Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: encode &, < and > to html counterparts in adobe analytics #2854

Merged
merged 2 commits into from
Nov 30, 2023
Merged

fix: encode &, < and > to html counterparts in adobe analytics #2854

merged 2 commits into from
Nov 30, 2023

Conversation

yashasvibajpai
Copy link
Contributor

@yashasvibajpai yashasvibajpai commented Nov 28, 2023
edited
Loading

What are the changes introduced in this PR?

Resolves INT-1042

Please explain the objectives of your changes below

There was a discrepancy informed regarding handling of url values in the XML sent to Adobe. The url values need to be properly encoded and escaped as per the doc here.

Type of change

If the pull request is a bug-fix, enhancement or a refactor, please fill in the details on the changes made.
bug-fix

  • Existing capabilities/behavior
    URLs were being passed unencoded.

  • New capabilities/behavior
    &, < and > are now encoded to their respective html counterparts and url values are properly encoded.

If the pull request is a new feature,

Any technical or performance related pointers to consider with the change?

Some values, if being rejected or discarded by Adobe till now will be accepted going ahead.

Any new dependencies introduced with this change?

N/A

Any new generic utility introduced or modified. Please explain the changes.

N/A

If the PR has changes in more than 10 files, please mention why the changes were not split into multiple PRs.

N/A

If multiple linear tasks are associated with the PR changes, please elaborate on the reason:

N/A

Developer checklist

  • No breaking changes are being introduced.

  • Are all related docs linked with the PR?

  • Are all changes manually tested?

  • Does this change require any documentation changes?

  • Are relevant unit and component test-cases added?

Reviewer checklist

  • Is the type of change in the PR title appropriate as per the changes?

  • Verified that there are no credentials or confidential data exposed with the changes.

Summary by CodeRabbit

  • New Features

    • Implemented HTML escaping for URL fields to enhance security against XSS attacks.

  • Bug Fixes

    • Ensured special characters in URLs are correctly escaped to prevent HTML injection.

  • Tests

    • Updated test descriptions to reflect specific event types.
    • Modified test URLs and payloads to include new query parameters for comprehensive testing.
    • Adjusted test data to test for proper escaping of special characters in URLs.

@yashasvibajpai yashasvibajpai self-assigned this Nov 28, 2023
@yashasvibajpai yashasvibajpai requested review from a team and sivashanmukh as code owners November 28, 2023 11:25
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Nov 28, 2023
edited
Loading

Important

Auto Review Skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository.

To trigger a single review, invoke the @coderabbitai review command.

Walkthrough

The changes involve enhancing security and data clarity in an Adobe Analytics integration. A new utility function escapeToHTML is introduced to sanitize URLs, preventing XSS attacks by escaping HTML special characters. This function is now used in the transformation logic for Adobe Analytics payloads. Additionally, test data has been updated to reflect new event types and include more complex URL structures, ensuring the integration handles these scenarios correctly.

Changes

File Path Change Summary
src/v0/.../transform.js Introduced escapeToHTML for sanitizing linkURL and pageUrl.
src/v0/.../utils.js Added escapeToHTML function; updated exports and ruderPropToDestMap to use it.
test/.../processor/data.ts Updated description with event types, added query params to URLs, and made minor data adjustments.

🐇✨
In the code's burrow, deep and vast,
A rabbit works to secure the past.
Escaping HTML, with care so true,
Ensuring data's safe for me and you. 🌐🔒

Tips

Chat with CodeRabbit Bot (@coderabbitai)

  • If you reply to a review comment from CodeRabbit, the bot will automatically respond.
  • To engage with CodeRabbit bot directly around the specific lines of code in the PR, mention @coderabbitai in your review comment
  • Note: Review comments are made on code diffs or files, not on the PR overview.
  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Commands (invoked as PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai help to get help.

Note: For conversation with the bot, please use the review comments on code diffs or files.

CodeRabbit Configration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • The JSON schema for the configuration file is available here.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

coderabbitai[bot]
coderabbitai bot reviewed Nov 28, 2023
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits Files that changed from the base of the PR and between 8c02b8c and 46dc69c.
Files selected for processing (3)
  • src/v0/destinations/adobe_analytics/transform.js (3 hunks)
  • src/v0/destinations/adobe_analytics/utils.js (3 hunks)
  • test/integrations/destinations/adobe_analytics/processor/data.ts (23 hunks)
Additional comments: 15
src/v0/destinations/adobe_analytics/transform.js (4)

  • 27-30: The import of the escapeToHTML function is correct and follows the established pattern of importing utility functions from ./utils.

  • 77-81: The application of escapeToHTML to payload.linkURL is a good security practice to prevent XSS vulnerabilities by escaping HTML special characters.

  • 99-103: The application of escapeToHTML to payload.pageUrl is a good security practice to prevent XSS vulnerabilities by escaping HTML special characters.

  • 104-105: Consider whether payload.pageName should also be escaped using escapeToHTML if it can contain user input or other data that might be at risk for XSS.

src/v0/destinations/adobe_analytics/utils.js (3)

  • 85-94: The escapeToHTML function correctly replaces special characters with their HTML entities to prevent XSS vulnerabilities.

  • 109-122: The rudderPropToDestMap function correctly uses escapeToHTML to escape values before adding them to the payload.

  • 219-223: The module.exports is correctly updated to include the escapeToHTML function.

test/integrations/destinations/adobe_analytics/processor/data.ts (8)

  • 2873-2879: The description field in the test data has been updated to include specific event types within square brackets, which improves clarity and can be useful for filtering and analysis purposes.

  • 2873-2879: The addition of query parameters to URLs in the test data and XML payload ensures consistency and can be important for tracking and analytics.

  • 2873-2879: The update to the library object to include "" in the name field is a specific change that should be verified to ensure it aligns with the intended use and does not affect any existing functionality that relies on the library.name value.

  • 2873-2879: The addition of a new value for the video key in the properties object within the test data is a change that should be verified to ensure it is being handled correctly wherever this data is processed or utilized.

  • 2873-2879: The changes made in the test data should be reflected in the corresponding documentation, if any, to ensure that the documentation stays up to date with the codebase.

  • 2873-2879: It's important to verify that the updated test data aligns with the actual data structure expected by the Adobe Analytics destination, including the correct use of eVars, props, and events.

  • 2873-2879: Ensure that the updated test data, including the new event types and query parameters, does not introduce any breaking changes to existing integrations or data processing pipelines.

  • 2873-2879: The changes to the test data should be tested thoroughly to confirm that they produce the expected results when processed by the Adobe Analytics destination and that they do not introduce any regressions.

@codecov Codecov
Copy link

codecov bot commented Nov 28, 2023
edited
Loading

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (9eda50e) 87.16% compared to head (2558227) 87.17%.
Report is 3 commits behind head on develop.

Files Patch % Lines
src/v0/destinations/adobe_analytics/utils.js 83.33% 1 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff            @@
##           develop    #2854   +/-   ##
========================================
  Coverage    87.16%   87.17%           
========================================
  Files          772      772           
  Lines        28788    28796    +8     
  Branches      6764     6767    +3     
========================================
+ Hits         25094    25103    +9     
+ Misses        3351     3350    -1     
  Partials       343      343

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

koladilip
koladilip previously approved these changes Nov 28, 2023
View reviewed changes
@sonarqubecloud SonarQubeCloud
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

85.7% 85.7% Coverage
0.0% 0.0% Duplication

@yashasvibajpai yashasvibajpai merged commit 571dbf5 into develop Nov 30, 2023
22 checks passed
anantjain45823 pushed a commit that referenced this pull request Dec 1, 2023
@yashasvibajpai @anantjain45823
fix: encode &, < and > to html counterparts in adobe analytics (#2854)
dac7613 
* fix: encode &, < and > to html counterparts in adobe

* fix: use encodeurl on url valuez
@yashasvibajpai yashasvibajpai mentioned this pull request Dec 7, 2023
Merged
7 tasks
@yashasvibajpai yashasvibajpai deleted the fix.adobe.url.encoding branch December 13, 2023 14:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@koladilip koladilip koladilip approved these changes

@sanpj2292 sanpj2292 sanpj2292 approved these changes

@sivashanmukh sivashanmukh Awaiting requested review from sivashanmukh sivashanmukh is a code owner

@krishna2020 krishna2020 Awaiting requested review from krishna2020 krishna2020 is a code owner automatically assigned from rudderlabs/integrations

Assignees

@yashasvibajpai yashasvibajpai

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@yashasvibajpai @sanpj2292 @koladilip