Fix url validation in patch import-map, switch to strict-ssl fetch (#177)

Author: Joel Denning

package.json

@@ -42,7 +42,6 @@
     "lodash": "^4.17.21",
     "minimist": "^1.2.8",
     "morgan": "^1.10.0",
-    "request": "^2.88.2",
     "rwlock": "^5.0.0"
   },
   "devDependencies": {

src/modify.js

@@ -104,27 +104,23 @@ exports.modifyImportMap = function (env, newValues) {
     : integrity;
 
   // either imports or scopes have to be defined
-  if (newImports || newScopes || newIntegrity) {
-    return modifyLock(env, (json) => {
-      if (newImports) {
-        const imports = getMapFromManifest(json);
-        Object.assign(imports, newImports);
-      }
-      if (newScopes) {
-        json.scopes = json.scopes ?? {};
-        const scopes = getScopesFromManifest(json);
-        Object.assign(scopes, newScopes);
-      }
-      if (newIntegrity) {
-        json.integrity = json.integrity ?? {};
-        const integrity = getIntegrityFromManifest(json);
-        Object.assign(integrity, newIntegrity);
-      }
-      return json;
-    });
-  } else {
-    return Promise.resolve();
-  }
+  return modifyLock(env, (json) => {
+    if (newImports) {
+      const imports = getMapFromManifest(json);
+      Object.assign(imports, newImports);
+    }
+    if (newScopes) {
+      json.scopes = json.scopes ?? {};
+      const scopes = getScopesFromManifest(json);
+      Object.assign(scopes, newScopes);
+    }
+    if (newIntegrity) {
+      json.integrity = json.integrity ?? {};
+      const integrity = getIntegrityFromManifest(json);
+      Object.assign(integrity, newIntegrity);
+    }
+    return json;
+  });
 };
 
 exports.modifyService = function (

src/verify-valid-url.js

@@ -1,7 +1,3 @@
-const util = require("util");
-const request = require("request");
-const requestAsPromise = util.promisify(request);
-
 async function verifyValidUrl(req, url) {
   if (req.query.skip_url_check === "true" || req.query.skip_url_check === "") {
     // ?skip_url_check
@@ -10,15 +6,10 @@ async function verifyValidUrl(req, url) {
   } else {
     // ?skip_url_check=false
     // ?<no param>
-    try {
-      const resp = await requestAsPromise({ url, strictSSL: false });
-      if (resp.statusCode < 200 || resp.statusCode >= 400) {
-        throw Error(resp.statusCode);
-      }
-      return true;
-    } catch (err) {
+    const r = await fetch(url);
+    if (!r.ok) {
       throw Error(
-        `The following url in the request body is not reachable: ${url}`
+        `The following url in the request body is not reachable: ${url} ${r.status} ${r.statusText}`
       );
     }
   }

src/web-server.js

@@ -162,7 +162,7 @@ app.patch("/import-map.json", (req, res) => {
   }
 
   // Import map validation
-  let validImportUrlPromises = Promise.resolve();
+  let validImportUrlPromises = [];
   if (req.body.imports) {
     const importUrlsToValidate = findUrlsToValidateInServices(req.body.imports);
     const unsafeUrls = importUrlsToValidate.map(checkUrlUnsafe).filter(Boolean);
@@ -181,7 +181,7 @@ app.patch("/import-map.json", (req, res) => {
   }
 
   // Scope validation
-  let validScopeUrlPromises = Promise.resolve();
+  let validScopeUrlPromises = [];
   if (req.body.scopes) {
     const scopeUrlsToValidate = findUrlsToValidateInScopes(req.body.scopes);
     const unsafeUrls = scopeUrlsToValidate.map(checkUrlUnsafe).filter(Boolean);
@@ -199,7 +199,7 @@ app.patch("/import-map.json", (req, res) => {
     }
   }
 
-  let validIntegrityUrlPromises = Promise.resolve();
+  let validIntegrityUrlPromises = [];
   if (req.body.integrity) {
     const integrityUrlsToValidate = findUrlsToValidateInIntegrity(
       req.body.integrity
@@ -222,9 +222,9 @@ app.patch("/import-map.json", (req, res) => {
   }
 
   return Promise.all([
-    validImportUrlPromises,
-    validScopeUrlPromises,
-    validIntegrityUrlPromises,
+    ...validImportUrlPromises,
+    ...validScopeUrlPromises,
+    ...validIntegrityUrlPromises,
   ])
     .then(() => {
       modify
@@ -234,7 +234,6 @@ app.patch("/import-map.json", (req, res) => {
           integrity: req.body.integrity,
         })
         .then((newImportMap) => {
-          console.log(`Patched import map. New import map`, newImportMap);
           res.status(200).send(newImportMap);
         })
         .catch((err) => {