Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions app.js
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ const session = require('express-session')
const RedisStore = require('connect-redis')(session)
const helmet = require('helmet')
const nunjucks = require('nunjucks')
const { xss } = require('express-xss-sanitizer')

const { APP_PORT, ENV, REDIS_URL, SESSION_SECRET } = require('./config')
const addComponentRoutes = require('./routes/add-component')
Expand Down Expand Up @@ -90,6 +91,7 @@ expressNunjucks(app, {
app.use(express.urlencoded({ extended: true }))
app.use(express.static(path.join(__dirname, 'public')))
app.use(express.json())
app.use(xss())

// Routes
app.use('/contribute/add-new-component', addComponentRoutes)
Expand Down
110 changes: 110 additions & 0 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@
"express-nunjucks": "^3.1.2",
"express-rate-limit": "^7.5.0",
"express-session": "^1.18.1",
"express-xss-sanitizer": "^2.0.0",
"govuk-frontend": "^5.9.0",
"helmet": "^8.1.0",
"ioredis": "^5.6.0",
Expand Down
27 changes: 12 additions & 15 deletions routes/add-component.js
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
const crypto = require('crypto')

const express = require('express')
const { xss } = require('express-xss-sanitizer')
const multer = require('multer')

const { COMPONENT_FORM_PAGES, ADD_NEW_COMPONENT_ROUTE } = require('../config')
Expand Down Expand Up @@ -77,9 +78,6 @@ const setCsrfToken = (req, res, next) => {

router.all('*', setCsrfToken)

// TODO: Should we not have a post * route that verfies the CSRF for *all* posts
// rather than relying on the chack being added to every post route declared?

// TODO: Why is this a get * ? Can it not just be set in the get /checkYourAnswersPath route below?
router.get('*', (req, res, next) => {
if (req?.session) {
Expand All @@ -92,7 +90,9 @@ router.get('*', (req, res, next) => {
})

// Check your answers page
router.get(`/${checkYourAnswersPath}`, sessionStarted, (req, res) => {
router.get(`/${checkYourAnswersPath}`,
sessionStarted,
(req, res) => {
const sections = checkYourAnswers(req.session)
res.render(checkYourAnswersPath, {
submitUrl: req.originalUrl,
Expand Down Expand Up @@ -130,7 +130,9 @@ router.get('/start', (req, res) => {

router.all('*', sessionStarted) // Check that we have a session in progress

router.post('/start', verifyCsrf, (req, res) => {
router.post('/start',
verifyCsrf,
(req, res) => {
res.redirect('/contribute/add-new-component/component-details')
})

Expand Down Expand Up @@ -182,6 +184,7 @@ router.get(

router.post(
['/remove/:page', '/remove/:page/:subpage'],
xss(),
verifyCsrf,
validatePageParams,
removeFromSession,
Expand Down Expand Up @@ -263,12 +266,13 @@ router.post(
['/component-image', '/component-image/:subpage'],
validatePageParams,
upload.single('componentImage'),
xss(),
verifyCsrf,
saveFileToRedis,
canAddAnother,
validateFormDataFileUpload,
setNextPage,
getBackLink,
verifyCsrf,
validateFormData,
(req, res, next) => {
if (req.file) {
Expand Down Expand Up @@ -298,22 +302,15 @@ router.post(
}
)

// Accessibility file upload
router.post(
['/add-internal-audit', '/add-external-audit', '/add-assistive-tech'],
upload.single('accessibilityReport'),
saveFileToRedis,
validateFormDataFileUpload
)

// Form submissions for pages
router.post(
['/:page', '/:page/:subpage'],
xss(),
verifyCsrf,
validatePageParams,
setNextPage,
canSkipQuestion,
getBackLink,
verifyCsrf,
validateFormData,
saveSession,
(req, res, next) => {
Expand Down
Loading