From f90130126c8fd9b11f8ff9f34e5bf93f7aeaf3cd Mon Sep 17 00:00:00 2001 From: MMNycz <94067802+MMNycz@users.noreply.github.com> Date: Thu, 17 Aug 2023 12:50:14 +0100 Subject: [PATCH] CIV-10077 fix TD DG G GU GL postcode validation (#3614) * CIV-10077 fix TD DG G GU GL postcode validation * Update yarn-audit-known-issues * yarn audit fix * Update PostcodeNotInScotlandOrNIValidator.ts * CIV-10077 add TD5 8AR postcode * yarn audit fix --------- Co-authored-by: Sabah Irfan --- .../validators/postCodeNotInScotlandOrNI.ts | 66 +++++++++++++++++-- .../PostcodeNotInScotlandOrNIValidator.ts | 60 +++++++++++++++++ yarn-audit-known-issues | 2 +- 3 files changed, 121 insertions(+), 7 deletions(-) diff --git a/src/main/app/forms/validation/validators/postCodeNotInScotlandOrNI.ts b/src/main/app/forms/validation/validators/postCodeNotInScotlandOrNI.ts index 9c4ff51653..38b32320dd 100644 --- a/src/main/app/forms/validation/validators/postCodeNotInScotlandOrNI.ts +++ b/src/main/app/forms/validation/validators/postCodeNotInScotlandOrNI.ts 
@@ -6,20 +6,74 @@ export class PostcodeNotInScotlandOrNIValidator implements ValidatorConstraintIn validate (value: any, args: ValidationArguments) { const postcode: string = value - if (!postcode || !postcode?.startsWith?.('')) { + if (!postcode) { return false } + const ukPostcodeRegex = /^([Gg][Ii][Rr]\s?0[Aa]{2}|[A-Za-z]{1,2}\d[A-Za-z\d]?(\s?\d[A-Za-z]{2})?)$/ - const normalised = value.toString().replace(/\s/g,'').toUpperCase() + const normalised = value.toString().replace(/\s/g, '').toUpperCase() const isValidFormat = ukPostcodeRegex.test(normalised) if (!isValidFormat) { return false } - const scotlandPrefixes: string[] = ['KW', 'IV', 'HS', 'PH', 'AB', 'DD', 'KY', 'FK', 'EH', 'G', 'KA', 'ML', 'PA', 'TD', 'DG', 'ZE'] - const isScotlandPostcode: boolean = scotlandPrefixes.some(prefix => postcode.toUpperCase().startsWith(prefix)) - const isNIPostcode: boolean = postcode.toUpperCase().startsWith('BT') - return !isScotlandPostcode && !isNIPostcode + + const isScotlandPostcode: boolean = + normalised.startsWith('KW') || + normalised.startsWith('IV') || + normalised.startsWith('HS') || + normalised.startsWith('PH') || + normalised.startsWith('AB') || + normalised.startsWith('DD') || + normalised.startsWith('KY') || + normalised.startsWith('FK') || + normalised.startsWith('EH') || + normalised.startsWith('KA') || + normalised.startsWith('ML') || + normalised.startsWith('PA') || + (normalised.startsWith('TD') && !normalised.startsWith('TD9') && !normalised.startsWith('TD12') && !normalised.startsWith('TD15') && !normalised.match('TD58AR')) || + (normalised.startsWith('DG') && !normalised.startsWith('DG16')) || + (normalised.startsWith('G') && !normalised.startsWith('GU') && !normalised.startsWith('GL')) + + const isNIPostcode: boolean = normalised.startsWith('BT') + + if (isScotlandPostcode || isNIPostcode) { + return false + } + if (normalised.startsWith('DG16')) { + if ( + normalised.match(/^DG16 5H[TUZ]/) || + normalised.match(/^DG16 5J[AB]/) + ) { + return false 
+ } else if (normalised.startsWith('DG')) { + return true + } + } else if (normalised.startsWith('TD9')) { + if (normalised.match(/^TD9 0T[JPRSTUW]/)) { + return false + } + } else if (normalised.startsWith('TD12')) { + if (normalised.match(/^TD12 4[ABDEHJLN]/)) { + return false + } + } else if (normalised.startsWith('TD15')) { + if (normalised.match(/^TD15 2/) || normalised.match(/^TD15 9/)) { + return false + } else if (normalised.match(/^TD15 1T[ABQUX]/) || normalised.match(/^TD15 1XX/)) { + return false + } else if ( + normalised.match(/^TD15 1B/) || + normalised.match(/^TD15 1S[ABEJLNPWXY]/) || + normalised.match(/^TD15 1U[BDENPQRTUXY]/) + ) { + return false + } else if (normalised.startsWith('TD')) { + return true + } + } + + return true } defaultMessage (args: ValidationArguments) { diff --git a/src/test/app/forms/validation/validators/PostcodeNotInScotlandOrNIValidator.ts b/src/test/app/forms/validation/validators/PostcodeNotInScotlandOrNIValidator.ts index 0fad78ca6d..8239e6ca6d 100644 --- a/src/test/app/forms/validation/validators/PostcodeNotInScotlandOrNIValidator.ts +++ b/src/test/app/forms/validation/validators/PostcodeNotInScotlandOrNIValidator.ts 
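Review bot: Every sub-sector pattern in the new DG16/TD9/TD12/TD15 branches contains a literal space (`/^DG16 5H[TUZ]/`, `/^TD9 0T[JPRSTUW]/`, `/^TD15 2/`, and so on), but they are tested against `normalised`, which was built with `.replace(/\s/g, '')` and therefore never contains a space, so each of those `return false` statements is unreachable and any DG16, TD9, TD12 or TD15 postcode that passes the format check is accepted. The accompanying tests assert `true` for `TD9 0TS`, `DG16 5HZ`, `TD15 2PA`, `TD15 1BN`, `TD15 1SY` and `TD15 1UB`, which are exactly the sectors those dead patterns list, so the suite is green only because the patterns cannot match and would flip if they were repaired. Decide which of the two expresses the intended border (the exclusions or the tests) and align them; if the exclusions are intended, drop the space from each pattern, e.g. `/^DG165H[TUZ]/`, or build the checks from a spaced form of the input rather than from `normalised`. The inner `else if (normalised.startsWith('DG'))` under the `DG16` branch and `else if (normalised.startsWith('TD'))` under `TD15` are always true at that point and can be collapsed into the trailing `return true`, and `!normalised.match('TD58AR')` is an unanchored substring test that would be clearer as `normalised !== 'TD58AR'` alongside the `startsWith` checks.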
@@ -9,6 +9,58 @@ describe('PostcodeNotInScotlandOrNIValidator', () => { const result = validator.validate('SW1H 9AJ', null) expect(result).to.be.true }) + it('should return true for a valid postcode in England starts with TD', () => { + const result = validator.validate('TD9 9WX', null) + expect(result).to.be.true + }) + it('should return true for a valid postcode in England starts with TD', () => { + const result = validator.validate('TD9 0TS', null) + expect(result).to.be.true + }) + it('should return true for a valid postcode in England starts with TD', () => { + const result = validator.validate('TD12 4TJ', null) + expect(result).to.be.true + }) + it('should return true for a valid postcode in England starts with TD', () => { + const result = validator.validate('TD15 2PA', null) + expect(result).to.be.true + }) + it('should return true for a valid postcode in England starts with TD', () => { + const result = validator.validate('TD15 1BN', null) + expect(result).to.be.true + }) + it('should return true for a valid postcode in England starts with TD', () => { + const result = validator.validate('TD15 1SY', null) + expect(result).to.be.true + }) + it('should return true for a valid postcode in England starts with TD', () => { + const result = validator.validate('TD15 1UB', null) + expect(result).to.be.true + }) + it('should return true for a valid postcode in England starts with TD', () => { + const result = validator.validate('TD15 1BN', null) + expect(result).to.be.true + }) + it('should return true for a valid postcode in England starts with TD', () => { + const result = validator.validate('TD5 8AR', null) + expect(result).to.be.true + }) + it('should return true for a valid postcode in England starts with DG', () => { + const result = validator.validate('DG16 5HZ', null) + expect(result).to.be.true + }) + it('should return true for a valid postcode in England starts with GU', () => { + const result = validator.validate('GU5 0DY', null) + 
expect(result).to.be.true + }) + it('should return true for a valid postcode in England starts with GL', () => { + const result = validator.validate('GL19 3BE', null) + expect(result).to.be.true + }) + it('should return false for a valid postcode in Glasgow', () => { + const result = validator.validate('G40 4LA', null) + expect(result).to.be.false + }) it('should return true for a valid postcode in Wales', () => { const result = validator.validate('CF10 3NQ', null) expect(result).to.be.true @@ -21,6 +73,14 @@ describe('PostcodeNotInScotlandOrNIValidator', () => { const result = validator.validate('KW1 5BA', null) expect(result).to.be.false }) + it('should return false for a valid postcode in Scotland starts with TD', () => { + const result = validator.validate('TD1 1AA', null) + expect(result).to.be.false + }) + it('should return false for a valid postcode in Scotland starts with DG', () => { + const result = validator.validate('DG3 5EZ', null) + expect(result).to.be.false + }) it('should return false for an invalid postcode', () => { const result = validator.validate('ABC123', null) expect(result).to.be.false diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues index 6f489947f9..e8b9cff12e 100644 --- a/yarn-audit-known-issues +++ b/yarn-audit-known-issues 
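Review bot: Nine of the added `it` blocks share the title `should return true for a valid postcode in England starts with TD`, and `TD15 1BN` is asserted twice, so a failing run cannot say which postcode regressed and the duplicate adds no coverage. Give each case a title that names the postcode, or generate them from one list, e.g. `for (const postcode of ['TD9 9WX', 'TD9 0TS', 'TD12 4TJ', 'TD15 2PA', 'TD15 1BN', 'TD15 1SY', 'TD15 1UB', 'TD5 8AR']) {` / `it(\`should return true for the English postcode ${postcode}\`, () => expect(validator.validate(postcode, null)).to.be.true)` / `}`, and do the same for the two negative Scotland cases in the second hunk of this file.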
@@ -1 +1 @@ -{"actions":[],"advisories":{"1092460":{"findings":[{"version":"6.3.0","paths":["launchdarkly-node-server-sdk>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.3.1","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=6.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 6.3.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092460,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the 
function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1092470":{"findings":[{"version":"2.3.4","paths":["request>tough-cookie","@hmcts/draft-store-client>request>tough-cookie","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092779":{"findings":[{"version":"2.87.0","paths":["request","@hmcts/draft-store-client>request","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-07-31T15:17:07.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092779,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package through 2.88.11 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":11,"high":0,"critical":0},"dependencies":667,"devDependencies":0,"optionalDependencies":0,"totalDependencies":667}} 
+{"actions":[],"advisories":{"1092460":{"findings":[{"version":"6.3.0","paths":["launchdarkly-node-server-sdk>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.3.1","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=6.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 6.3.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092460,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new 
Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1092470":{"findings":[{"version":"2.3.4","paths":["request>tough-cookie","@hmcts/draft-store-client>request>tough-cookie","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092972":{"findings":[{"version":"2.87.0","paths":["request","@hmcts/draft-store-client>request","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the 
maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":11,"high":0,"critical":0},"dependencies":667,"devDependencies":0,"optionalDependencies":0,"totalDependencies":667}}