How I discovered a hole in the fetch specification

submitted by
Style Pass
2025-01-12 23:00:04

This company (that shall not be named) has a large Node codebase that was built up over the past many years. The codebase is a bit of a disaster, especially given its reliance on third-party vendors running code on unseen servers.

I've been slowly migrating our company codebase to more modern JavaScript, so I decided to try running it on Deno instead. It worked! First try! Except that every chat message sent through the Deno system was in uppercase. Weird.

I kept combing through the code to see what could possibly be causing this discrepancy. It made no sense. How could a different JavaScript runtime affect how the application-specific code was sending its message? I was stumped.

The component of this codebase that is relevant to this short story interacts with a third-party chat server. The integration on our side has been rewritten many times, but the TL;DR is that the code looks something like this:

The code is a bit of a mess, but the important part is that the message parameter is used as the METHOD, and not the BODY for the fetch request. I have stared at this code for too long to understand its original purpose. I have no idea why it was implemented like this. Even if I wanted to change it, I have no idea what code is running on that foreign IP address or who to contact to change it.
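To make the mechanism concrete, here is an added example (my own code, not the post's integration, whose snippet is not reproduced on this page). It reimplements the fetch specification's "normalize a method" step, which byte-uppercases a method only when it case-insensitively matches DELETE, GET, HEAD, OPTIONS, POST or PUT, and otherwise sends the string exactly as given, alongside the two request shapes the post contrasts: message-as-method versus message-in-body. The chat URL and message text are constructed; `runtimeMethod` is a hypothetical helper that asks the host's own `Request` constructor what it would put on the wire, so a runtime that uppercases more than the spec allows (the Deno behaviour the post observed) can be spotted without a network call.

```javascript
// Added example, not code from the original post. Reimplements the fetch spec's
// method validation and normalization so the behaviour can be inspected offline.

// Methods the spec byte-uppercases when they match case-insensitively.
const NORMALIZED_METHODS = new Set(["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"]);
// Methods the spec rejects outright (forbidden methods).
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);
// RFC 9110 token characters: an HTTP method must be a non-empty token
// (no spaces, so ordinary chat text is rejected, but single words pass).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function normalizeMethod(method) {
  if (!TOKEN.test(method)) {
    throw new TypeError(`'${method}' is not a valid HTTP method.`);
  }
  const upper = method.toUpperCase();
  if (FORBIDDEN_METHODS.has(upper)) {
    throw new TypeError(`'${method}' HTTP method is unsupported.`);
  }
  // Only the six well-known methods are normalized; anything else is sent as typed.
  return NORMALIZED_METHODS.has(upper) ? upper : method;
}

// Mirrors the shape described in the post: the message becomes the request
// METHOD. Returns the init object a fetch() call would receive.
function buildRequestAsWritten(message) {
  return { method: normalizeMethod(message), body: undefined };
}

// The intended shape: a fixed method, with the message carried in the body,
// so caller-controlled text never reaches the request line.
function buildRequestAsIntended(message) {
  return { method: "POST", body: JSON.stringify({ text: message }) };
}

// Hypothetical check: what does this runtime's Request constructor do with the
// same method string? Per spec it should agree with normalizeMethod().
function runtimeMethod(method) {
  if (typeof Request !== "function") return null; // no WHATWG fetch in this host
  return new Request("http://chat.example.invalid/", { method }).method;
}

// Constructed sample: a one-word chat message, as the post's code would send it.
const sample = "hello";
console.log("spec says method:", buildRequestAsWritten(sample).method);
console.log("runtime says method:", runtimeMethod(sample));
console.log("intended request:", buildRequestAsIntended(sample));
```

Running this on a spec-conforming runtime prints `hello` twice; a runtime that prints `HELLO` for the second line is uppercasing beyond what the specification permits, which is exactly the divergence that surfaced in the post once the message text was being used as the method.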
