Merge pull request #4189 from alphagov/PP-12235-fix-loop-bound-injection

PP-12235 Fix loop bound injection
alphagov · Mar 6, 2024 · 84f4372 · 84f4372
2 parents 1b8fccd + 9fa0a7e
commit 84f4372
Showing 1 changed file with 4 additions and 6 deletions.
diff --git a/app/controllers/payment-types/post-index.controller.js b/app/controllers/payment-types/post-index.controller.js
@@ -1,7 +1,5 @@
 'use strict'
 
-const lodash = require('lodash')
-
 const paths = require('../../paths')
 const formatAccountPathsFor = require('../../utils/format-account-paths-for')
 const { ConnectorClient } = require('../../services/clients/connector.client')
@@ -10,18 +8,18 @@ const connector = new ConnectorClient(process.env.CONNECTOR_URL)
 module.exports = async function updateCardTypes (req, res, next) {
   const accountId = req.account.gateway_account_id
 
-  const acceptedDebitCards = typeof req.body.debit === 'string' ? [req.body.debit] : req.body.debit
-  const acceptedCreditCards = typeof req.body.credit === 'string' ? [req.body.credit] : req.body.credit
+  const acceptedDebitCards = (typeof req.body.debit === 'string' ? [req.body.debit] : req.body.debit) || []
+  const acceptedCreditCards = (typeof req.body.credit === 'string' ? [req.body.credit] : req.body.credit) || []
 
-  if (typeof acceptedDebitCards === 'undefined' && typeof acceptedCreditCards === 'undefined') {
+  if (!acceptedDebitCards.length && !acceptedCreditCards.length) {
     req.flash('genericError', 'You must choose at least one card')
     return res.redirect(
       formatAccountPathsFor(paths.account.paymentTypes.index, req.account && req.account.external_id)
     )
   }
 
   const payload = {
-    card_types: lodash.union(acceptedDebitCards, acceptedCreditCards)
+    card_types: [...new Set([...acceptedDebitCards, ...acceptedCreditCards])]
   }
 
   try {