exui-2655-xss-defence (#1324)

* xss defence changes * lint error * changed the check condition * fix unit tests failure * removed unnecessary checks --------- Co-authored-by: kasi-subramaniam <[email protected]>
hmcts · Feb 26, 2025 · 58bedc0 · 58bedc0
1 parent 687b215
commit 58bedc0
Show file tree

Hide file tree

Showing 11 changed files with 98 additions and 18 deletions.
diff --git a/api/allUserList/index.ts b/api/allUserList/index.ts
@@ -3,14 +3,18 @@ import { getRefdataUserCommonUrlUtil } from '../refdataUserCommonUrlUtil';
 import { getConfigValue } from '../configuration';
 import { SERVICES_RD_PROFESSIONAL_API_PATH } from '../configuration/references';
 import * as log4jui from '../lib/log4jui';
-import { exists, valueOrNull } from '../lib/util';
+import { exists, objectContainsOnlySafeCharacters, valueOrNull } from '../lib/util';
 
 const logger = log4jui.getLogger('user-list');
 
 export async function handleAllUserListRoute(req: Request, res: Response) {
   try {
     const rdProfessionalApiPath = getConfigValue(SERVICES_RD_PROFESSIONAL_API_PATH);
-    const response = await req.http.get(getRefdataUserCommonUrlUtil(rdProfessionalApiPath));
+    const apiUrl = getRefdataUserCommonUrlUtil(rdProfessionalApiPath);
+    const response = await req.http.get(apiUrl);
+    if (!objectContainsOnlySafeCharacters(response.data)) {
+      return res.send('Invalid user list details').status(400);
+    }
     logger.info('response::', response.data);
     res.send(response.data);
   } catch (error) {

diff --git a/api/allUserListWithoutRoles/index.ts b/api/allUserListWithoutRoles/index.ts
@@ -2,15 +2,19 @@ import { Request, Response, Router } from 'express';
 import { getConfigValue } from '../configuration';
 import { SERVICES_RD_PROFESSIONAL_API_PATH } from '../configuration/references';
 import * as log4jui from '../lib/log4jui';
-import { exists, valueOrNull } from '../lib/util';
+import { exists, objectContainsOnlySafeCharacters, valueOrNull } from '../lib/util';
 import { getRefdataAllUserListUrl } from '../refdataAllUserListUrlUtil';
 
 const logger = log4jui.getLogger('user-list');
 
 export async function handleAllUserListRoute(req: Request, res: Response) {
   try {
     const rdProfessionalApiPath = getConfigValue(SERVICES_RD_PROFESSIONAL_API_PATH);
-    const response = await req.http.get(getRefdataAllUserListUrl(rdProfessionalApiPath));
+    const apiUrl = getRefdataAllUserListUrl(rdProfessionalApiPath);
+    const response = await req.http.get(apiUrl);
+    if (!objectContainsOnlySafeCharacters(response.data)) {
+      return res.send('Invalid user list details').status(400);
+    }
     logger.info('response::', response.data);
     res.send(response.data);
   } catch (error) {

diff --git a/api/caaCases/index.ts b/api/caaCases/index.ts
@@ -5,6 +5,7 @@ import { EnhancedRequest } from '../models/enhanced-request.interface';
 import { getApiPath, getRequestBody, mapCcdCases } from './caaCases.util';
 import { CaaCasesFilterType } from './enums';
 import { RoleAssignmentResponse } from './models/roleAssignmentResponse';
+import { objectContainsOnlySafeCharacters } from '../lib/util';
 
 export async function handleCaaCases(req: EnhancedRequest, res: Response, next: NextFunction) {
   const caseTypeId = req.query.caseTypeId as string;
@@ -38,6 +39,9 @@ export async function handleCaaCases(req: EnhancedRequest, res: Response, next:
     const payload = getRequestBody(orgId, fromNo, size, caaCasesPageType, caaCasesFilterValue);
 
     const response = await req.http.post(path, payload);
+    if (!objectContainsOnlySafeCharacters(response.data)) {
+      return res.send('Invalid caa case data').status(400);
+    }
     const caaCases = mapCcdCases(caseTypeId, response.data);
     res.send(caaCases);
   } catch (error) {

diff --git a/api/getUserTermsAndConditions/index.ts b/api/getUserTermsAndConditions/index.ts
@@ -3,7 +3,7 @@ import { getConfigValue, showFeature } from '../configuration';
 import { FEATURE_TERMS_AND_CONDITIONS_ENABLED, SERVICES_TERMS_AND_CONDITIONS_API_PATH } from '../configuration/references';
 import { GetUserAcceptTandCResponse } from '../interfaces/userAcceptTandCResponse';
 import { application } from '../lib/config/application.config';
-import { valueOrNull } from '../lib/util';
+import { objectContainsOnlySafeCharacters, valueOrNull } from '../lib/util';
 import { getUserTermsAndConditionsUrl } from './userTermsAndConditionsUtil';
 
 /**
@@ -29,9 +29,12 @@ async function getUserTermsAndConditions(req: Request, res: Response) {
       res.status(400).send(errReport);
     }
     try {
-      const url = getUserTermsAndConditionsUrl(getConfigValue(SERVICES_TERMS_AND_CONDITIONS_API_PATH), req.params.userId, application.idamClient);
-      const response = await req.http.get(url);
+      const apiUrl = getUserTermsAndConditionsUrl(getConfigValue(SERVICES_TERMS_AND_CONDITIONS_API_PATH), req.params.userId, application.idamClient);
+      const response = await req.http.get(apiUrl);
       const userTandCResponse = response.data as GetUserAcceptTandCResponse;
+      if (!objectContainsOnlySafeCharacters(response.data)) {
+        return res.send('Invalid terms and condition data').status(400);
+      }
       res.send(userTandCResponse.accepted);
     } catch (error) {
       // we get a 404 if the user has not agreed to Terms and conditions

diff --git a/api/lib/util.ts b/api/lib/util.ts
@@ -73,3 +73,46 @@ export function isObject(o) {
 export function isUserTandCPostSuccessful(postResponse: PostUserAcceptTandCResponse, userId: string): any {
   return postResponse.userId === userId;
 }
+
+// check for the presence of dangerous code in an array of strings
+export function arrayContainOnlySafeCharacters(values: string[]): boolean {
+  return values.every((value) =>
+    (value !== null && typeof value === 'object')
+      ? objectContainsOnlySafeCharacters(value)
+      : !containsDangerousCode(value)
+  );
+}
+
+// check for the presence of dangerous code in an object
+export function objectContainsOnlySafeCharacters(values: object): boolean {
+  for (const key in values) {
+    const inputValue = values[key];
+    if (Array.isArray(inputValue)) {
+      if (!arrayContainOnlySafeCharacters(inputValue)) {
+        return false;
+      }
+    } else if (inputValue !== null && typeof inputValue === 'object') {
+      if (!objectContainsOnlySafeCharacters(inputValue)) {
+        return false;
+      }
+    } else if (typeof inputValue === 'string' && containsDangerousCode(inputValue)) {
+      return false;
+    }
+  }
+  return true;
+}
+
+/**
+ * Checks if a string contains any potentially dangerous code (JavaScript, CSS, URL schemes, JSONP).
+ * @param input - The input string to be checked.
+ * @returns True if the string contains potentially dangerous code, otherwise false.
+ */
+export function containsDangerousCode(input: string): boolean {
+  // Regular expressions to detect common dangerous patterns
+  const jsPattern = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>|javascript:|on\w+=|eval\(|new Function\(|document\.cookie|<\s*iframe.*?>.*?<\s*\//i;
+  const cssPattern = /<style\b[^<]*(?:(?!<\/style>)<[^<]*)*<\/style>|expression\(|url\(/i;
+  const urlSchemePattern = /data:|vbscript:/i;
+  const jsonPattern = /callback=|jsonp=/i;
+  return jsPattern.test(input) || cssPattern.test(input) || urlSchemePattern.test(input) || jsonPattern.test(input);
+}
+
diff --git a/api/organisation/index.ts b/api/organisation/index.ts
@@ -3,12 +3,15 @@ import { NextFunction, Request, Response, Router } from 'express';
 import { getConfigValue } from '../configuration';
 import { SERVICES_RD_PROFESSIONAL_API_PATH } from '../configuration/references';
 import { OrganisationUser } from '../interfaces/organisationPayload';
+import { objectContainsOnlySafeCharacters } from '../lib/util';
 
 export async function handleOrganisationRoute(req: Request, res: Response, next: NextFunction) {
   try {
-    const response = await req.http.get(
-      `${getConfigValue(SERVICES_RD_PROFESSIONAL_API_PATH)}/refdata/external/v2/organisations`
-    );
+    const apiUrl = `${getConfigValue(SERVICES_RD_PROFESSIONAL_API_PATH)}/refdata/external/v2/organisations`;
+    const response = await req.http.get(apiUrl);
+    if (!objectContainsOnlySafeCharacters(response.data)) {
+      return res.send('Invalid organisation data').status(400);
+    }
     res.send(response.data);
   } catch (error) {
     next(error);
@@ -27,6 +30,9 @@ export async function handleOrganisationV1Route(req: Request, res: Response, nex
     const response = await req.http.get(
       `${getConfigValue(SERVICES_RD_PROFESSIONAL_API_PATH)}/refdata/external/v1/organisations`
     );
+    if (!objectContainsOnlySafeCharacters(response.data)) {
+      return res.send('Invalid organisation data').status(400);
+    }
     res.send(response.data);
   } catch (error) {
     next(error);

diff --git a/api/payments/index.ts b/api/payments/index.ts
@@ -1,7 +1,7 @@
 import { Request, Response, Router } from 'express';
 import { getConfigValue } from '../configuration';
 import { SERVICES_FEE_AND_PAY_API_PATH } from '../configuration/references';
-import { exists, valueOrNull } from '../lib/util';
+import { exists, objectContainsOnlySafeCharacters, valueOrNull } from '../lib/util';
 
 async function handleAddressRoute(req: Request, res: Response) {
   let errReport: any;
@@ -17,6 +17,9 @@ async function handleAddressRoute(req: Request, res: Response) {
     const response = await req.http.get(
       `${getConfigValue(SERVICES_FEE_AND_PAY_API_PATH)}/pba-accounts/${req.params.account}/payments/`
     );
+    if (!objectContainsOnlySafeCharacters(response.data.payments)) {
+      return res.send('Invalid payment data').status(400);
+    }
     res.send(response.data.payments);
   } catch (error) {
     const status = exists(error, 'status') ? error.status : 500;

diff --git a/api/termsAndConditions/index.ts b/api/termsAndConditions/index.ts
@@ -3,12 +3,16 @@ import { getConfigValue } from '../configuration';
 import { SERVICES_TERMS_AND_CONDITIONS_API_PATH } from '../configuration/references';
 import { application } from '../lib/config/application.config';
 import { getTermsAndConditionsUrl } from './termsAndConditionsUtil';
+import { objectContainsOnlySafeCharacters } from '../lib/util';
 
 async function getTermsAndConditions(req: Request, res: Response) {
   let errReport: any;
   try {
-    const url = getTermsAndConditionsUrl(getConfigValue(SERVICES_TERMS_AND_CONDITIONS_API_PATH), application.idamClient);
-    const response = await req.http.get(url);
+    const apiUrl = getTermsAndConditionsUrl(getConfigValue(SERVICES_TERMS_AND_CONDITIONS_API_PATH), application.idamClient);
+    const response = await req.http.get(apiUrl);
+    if (!objectContainsOnlySafeCharacters(response.data)) {
+      return res.send('Invalid terms and condition data').status(400);
+    }
     res.send(response.data);
   } catch (error) {
     if (error.status === 404) {

diff --git a/api/user-details/index.ts b/api/user-details/index.ts
@@ -3,6 +3,7 @@ import * as log4jui from '../lib/log4jui';
 import { Request, Response, Router } from 'express';
 import { SERVICES_RD_PROFESSIONAL_API_PATH } from '../configuration/references';
 import { getConfigValue } from '../configuration';
+import { objectContainsOnlySafeCharacters } from '../lib/util';
 
 const logger = log4jui.getLogger('user-details');
 
@@ -12,6 +13,9 @@ export async function handleUserDetailsRoute(req: Request, res: Response) {
     const apiUrl = getRefdataUserDetailsUrl(rdProfessionalApiPath, req.query.userId as string);
     logger.info('User Details API Link: ', apiUrl);
     const response = await req.http.get(apiUrl);
+    if (!objectContainsOnlySafeCharacters(response.data)) {
+      return res.send('Invalid user details').status(400);
+    }
     res.send(response.data);
   } catch (error) {
     logger.error('error', error);

diff --git a/api/user/index.ts b/api/user/index.ts
@@ -4,7 +4,7 @@ import * as express from 'express';
 import { getConfigValue } from '../configuration';
 import { SESSION_TIMEOUTS } from '../configuration/references';
 import * as log4jui from '../lib/log4jui';
-import { exists } from '../lib/util';
+import { exists, objectContainsOnlySafeCharacters } from '../lib/util';
 import { UserProfileModel } from './user';
 
 const logger = log4jui.getLogger('auth');
@@ -13,7 +13,6 @@ router.get('/details', handleUserRoute);
 
 function handleUserRoute(req, res) {
   const { email, orgId, roles, userId } = req.session.auth;
-
   const sessionTimeouts = getConfigValue(SESSION_TIMEOUTS);
   const sessionTimeout = getUserSessionTimeout(roles, sessionTimeouts);
 
@@ -27,6 +26,9 @@ function handleUserRoute(req, res) {
 
   try {
     console.log(userDetails);
+    if (!objectContainsOnlySafeCharacters(userDetails)) {
+      return res.send('Invalid user data').status(400);
+    }
     res.send(userDetails);
   } catch (error) {
     logger.info(error);

diff --git a/api/userList/index.ts b/api/userList/index.ts
@@ -2,7 +2,7 @@ import { Request, Response, Router } from 'express';
 import { getConfigValue } from '../configuration';
 import { SERVICES_RD_PROFESSIONAL_API_PATH } from '../configuration/references';
 import * as log4jui from '../lib/log4jui';
-import { exists, valueOrNull } from '../lib/util';
+import { exists, objectContainsOnlySafeCharacters, valueOrNull } from '../lib/util';
 import { getRefdataUserUrl } from '../refdataUserUrlUtil';
 
 const logger = log4jui.getLogger('user-list');
@@ -18,9 +18,12 @@ export async function handleUserListRoute(req: Request, res: Response) {
     logger.info(JSON.stringify(req.query));
     logger.info('USER LIST INFO');
     logger.info(getRefdataUserUrl(rdProfessionalApiPath, req.query.pageNumber as string));
-    const response = await req.http.get(getRefdataUserUrl(rdProfessionalApiPath, req.query.pageNumber as string));
-
+    const apiUrl = getRefdataUserUrl(rdProfessionalApiPath, req.query.pageNumber as string);
+    const response = await req.http.get(apiUrl);
     logger.info('response:', response.data);
+    if (!objectContainsOnlySafeCharacters(response.data)) {
+      return res.send('Invalid user list details').status(400);
+    }
     res.send(response.data);
   } catch (error) {
     logger.error('error', error);