Fix handling of some ISO-3166 geolocation edge cases in Privacy Center /fides.js endpoint #4858

Merged
merged 9 commits into from
May 3, 2024

NevilleS
Contributor

@NevilleS NevilleS commented May 2, 2024

Closes PROD-2015

Description Of Changes

This fixes a subtle error where the Privacy Center would consider some valid ISO-3166 codes as invalid if they had single-character regions; for example, SE-O would be rejected. The fix here is trivial (accept 1-3 characters!) but this PR also adds additional test coverage for confidence, and also adds an extra defensive check to fall back to just the country header if an invalid CloudFront region header is detected.

Code Changes

  • Update geolocation unit tests
  • Fix ISO-3166 regex in geolocation.ts
  • Discard invalid CloudFront region headers and fall back to country-only

Steps to Confirm

  • Run test suite 👍

Pre-Merge Checklist

vercel bot commented May 2, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
fides-plus-nightly ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 2, 2024 10:57pm

@NevilleS NevilleS changed the title Fix handling of ISO-3166-2 subdivision codes in Privacy Center /fides.js endpoint Fix handling of some ISO-3166 edge cases in Privacy Center /fides.js endpoint May 2, 2024
@NevilleS NevilleS changed the title Fix handling of some ISO-3166 edge cases in Privacy Center /fides.js endpoint Fix handling of some ISO-3166 geolocation edge cases in Privacy Center /fides.js endpoint May 2, 2024
cypress bot commented May 2, 2024

Passing run #7594 ↗︎

0 4 0 0 Flakiness 0

Details:

Merge eb7c620 into 8751e3e...
Project: fides Commit: 541868a4b4 ℹ️
Status: Passed Duration: 00:33 💡
Started: May 2, 2024 11:06 PM Ended: May 2, 2024 11:07 PM

Review all test suite changes for PR #4858 ↗︎

@gilluminate
Contributor

@NevilleS this all looks good, but we also do a validation on the fides-js-demo.html and fides-js-components-demo.html pages. Is that still necessary? If so, do those need to be updated to reflect these same changes?

// 3) Separated by a dash (e.g. "US-CA")
const VALID_ISO_3166_LOCATION_REGEX = /^\w{2,3}(-\w{2,3})?$/;
const VALID_ISO_3166_LOCATION_REGEX = /^\w{2,3}(-\w{1,3})?$/;
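Review bot: In the replacement regex, `\w` is equivalent to `[A-Za-z0-9_]`, so the country part `\w{2,3}` still accepts digits and underscores (for example "1_"), and the region part `\w{1,3}` accepts "_" as a subdivision. Suggest `[A-Za-z]{2,3}` for the country and `[A-Za-z0-9]{1,3}` for the region, with rejecting test cases for both. If the numbered rules in the comment above the constant still describe a 2-3 character region, update them to match the new 1-3 range.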
Contributor

@RobertKeyser RobertKeyser May 2, 2024

nit: technically the \w metacharacter in regex would match some values that are invalid, e.g. _ and also country codes that start with a digit. For the country part only (the region part is good, of course)

This is how the regex was already built, so it doesn't make anything worse as written. It's also of minimal risk IMO, but I just wanted to call it out.

The fix would be to replace your \w metacharacters with a set: [A-Za-z]

Contributor

Might also be worth adding it to the unit tests 😄

Contributor Author

Fair- however, the true spec is "alphanumeric" characters (at least for the region codes, aka subdivisions), where numeric codes are definitely allowed. However, not just all "non-whitespace" characters!

There's some wiggle room in this regex to be more permissive, but tightening it up here might make sense...

I'll definitely add some test cases and then decide

Contributor Author

Er my last comment is a bit backwards, low reading comprehension there - but yes, I do think I should reject numeric country codes, that's just another subtle footgun!

Contributor Author

OK, updated! I think it's preferable to be defensive here and not overly permissive - the change to discard invalid region headers is there as a safety hatch, but I think it's good to be strict about the ?geolocation= param since that's a user-facing API
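The two behaviours discussed in this thread, strict rejection for the `?geolocation=` parameter and country-only fallback for a malformed region header, sketched as an added example (not code from the fides repository). `resolveGeolocation`, `GeoInput` and its field names are hypothetical, and throwing on an invalid parameter is an assumption about how "strict" is enforced.

```typescript
// Added example. Names are hypothetical; this is not the fides implementation.
// Country: 2-3 letters. Subdivision: 1-3 letters or digits ("SE-O", "US-CA", "FR-75").
const COUNTRY = "[A-Za-z]{2,3}";
const REGION = "[A-Za-z0-9]{1,3}";
const STRICT_LOCATION = new RegExp(`^${COUNTRY}(-${REGION})?$`);
const STRICT_COUNTRY = new RegExp(`^${COUNTRY}$`);
const STRICT_REGION = new RegExp(`^${REGION}$`);

type GeoInput = {
  geolocationParam?: string; // value of the user-facing ?geolocation= parameter
  countryHeader?: string;    // country code supplied by the CDN
  regionHeader?: string;     // subdivision code supplied by the CDN
};

// Returns an ISO-3166 style location string, or null when nothing usable is present.
// Throws on an invalid explicit parameter (assumed behaviour: strict for the user-facing API).
function resolveGeolocation(input: GeoInput): string | null {
  const { geolocationParam, countryHeader, regionHeader } = input;

  if (geolocationParam !== undefined) {
    if (!STRICT_LOCATION.test(geolocationParam)) {
      throw new Error("Invalid geolocation parameter");
    }
    return geolocationParam;
  }

  // Headers: an unusable country means no location at all.
  if (countryHeader === undefined || !STRICT_COUNTRY.test(countryHeader)) {
    return null;
  }
  // Safety hatch: discard a malformed region and keep the country.
  if (regionHeader === undefined || !STRICT_REGION.test(regionHeader)) {
    return countryHeader;
  }
  return `${countryHeader}-${regionHeader}`;
}

// Constructed sample inputs.
console.log(resolveGeolocation({ geolocationParam: "SE-O" }));
console.log(resolveGeolocation({ countryHeader: "US", regionHeader: "C_A" }));
```
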

@NevilleS
Contributor Author

NevilleS commented May 2, 2024

> @NevilleS this all looks good, but we also do a validation on the fides-js-demo.html and fides-js-components-demo.html pages. Is that still necessary? If so, do those need to be updated to reflect these same changes?

I don't think it was ever really needed on those pages... removing for consistency, so that our tests don't silently discard that and hide potential issues...!

Pushed up and re-running.

Contributor

@gilluminate gilluminate left a comment

Approved without looking too closely at the validation specifics since @RobertKeyser is the expert there.

@NevilleS NevilleS merged commit a302531 into main May 3, 2024
13 checks passed
@NevilleS NevilleS deleted the PROD-2015-ns-fix-pc-geolocation branch May 3, 2024 12:23
Kelsey-Ethyca pushed a commit that referenced this pull request May 3, 2024