From ca7aacd601177b417acc3d30768e05460d019d51 Mon Sep 17 00:00:00 2001 From: Matt Kendall Date: Mon, 10 Dec 2018 16:35:19 -0500 Subject: [PATCH 1/3] validate URLs using regex --- src/cookieSync.js | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/cookieSync.js b/src/cookieSync.js index ff2b1d38..a87d0cd4 100644 --- a/src/cookieSync.js +++ b/src/cookieSync.js @@ -1,8 +1,12 @@ const ENDPOINT = 'https://prebid.adnxs.com/pbs/v1/cookie_sync'; +/** + * checks to make sure URL is valid. Regex from https://validatejs.org/#validators-url, https://gist.github.com/dperini/729294 + */ +const isValidUrl = new RegExp(/^(?:(?:(?:https?|ftp):)?\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.)+(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/i); function doBidderSync(type, url, bidder) { - if (!url) { - console.log(`No sync url for bidder "${bidder}": ${url}`); + if (!url || !isValidUrl.test(url)) { + console.log(`No valid sync url for bidder "${bidder}": ${url}`); } else if (type === 'image' || type === 'redirect') { console.log(`Invoking image pixel user sync for bidder: "${bidder}"`); triggerPixel(url); From fbc87919f03a4626aea6c459012269cf1b70eab9 Mon Sep 17 00:00:00 2001 From: Matt Kendall Date: Mon, 10 Dec 2018 16:45:40 -0500 Subject: [PATCH 2/3] update dist file --- dist/load-cookie.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dist/load-cookie.html b/dist/load-cookie.html index 70b228d3..a017d598 100644 --- a/dist/load-cookie.html +++ b/dist/load-cookie.html @@ -7,7 +7,7 @@ Document From 55191fbd3e44fa15b1a0637bd8c3032d794cbb8d Mon Sep 17 00:00:00 2001 
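Review bot: The pattern assigned to `isValidUrl` accepts more than a sync pixel needs: its scheme group `(?:(?:https?|ftp):)?` admits `ftp://`, and the optional `(?:\S+(?::\S*)?@)?` group admits embedded credentials, so a URL whose leading text names one host while the request goes to another (`https://a.example@b.example/`, a constructed sample) passes the check and reaches `triggerPixel(url)`. I would narrow the scheme group to `(?:https?:)?` and drop the userinfo group; that group is also where the unbounded `\S+`/`\S*` backtracking sits, which matters if the sync URLs come from a response the page does not control (their origin is not visible in this hunk). Separately, `new RegExp(/…/i)` around a regex literal is redundant, and a name such as `VALID_URL_PATTERN` would keep `isValidUrl.test(url)` from reading like a function call. `doBidderSync` continues past the end of the hunk, so how `url` is used in the remaining branches is not visible here.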
From: Matt Kendall Date: Mon, 10 Dec 2018 16:47:44 -0500 Subject: [PATCH 3/3] add test page --- testpages/hello_world_cookie_sync.html | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 testpages/hello_world_cookie_sync.html diff --git a/testpages/hello_world_cookie_sync.html b/testpages/hello_world_cookie_sync.html new file mode 100644 index 00000000..6fcfa333 --- /dev/null +++ b/testpages/hello_world_cookie_sync.html @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file