Fix XSS based prototype solution on Segment.io (#582)

Julio Farah · web-flow · commit c2a21c26aa58 · 2021-04-13T15:37:52.000-07:00
* Fix XSS based prototype solution on Segment.io

* remove includes polyfill

* remove polyfills and arrow func

* 4.4.2.-beta.1

* bring ads

* remove beta tag
diff --git a/integrations/segmentio/lib/ads.js b/integrations/segmentio/lib/ads.js
@@ -0,0 +1,28 @@
+function ads(query) {
+  var queryIds = {
+    btid: 'dataxu',
+    urid: 'millennial-media',
+  }
+
+  if (query.lastIndexOf('?', 0) === 0) {
+    query = query.substring(1)
+  }
+
+  query = query.replace(/\?/g, '&')
+
+  var parts = query.split('&')
+
+  for (var i = 0; i < parts.length; i++) {
+    var k = parts[i].split('=')[0]
+    var v = parts[i].split('=')[1]
+
+    if (queryIds[k]) {
+      return {
+        id: v,
+        type: queryIds[k],
+      }
+    }
+  }
+}
+
+module.exports = ads
diff --git a/integrations/segmentio/lib/index.js b/integrations/segmentio/lib/index.js
@@ -4,7 +4,7 @@
  * Module dependencies.
  */
 
-var ads = require('@segment/ad-params');
+var ads = require('./ads');
 var clone = require('component-clone');
 var cookie = require('component-cookie');
 var extend = require('@ndhoule/extend');
@@ -15,7 +15,7 @@ var localstorage = require('yields-store');
 var protocol = require('@segment/protocol');
 var send = require('@segment/send-json');
 var topDomain = require('@segment/top-domain');
-var utm = require('@segment/utm-params');
+var utm = require('./utm');
 var uuid = require('uuid').v4;
 var Queue = require('@segment/localstorage-retry');
 
diff --git a/integrations/segmentio/lib/utm.js b/integrations/segmentio/lib/utm.js
@@ -0,0 +1,23 @@
+function utm(query) {
+  if (query.lastIndexOf('?', 0) === 0) {
+    query = query.substring(1)
+  }
+
+  query = query.replace(/\?/g, '&')
+
+  return query.split('&').reduce(function(acc, str) {
+    var k = str.split('=')[0]
+    var v = str.split('=')[1]
+
+    if (k.indexOf('utm_') !== -1) {
+      var utmParam = k.substr(4)
+      if (utmParam === 'campaign') {
+        utmParam = 'name'
+      }
+      acc[utmParam] = v
+    }
+    return acc
+  })
+}
+
+module.exports = utm
diff --git a/integrations/segmentio/package.json b/integrations/segmentio/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@segment/analytics.js-integration-segmentio",
   "description": "The Segmentio analytics.js integration.",
-  "version": "4.4.1",
+  "version": "4.4.2",
   "keywords": [
     "analytics.js",
     "analytics.js-integration",
@@ -26,13 +26,11 @@
   "dependencies": {
     "@ndhoule/extend": "^2.0.0",
     "@ndhoule/keys": "^2.0.0",
-    "@segment/ad-params": "^1.0.0",
     "@segment/analytics.js-integration": "^2.1.0",
     "@segment/localstorage-retry": "^1.2.2",
     "@segment/protocol": "^1.0.0",
     "@segment/send-json": "^3.0.0",
     "@segment/top-domain": "^3.0.0",
-    "@segment/utm-params": "^2.0.0",
     "component-clone": "^0.2.2",
     "component-cookie": "^1.1.2",
     "component-type": "^1.2.1",
diff --git a/yarn.lock b/yarn.lock
@@ -1787,13 +1787,6 @@
   dependencies:
     any-observable "^0.3.0"
 
-"@segment/ad-params@^1.0.0":
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/@segment/ad-params/-/ad-params-1.0.0.tgz#e02ded70a7f8db952af03c21208f47201b86bc95"
-  integrity sha1-4C3tcKf425Uq8DwhII9HIBuGvJU=
-  dependencies:
-    component-querystring "^2.0.0"
-
 "@segment/alias@^1.0.0", "@segment/alias@^1.0.1", "@segment/alias@^1.0.2":
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/@segment/alias/-/alias-1.0.2.tgz#1ce0d2a28df59706a1b5c92fb99c0c48adc22ec1"
@@ -2280,14 +2273,6 @@
   resolved "https://registry.yarnpkg.com/@segment/trample/-/trample-0.2.0.tgz#5b141159f67b06efaa295d2ebe240b51096134c5"
   integrity sha1-WxQRWfZ7Bu+qKV0uviQLUQlhNMU=
 
-"@segment/utm-params@^2.0.0":
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/@segment/utm-params/-/utm-params-2.0.0.tgz#fea3c8a92bfba0d69e861fb3b26d7d882f139334"
-  integrity sha1-/qPIqSv7oNaehh+zsm19iC8TkzQ=
-  dependencies:
-    "@ndhoule/foldl" "^2.0.1"
-    component-querystring "^2.0.0"
-
 "@sinonjs/commons@^1", "@sinonjs/commons@^1.0.2", "@sinonjs/commons@^1.4.0":
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/@sinonjs/commons/-/commons-1.4.0.tgz#7b3ec2d96af481d7a0321252e7b1c94724ec5a78"
@@ -6526,7 +6511,7 @@ extend@3.0.1:
   resolved "https://registry.yarnpkg.com/extend/-/extend-3.0.1.tgz#a755ea7bc1adfcc5a31ce7e762dbaadc5e636444"
   integrity sha1-p1Xqe8Gt/MWjHOfnYtuq3F5jZEQ=
 
-extend@3.0.2, extend@^3.0.0, extend@^3.0.1, extend@^3.0.2, extend@~3.0.2:
+extend@3.0.2, extend@^3.0.0, extend@^3.0.2, extend@~3.0.2:
   version "3.0.2"
   resolved "https://registry.yarnpkg.com/extend/-/extend-3.0.2.tgz#f8b1136b4071fbd8eb140aff858b1019ec2915fa"
   integrity sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==
