CIV-10077 fix TD DG G GU GL postcode validation (#3614)

* CIV-10077 fix TD DG G GU GL postcode validation * Update yarn-audit-known-issues * yarn audit fix * Update PostcodeNotInScotlandOrNIValidator.ts * CIV-10077 add TD5 8AR postcode * yarn audit fix --------- Co-authored-by: Sabah Irfan <[email protected]>
hmcts · Aug 17, 2023 · f901301 · f901301
1 parent a38523a
commit f901301
Show file tree

Hide file tree

Showing 3 changed files with 121 additions and 7 deletions.
diff --git a/src/main/app/forms/validation/validators/postCodeNotInScotlandOrNI.ts b/src/main/app/forms/validation/validators/postCodeNotInScotlandOrNI.ts
@@ -6,20 +6,74 @@ export class PostcodeNotInScotlandOrNIValidator implements ValidatorConstraintIn
   validate (value: any, args: ValidationArguments) {
     const postcode: string = value
 
-    if (!postcode || !postcode?.startsWith?.('')) {
+    if (!postcode) {
       return false
     }
+
     const ukPostcodeRegex = /^([Gg][Ii][Rr]\s?0[Aa]{2}|[A-Za-z]{1,2}\d[A-Za-z\d]?(\s?\d[A-Za-z]{2})?)$/
-    const normalised = value.toString().replace(/\s/g,'').toUpperCase()
+    const normalised = value.toString().replace(/\s/g, '').toUpperCase()
     const isValidFormat = ukPostcodeRegex.test(normalised)
 
     if (!isValidFormat) {
       return false
     }
-    const scotlandPrefixes: string[] = ['KW', 'IV', 'HS', 'PH', 'AB', 'DD', 'KY', 'FK', 'EH', 'G', 'KA', 'ML', 'PA', 'TD', 'DG', 'ZE']
-    const isScotlandPostcode: boolean = scotlandPrefixes.some(prefix => postcode.toUpperCase().startsWith(prefix))
-    const isNIPostcode: boolean = postcode.toUpperCase().startsWith('BT')
-    return !isScotlandPostcode && !isNIPostcode
+
+    const isScotlandPostcode: boolean =
+      normalised.startsWith('KW') ||
+      normalised.startsWith('IV') ||
+      normalised.startsWith('HS') ||
+      normalised.startsWith('PH') ||
+      normalised.startsWith('AB') ||
+      normalised.startsWith('DD') ||
+      normalised.startsWith('KY') ||
+      normalised.startsWith('FK') ||
+      normalised.startsWith('EH') ||
+      normalised.startsWith('KA') ||
+      normalised.startsWith('ML') ||
+      normalised.startsWith('PA') ||
+      (normalised.startsWith('TD') && !normalised.startsWith('TD9') && !normalised.startsWith('TD12') && !normalised.startsWith('TD15') && !normalised.match('TD58AR')) ||
+      (normalised.startsWith('DG') && !normalised.startsWith('DG16')) ||
+      (normalised.startsWith('G') && !normalised.startsWith('GU') && !normalised.startsWith('GL'))
+
+    const isNIPostcode: boolean = normalised.startsWith('BT')
+
+    if (isScotlandPostcode || isNIPostcode) {
+      return false
+    }
+    if (normalised.startsWith('DG16')) {
+      if (
+        normalised.match(/^DG16 5H[TUZ]/) ||
+        normalised.match(/^DG16 5J[AB]/)
+      ) {
+        return false
+      } else if (normalised.startsWith('DG')) {
+        return true
+      }
+    } else if (normalised.startsWith('TD9')) {
+      if (normalised.match(/^TD9 0T[JPRSTUW]/)) {
+        return false
+      }
+    } else if (normalised.startsWith('TD12')) {
+      if (normalised.match(/^TD12 4[ABDEHJLN]/)) {
+        return false
+      }
+    } else if (normalised.startsWith('TD15')) {
+      if (normalised.match(/^TD15 2/) || normalised.match(/^TD15 9/)) {
+        return false
+      } else if (normalised.match(/^TD15 1T[ABQUX]/) || normalised.match(/^TD15 1XX/)) {
+        return false
+      } else if (
+        normalised.match(/^TD15 1B/) ||
+        normalised.match(/^TD15 1S[ABEJLNPWXY]/) ||
+        normalised.match(/^TD15 1U[BDENPQRTUXY]/)
+      ) {
+        return false
+      } else if (normalised.startsWith('TD')) {
+        return true
+      }
+    }
+
+    return true
   }
 
   defaultMessage (args: ValidationArguments) {

diff --git a/src/test/app/forms/validation/validators/PostcodeNotInScotlandOrNIValidator.ts b/src/test/app/forms/validation/validators/PostcodeNotInScotlandOrNIValidator.ts
@@ -9,6 +9,58 @@ describe('PostcodeNotInScotlandOrNIValidator', () => {
       const result = validator.validate('SW1H 9AJ', null)
       expect(result).to.be.true
     })
+    it('should return true for a valid postcode in England starts with TD', () => {
+      const result = validator.validate('TD9 9WX', null)
+      expect(result).to.be.true
+    })
+    it('should return true for a valid postcode in England starts with TD', () => {
+      const result = validator.validate('TD9 0TS', null)
+      expect(result).to.be.true
+    })
+    it('should return true for a valid postcode in England starts with TD', () => {
+      const result = validator.validate('TD12 4TJ', null)
+      expect(result).to.be.true
+    })
+    it('should return true for a valid postcode in England starts with TD', () => {
+      const result = validator.validate('TD15 2PA', null)
+      expect(result).to.be.true
+    })
+    it('should return true for a valid postcode in England starts with TD', () => {
+      const result = validator.validate('TD15 1BN', null)
+      expect(result).to.be.true
+    })
+    it('should return true for a valid postcode in England starts with TD', () => {
+      const result = validator.validate('TD15 1SY', null)
+      expect(result).to.be.true
+    })
+    it('should return true for a valid postcode in England starts with TD', () => {
+      const result = validator.validate('TD15 1UB', null)
+      expect(result).to.be.true
+    })
+    it('should return true for a valid postcode in England starts with TD', () => {
+      const result = validator.validate('TD15 1BN', null)
+      expect(result).to.be.true
+    })
+    it('should return true for a valid postcode in England starts with TD', () => {
+      const result = validator.validate('TD5 8AR', null)
+      expect(result).to.be.true
+    })
+    it('should return true for a valid postcode in England starts with DG', () => {
+      const result = validator.validate('DG16 5HZ', null)
+      expect(result).to.be.true
+    })
+    it('should return true for a valid postcode in England starts with GU', () => {
+      const result = validator.validate('GU5 0DY', null)
+      expect(result).to.be.true
+    })
+    it('should return true for a valid postcode in England starts with GL', () => {
+      const result = validator.validate('GL19 3BE', null)
+      expect(result).to.be.true
+    })
+    it('should return false for a valid postcode in Glasgow', () => {
+      const result = validator.validate('G40 4LA', null)
+      expect(result).to.be.false
+    })
     it('should return true for a valid postcode in Wales', () => {
       const result = validator.validate('CF10 3NQ', null)
       expect(result).to.be.true
@@ -21,6 +73,14 @@ describe('PostcodeNotInScotlandOrNIValidator', () => {
       const result = validator.validate('KW1 5BA', null)
       expect(result).to.be.false
     })
+    it('should return false for a valid postcode in Scotland starts with TD', () => {
+      const result = validator.validate('TD1 1AA', null)
+      expect(result).to.be.false
+    })
+    it('should return false for a valid postcode in Scotland starts with DG', () => {
+      const result = validator.validate('DG3 5EZ', null)
+      expect(result).to.be.false
+    })
     it('should return false for an invalid postcode', () => {
       const result = validator.validate('ABC123', null)
       expect(result).to.be.false

diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
@@ -1 +1 @@
-{"actions":[],"advisories":{"1092460":{"findings":[{"version":"6.3.0","paths":["launchdarkly-node-server-sdk>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.3.1","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=6.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 6.3.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092460,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1092470":{"findings":[{"version":"2.3.4","paths":["request>tough-cookie","@hmcts/draft-store-client>request>tough-cookie","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092779":{"findings":[{"version":"2.87.0","paths":["request","@hmcts/draft-store-client>request","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-07-31T15:17:07.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092779,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package through 2.88.11 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":11,"high":0,"critical":0},"dependencies":667,"devDependencies":0,"optionalDependencies":0,"totalDependencies":667}}
+{"actions":[],"advisories":{"1092460":{"findings":[{"version":"6.3.0","paths":["launchdarkly-node-server-sdk>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>semver","gulp>glob-watcher>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"]}],"metadata":null,"vulnerable_versions":">=6.0.0 <6.3.1","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=6.3.1","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 6.3.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092460,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1092470":{"findings":[{"version":"2.3.4","paths":["request>tough-cookie","@hmcts/draft-store-client>request>tough-cookie","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092972":{"findings":[{"version":"2.87.0","paths":["request","@hmcts/draft-store-client>request","@hmcts/cmc-draft-store-middleware>@hmcts/draft-store-client>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":11,"high":0,"critical":0},"dependencies":667,"devDependencies":0,"optionalDependencies":0,"totalDependencies":667}}