require('@segment/top-domain');
-var utm = require('@segment/utm-params');
+var utm = require('./utm');
 var uuid = require('uuid').v4;
 var Queue = require('@segment/localstorage-retry');
 
diff --git a/integrations/segmentio/lib/utm.js b/integrations/segmentio/lib/utm.js
new file mode 100644
index 000000000..dc775ec03
--- /dev/null
+++ b/integrations/segmentio/lib/utm.js
@@ -0,0 +1,44 @@
+function utm(query) {
+ // Polyfills
+ if (!String.prototype.startsWith) {
+ Object.defineProperty(String.prototype, 'startsWith', {
+ value: function (search, rawPos) {
+ var pos = rawPos > 0 ? rawPos | 0 : 0
+ return this.substring(pos, pos + search.length) === search
+ }
+ })
+ }
+
+ if (!String.prototype.includes) {
+ String.prototype.includes = function (search, start) {
+ 'use strict'
+
+ if (search instanceof RegExp) {
+ throw TypeError('first argument must not be a RegExp')
+ }
+ if (start === undefined) { start = 0 }
+ return this.indexOf(search, start) !== -1
+ }
+ }
+
+ if (query.startsWith('?')) {
+ query = query.substring(1)
+ }
+ query = query.replace(/\?/g, '&')
+
+ return query.split('&').reduce((acc, str) => {
+ var k = str.split('=')[0]
+ var v = str.split('=')[1]
+
+ if (k.includes('utm_')) {
+ var utmParam = k.substr(4)
+ if (utmParam === 'campaign') {
+ utmParam = 'name'
+ }
+ acc[utmParam] = v
+ }
+ return acc
+ })
+}
+
+module.exports = utm
\ No newline at end of file
diff --git a/integrations/segmentio/package.json b/integrations/segmentio/package.json
index 9af665e52..e0e69131b 100644
--- a/integrations/segmentio/package.json
+++ b/integrations/segmentio/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@segment/analytics.js-integration-segmentio",
 "description": "The Segmentio analytics.js integration.",
- "version": "4.4.1",
+ "version": "4.4.2-beta.0",
 "keywords": [
 "analytics.js",
 "analytics.js-integration",
@@ -32,7 +32,6 @@
 "@segment/protocol": "^1.0.0",
 "@segment/send-json": "^3.0.0",
 "@segment/top-domain": "^3.0.0",
- "@segment/utm-params": "^2.0.0",
 "component-clone": "^0.2.2",
 "component-cookie": "^1.1.2",
 "component-type": "^1.2.1",
diff --git a/yarn.lock b/yarn.lock
index c213a3818..7804ee683 100644
--- a/yarn.lock
+++ b/yarn.lock
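Review bot: The `reduce` that builds the result (`query.split('&').reduce((acc, str) => {`) is called without an initial value, so the first `key=value` string becomes `acc`: `acc[utmParam] = v` is then a silent no-op on a string primitive (a TypeError under strict mode) and utm() returns that string instead of an object, which breaks the object contract index.js presumably relied on from the replaced `@segment/utm-params`. Seed the accumulator with an empty object: `}, {})`. The same call survives unchanged in the PATCH 3/6 hunk (`reduce(function(acc, str) {`), so the fix is needed there as well. Values are stored verbatim — `str.split('=')[1]` is neither URL-decoded nor tolerant of a second `=` — so a `utm_campaign=a%20b` arrives as `a%20b`; say so in a comment if that is intended, otherwise decode with `decodeURIComponent` inside a try/catch. Because keys come straight from the URL, names such as `utm_constructor` become own properties of the returned object, so whatever consumes it should use own-property checks rather than truthiness when reading fields.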
@@ -2280,14 +2280,6 @@
 resolved "https://registry.yarnpkg.com/@segment/trample/-/trample-0.2.0.tgz#5b141159f67b06efaa295d2ebe240b51096134c5"
 integrity sha1-WxQRWfZ7Bu+qKV0uviQLUQlhNMU=
 
-"@segment/utm-params@^2.0.0":
- version "2.0.0"
- resolved "https://registry.yarnpkg.com/@segment/utm-params/-/utm-params-2.0.0.tgz#fea3c8a92bfba0d69e861fb3b26d7d882f139334"
- integrity sha1-/qPIqSv7oNaehh+zsm19iC8TkzQ=
- dependencies:
- "@ndhoule/foldl" "^2.0.1"
- component-querystring "^2.0.0"
-
 "@sinonjs/commons@^1", "@sinonjs/commons@^1.0.2", "@sinonjs/commons@^1.4.0":
 version "1.4.0"
 resolved "https://registry.yarnpkg.com/@sinonjs/commons/-/commons-1.4.0.tgz#7b3ec2d96af481d7a0321252e7b1c94724ec5a78"
@@ -6526,7 +6518,7 @@ extend@3.0.1:
 resolved "https://registry.yarnpkg.com/extend/-/extend-3.0.1.tgz#a755ea7bc1adfcc5a31ce7e762dbaadc5e636444"
 integrity sha1-p1Xqe8Gt/MWjHOfnYtuq3F5jZEQ=
 
-extend@3.0.2, extend@^3.0.0, extend@^3.0.1, extend@^3.0.2, extend@~3.0.2:
+extend@3.0.2, extend@^3.0.0, extend@^3.0.2, extend@~3.0.2:
 version "3.0.2"
 resolved "https://registry.yarnpkg.com/extend/-/extend-3.0.2.tgz#f8b1136b4071fbd8eb140aff858b1019ec2915fa"
 integrity sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==
From c88c6c465617704d1ec0b6a261f406602f4549f1 Mon Sep 17 00:00:00 2001
From: Julio
Date: Mon, 12 Apr 2021 17:10:02 -0700
Subject: [PATCH 2/6] remove includes polyfill
---
 integrations/segmentio/lib/utm.js | 22 ++++------------------
 1 file changed, 4 insertions(+), 18 deletions(-)
diff --git a/integrations/segmentio/lib/utm.js b/integrations/segmentio/lib/utm.js
index dc775ec03..84f3f10ba 100644
--- a/integrations/segmentio/lib/utm.js
+++ b/integrations/segmentio/lib/utm.js
@@ -1,23 +1,9 @@
 function utm(query) {
 // Polyfills
 if (!String.prototype.startsWith) {
- Object.defineProperty(String.prototype, 'startsWith', {
- value: function (search, rawPos) {
- var pos = rawPos > 0 ? rawPos | 0 : 0
- return this.substring(pos, pos + search.length) === search
- }
- })
- }
-
- if (!String.prototype.includes) {
- String.prototype.includes = function (search, start) {
- 'use strict'
-
- if (search instanceof RegExp) {
- throw TypeError('first argument must not be a RegExp')
- }
- if (start === undefined) { start = 0 }
- return this.indexOf(search, start) !== -1
+ String.prototype.startsWith = function(search, rawPos) {
+ var pos = rawPos > 0 ? rawPos | 0 : 0
+ return this.substring(pos, pos + search.length) === search
 }
 }
 
@@ -16,7 +16,7 @@ function utm(query) {
 var k = str.split('=')[0]
 var v = str.split('=')[1]
 
- if (k.includes('utm_')) {
+ if (k.indexOf('utm_') !== -1) {
 var utmParam = k.substr(4)
 if (utmParam === 'campaign') {
 utmParam = 'name'
From c944c8cccfa6eb592f3819edf40915f934d34ddc Mon Sep 17 00:00:00 2001
From: Julio
Date: Mon, 12 Apr 2021 17:16:39 -0700
Subject: [PATCH 3/6] remove polyfills and arrow func
---
 integrations/segmentio/lib/utm.js | 13 +++---------
 1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/integrations/segmentio/lib/utm.js b/integrations/segmentio/lib/utm.js
index 84f3f10ba..12f7d3d7c 100644
--- a/integrations/segmentio/lib/utm.js
+++ b/integrations/segmentio/lib/utm.js
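Review bot: `if (k.indexOf('utm_') !== -1) {` in the second hunk keeps the anywhere-in-string semantics of the removed `includes` call, while the `k.substr(4)` on the next line assumes `utm_` is a prefix, so a key such as `x_utm_source` is accepted and stored under the mangled name `tm_source`. Make it a prefix test instead: `if (k.indexOf('utm_') === 0) {`. The reduce callback containing this line begins outside the hunk.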
@@ -1,18 +1,11 @@
 function utm(query) {
- // Polyfills
- if (!String.prototype.startsWith) {
- String.prototype.startsWith = function(search, rawPos) {
- var pos = rawPos > 0 ? rawPos | 0 : 0
- return this.substring(pos, pos + search.length) === search
- }
- }
-
- if (query.startsWith('?')) {
+ if (query.lastIndexOf('?', 0) === 0) {
 query = query.substring(1)
 }
+
 query = query.replace(/\?/g, '&')
 
- return query.split('&').reduce((acc, str) => {
+ return query.split('&').reduce(function(acc, str) {
 var k = str.split('=')[0]
 var v = str.split('=')[1]
 
From 9e10a5d280e0dfd9aaa15d3995b7045cc6c5ec99 Mon Sep 17 00:00:00 2001
From: Julio
Date: Mon, 12 Apr 2021 17:28:58 -0700
Subject: [PATCH 4/6] 4.4.2.-beta.1
---
 integrations/segmentio/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/integrations/segmentio/package.json b/integrations/segmentio/package.json
index e0e69131b..9fb450c7a 100644
--- a/integrations/segmentio/package.json
+++ b/integrations/segmentio/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@segment/analytics.js-integration-segmentio",
 "description": "The Segmentio analytics.js integration.",
- "version": "4.4.2-beta.0",
+ "version": "4.4.2-beta.1",
 "keywords": [
 "analytics.js",
 "analytics.js-integration",
From c359b297c26993cd821fcd79c4aaa94eac356def Mon Sep 17 00:00:00 2001
From: Julio
Date: Mon, 12 Apr 2021 18:59:41 -0700
Subject: [PATCH 5/6] bring ads
---
 integrations/segmentio/lib/ads.js | 28 ++++++++++++++++++++++++++++
 integrations/segmentio/lib/index.js | 2 +-
 integrations/segmentio/package.json | 3 +--
 yarn.lock | 7 -------
 4 files changed, 30 insertions(+), 10 deletions(-)
 create mode 100644 integrations/segmentio/lib/ads.js
diff --git a/integrations/segmentio/lib/ads.js b/integrations/segmentio/lib/ads.js
new file mode 100644
index 000000000..5f2c7b7cd
--- /dev/null
+++ b/integrations/segmentio/lib/ads.js
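Review bot: utm() now stands in for a published package but still has no header comment, so its contract — a query string with or without its leading `?`, extra `?` treated as separators, output keyed by the `utm_` names with the prefix stripped, and `campaign` renamed to `name` further down the function — has to be reverse-engineered from the body. A JSDoc block above `function utm(query) {` with `@param {string} query` and `@returns {Object}` stating those points would do; it would also be the natural place to record whether the returned values are meant to stay URL-encoded. The function body continues past the end of the hunk.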
@@ -0,0 +1,28 @@
+function ads(query) {
+ var queryIds = {
+ btid: 'dataxu',
+ urid: 'millennial-media',
+ }
+
+ if (query.lastIndexOf('?', 0) === 0) {
+ query = query.substring(1)
+ }
+
+ query = query.replace(/\?/g, '&')
+
+ var parts = query.split('&')
+
+ for (var i = 0; i < parts.length; i++) {
+ var k = parts[i].split('=')[0]
+ var v = parts[i].split('=')[1]
+
+ if (queryIds[k]) {
+ return {
+ id: v,
+ type: queryIds[k],
+ }
+ }
+ }
+}
+
+module.exports = ads
\ No newline at end of file
diff --git a/integrations/segmentio/lib/index.js b/integrations/segmentio/lib/index.js
index 49fdd3b78..63bb2750f 100644
--- a/integrations/segmentio/lib/index.js
+++ b/integrations/segmentio/lib/index.js
@@ -4,7 +4,7 @@
 * Module dependencies.
 */
 
-var ads = require('@segment/ad-params');
+var ads = require('./ads');
 var clone = require('component-clone');
 var cookie = require('component-cookie');
 var extend = require('@ndhoule/extend');
diff --git a/integrations/segmentio/package.json b/integrations/segmentio/package.json
index 9fb450c7a..adc988556 100644
--- a/integrations/segmentio/package.json
+++ b/integrations/segmentio/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@segment/analytics.js-integration-segmentio",
 "description": "The Segmentio analytics.js integration.",
- "version": "4.4.2-beta.1",
+ "version": "4.4.2-beta.2",
 "keywords": [
 "analytics.js",
 "analytics.js-integration",
@@ -26,7 +26,6 @@
 "dependencies": {
 "@ndhoule/extend": "^2.0.0",
 "@ndhoule/keys": "^2.0.0",
- "@segment/ad-params": "^1.0.0",
 "@segment/analytics.js-integration": "^2.1.0",
 "@segment/localstorage-retry": "^1.2.2",
 "@segment/protocol": "^1.0.0",
diff --git a/yarn.lock b/yarn.lock
index 7804ee683..9f6b62a7c 100644
--- a/yarn.lock
+++ b/yarn.lock
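Review bot: `if (queryIds[k]) {` looks the URL-supplied key up through the prototype chain, so a query such as `?constructor=1` or `?toString=1` is treated as a known ad id and ads() hands its caller `{ id: '1', type: <Object.prototype member> }`. Restrict the guard to own keys — `if (Object.prototype.hasOwnProperty.call(queryIds, k)) {` — which also keeps `type: queryIds[k]` on the line below limited to the two declared entries. As in utm.js, `v` comes from `parts[i].split('=')[1]` without URL-decoding and loses anything after a second `=`; a comment should state whether the raw encoded value is intended. A one-line header such as `// Returns { id, type } for the first dataxu (btid) / millennial-media (urid) click id in the query string, or undefined.` would also document the implicit undefined return at the end of the loop.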
@@ -1787,13 +1787,6 @@
 dependencies:
 any-observable "^0.3.0"
 
-"@segment/ad-params@^1.0.0":
- version "1.0.0"
- resolved "https://registry.yarnpkg.com/@segment/ad-params/-/ad-params-1.0.0.tgz#e02ded70a7f8db952af03c21208f47201b86bc95"
- integrity sha1-4C3tcKf425Uq8DwhII9HIBuGvJU=
- dependencies:
- component-querystring "^2.0.0"
-
 "@segment/alias@^1.0.0", "@segment/alias@^1.0.1", "@segment/alias@^1.0.2":
 version "1.0.2"
 resolved "https://registry.yarnpkg.com/@segment/alias/-/alias-1.0.2.tgz#1ce0d2a28df59706a1b5c92fb99c0c48adc22ec1"
From 606cf3ddc868110c53de9f052efe6e751b8a9db6 Mon Sep 17 00:00:00 2001
From: Julio
Date: Tue, 13 Apr 2021 14:59:46 -0700
Subject: [PATCH 6/6] remove beta tag
---
 integrations/segmentio/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/integrations/segmentio/package.json b/integrations/segmentio/package.json
index adc988556..c5b061545 100644
--- a/integrations/segmentio/package.json
+++ b/integrations/segmentio/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@segment/analytics.js-integration-segmentio",
 "description": "The Segmentio analytics.js integration.",
- "version": "4.4.2-beta.2",
+ "version": "4.4.2",
 "keywords": [
 "analytics.js",
 "analytics.js-integration",