Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions app.js
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ const session = require('express-session')
const RedisStore = require('connect-redis')(session)
const helmet = require('helmet')
const nunjucks = require('nunjucks')
const { xss } = require('express-xss-sanitizer')

const { APP_PORT, ENV, REDIS_URL, SESSION_SECRET } = require('./config')
const addComponentRoutes = require('./routes/add-component')
Expand Down Expand Up @@ -90,6 +91,7 @@ expressNunjucks(app, {
app.use(express.urlencoded({ extended: true }))
app.use(express.static(path.join(__dirname, 'public')))
app.use(express.json())
app.use(xss())

// Routes
app.use('/contribute/add-new-component', addComponentRoutes)
Expand Down
2 changes: 1 addition & 1 deletion helpers/previous-page.js
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ const previousPage = (url, session) => {

// Check if there are subpages in the session for the current page
if (subpage && Number.isInteger(Number(subpage))) {
if(subpage > 1) {
if (subpage > 1) {
return `${urlRoot}/${currentPage}/${subpage - 1}`
}

Expand Down
6 changes: 4 additions & 2 deletions middleware/component-session.js
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
const crypto = require('crypto')

const sanitize = require('sanitize-filename')

const {
MAX_ADD_ANOTHER: maxAddAnother,
ADD_NEW_COMPONENT_ROUTE,
Expand All @@ -21,15 +23,15 @@ const getHashedUrl = (url) => {
}

const getTemplate = (req) => {
let template = `${req.params.page || req.url.replace('/', '')}`
let template = sanitize(`${req.params.page || req.url.replace('/', '')}`)
if (!Object.keys(COMPONENT_FORM_PAGES).includes(template)) {
template = 'error'
}
return template
}

const getPageData = (req) => {
let pageData = `${req.params.page || req.url.replace('/', '')}`
let pageData = sanitize(`${req.params.page || req.url.replace('/', '')}`)
if (!Object.keys(COMPONENT_FORM_PAGES).includes(pageData)) {
pageData = {}
}
Expand Down
135 changes: 135 additions & 0 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@
"express-nunjucks": "^3.1.2",
"express-rate-limit": "^7.5.0",
"express-session": "^1.18.1",
"express-xss-sanitizer": "^2.0.0",
"govuk-frontend": "^5.9.0",
"helmet": "^8.1.0",
"ioredis": "^5.6.0",
Expand All @@ -80,6 +81,7 @@
"node-fetch": "2.7.0",
"notifications-node-client": "^8.2.1",
"nunjucks": "^3.2.4",
"sanitize-filename": "^1.6.3",
"sanitize-html": "^2.15.0"
},
"devDependencies": {
Expand Down
19 changes: 6 additions & 13 deletions routes/add-component.js
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
const crypto = require('crypto')

const express = require('express')
const { xss } = require('express-xss-sanitizer')
const multer = require('multer')

const { COMPONENT_FORM_PAGES, ADD_NEW_COMPONENT_ROUTE } = require('../config')
Expand Down Expand Up @@ -77,9 +78,6 @@ const setCsrfToken = (req, res, next) => {

router.all('*', setCsrfToken)

// TODO: Should we not have a post * route that verfies the CSRF for *all* posts
// rather than relying on the chack being added to every post route declared?

// TODO: Why is this a get * ? Can it not just be set in the get /checkYourAnswersPath route below?
router.get('*', (req, res, next) => {
if (req?.session) {
Expand Down Expand Up @@ -182,6 +180,7 @@ router.get(

router.post(
['/remove/:page', '/remove/:page/:subpage'],
xss(),
verifyCsrf,
validatePageParams,
removeFromSession,
Expand Down Expand Up @@ -263,12 +262,13 @@ router.post(
['/component-image', '/component-image/:subpage'],
validatePageParams,
upload.single('componentImage'),
xss(),
verifyCsrf,
saveFileToRedis,
canAddAnother,
validateFormDataFileUpload,
setNextPage,
getBackLink,
verifyCsrf,
validateFormData,
(req, res, next) => {
if (req.file) {
Expand Down Expand Up @@ -298,22 +298,15 @@ router.post(
}
)

// Accessibility file upload
router.post(
['/add-internal-audit', '/add-external-audit', '/add-assistive-tech'],
upload.single('accessibilityReport'),
saveFileToRedis,
validateFormDataFileUpload
)

// Form submissions for pages
router.post(
['/:page', '/:page/:subpage'],
xss(),
verifyCsrf,
validatePageParams,
setNextPage,
canSkipQuestion,
getBackLink,
verifyCsrf,
validateFormData,
saveSession,
(req, res, next) => {
Expand Down
2 changes: 1 addition & 1 deletion views/community/pages/add-assistive-tech.njk
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
errorList: errorList
}) }}
{% endif %}
<form method="POST" action="{{ submitUrl }}" enctype="multipart/form-data">
<form method="POST" action="{{ submitUrl }}">
<span class="govuk-caption-l">Submit a new component</span>
<h1 class="govuk-heading-xl">Testing with assistive technology</h1>

Expand Down
2 changes: 1 addition & 1 deletion views/community/pages/add-external-audit.njk
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
errorList: errorList
}) }}
{% endif %}
<form method="POST" action="{{ submitUrl }}" enctype="multipart/form-data">
<form method="POST" action="{{ submitUrl }}">
<span class="govuk-caption-l">Submit a new component</span>
<h1 class="govuk-heading-xl">External accessibility audit</h1>

Expand Down
2 changes: 1 addition & 1 deletion views/community/pages/add-internal-audit.njk
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
errorList: errorList
}) }}
{% endif %}
<form method="POST" action="{{ submitUrl }}" enctype="multipart/form-data">
<form method="POST" action="{{ submitUrl }}">
<span class="govuk-caption-l">Submit a new component</span>
<h1 class="govuk-heading-xl">Internal accessibility review</h1>

Expand Down
Loading