Merge pull request #1593 from topcoder-platform/PM-222_open-redirect

PM-222 handle open redirect issue

Author: vas3a

src/config/constants.js

@@ -19,7 +19,6 @@ export const {
   CP_TRACK_ID,
   CHALLENGE_TYPE_ID,
   MARATHON_TYPE_ID,
-  SEGMENT_API_KEY,
   MULTI_ROUND_CHALLENGE_TEMPLATE_ID,
   UNIVERSAL_NAV_URL,
   HEADER_AUTH_URLS_HREF,

src/index.js

@@ -6,41 +6,35 @@ import ReactDOM from 'react-dom'
 import './styles/main.scss'
 import 'react-redux-toastr/lib/css/react-redux-toastr.min.css'
 import App from './App'
-import { SEGMENT_API_KEY, UNIVERSAL_NAV_URL } from './config/constants'
+import { UNIVERSAL_NAV_URL } from './config/constants'
 
 ReactDOM.render(<App />, document.getElementById('root'))
 
-/* eslint-disable */
-if (!_.isEmpty(SEGMENT_API_KEY)) {
-    !function(){var analytics=window.analytics=window.analytics||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","debug","page","once","off","on","addSourceMiddleware","addIntegrationMiddleware","setAnonymousId","addDestinationMiddleware"];analytics.factory=function(e){return function(){var t=Array.prototype.slice.call(arguments);t.unshift(e);analytics.push(t);return analytics}};for(var e=0;e<analytics.methods.length;e++){var t=analytics.methods[e];analytics[t]=analytics.factory(t)}analytics.load=function(e,t){var n=document.createElement("script");n.type="text/javascript";n.async=!0;n.src="https://cdn.segment.com/analytics.js/v1/"+e+"/analytics.min.js";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(n,a);analytics._loadOptions=t};analytics.SNIPPET_VERSION="4.1.0";
-    analytics.load(SEGMENT_API_KEY);
-    analytics.page();
-    }}();
-}
-/* eslint-enable */
-
 // <!-- Start of topcoder Topcoder Universal Navigation script -->
-// eslint-disable-next-line no-unused-expressions
-!(function (n, t, e, a, c, i, o) {
-// eslint-disable-next-line no-unused-expressions, no-sequences
-  ;(n['TcUnivNavConfig'] = c),
-  (n[c] =
-    n[c] ||
-    function () {
-      ;(n[c].q = n[c].q || []).push(arguments)
-    }),
-  (n[c].l = 1 * new Date())
+// SAST/open-redirect handling: make sure script hostname matches what we expect
+if ((new URL(UNIVERSAL_NAV_URL)).hostname.match(/uni-nav\.topcoder(-dev)?\.com$/i)) {
+  // eslint-disable-next-line no-unused-expressions
+  !(function (n, t, e, a, c, i, o) {
   // eslint-disable-next-line no-unused-expressions, no-sequences
-  ;(i = t.createElement(e)), (o = t.getElementsByTagName(e)[0])
-  i.async = 1
-  i.type = 'module'
-  i.src = a
-  o.parentNode.insertBefore(i, o)
-})(
-  window,
-  document,
-  'script',
-  UNIVERSAL_NAV_URL,
-  'tcUniNav'
-)
+    ;(n['TcUnivNavConfig'] = c),
+    (n[c] =
+      n[c] ||
+      function () {
+        ;(n[c].q = n[c].q || []).push(arguments)
+      }),
+    (n[c].l = 1 * new Date())
+    // eslint-disable-next-line no-unused-expressions, no-sequences
+    ;(i = t.createElement(e)), (o = t.getElementsByTagName(e)[0])
+    i.async = 1
+    i.type = 'module'
+    i.src = a
+    o.parentNode.insertBefore(i, o)
+  })(
+    window,
+    document,
+    'script',
+    UNIVERSAL_NAV_URL,
+    'tcUniNav'
+  )
+}
 // <!-- End of topcoder Topcoder Universal Navigation script -->