hof 20.0.0-beta.3 → 20.0.0-beta.30

package/build/lib/mkdir.js

@@ -1,9 +1,9 @@
 'use strict';
 
 const path = require('path');
-const mkdirp = require('mkdirp');
+const fs = require('fs');
 
 module.exports = file => new Promise((resolve, reject) => {
   const dir = path.dirname(file);
-  mkdirp(dir, err => err ? reject(err) : resolve());
+  fs.mkdir(dir, {recursive: true}, err => err ? reject(err) : resolve());
 });

package/components/date/index.js

@@ -40,7 +40,7 @@ const conditionalTranslate = (key, translate) => {
 };
 
 const getLegendClassName = field => field && field.legend && field.legend.className || '';
-const getNoHeading = field => field && field.noHeading || '';
+const getIsPageHeading = field => field && field.isPageHeading || '';
 
 module.exports = (key, opts) => {
   if (!key) {
@@ -61,6 +61,37 @@ module.exports = (key, opts) => {
     dayOptional = true;
   }
 
+  // take the 3 date parts, padding or defaulting
+  // to '01' if applic, then create a date value in the
+  // format YYYY-MM-DD. Save to req.body for processing
+  const preProcess = (req, res, next) => {
+    const parts = getParts(req.body, fields, key);
+    if (_.some(parts, part => part !== '')) {
+      if (dayOptional && parts.day === '') {
+        parts.day = '01';
+      } else {
+        parts.day = pad(parts.day);
+      }
+      if (monthOptional && parts.month === '') {
+        parts.month = '01';
+      } else {
+        parts.month = pad(parts.month);
+      }
+      req.body[key] = `${parts.year}-${parts.month}-${parts.day}`;
+    }
+    next();
+  };
+
+  // defaultFormatters on the base controller replace '--' with '-' on the process step.
+  // This ensures having the correct number of hyphens, so values do not jump from year to month.
+  // This should only be done on a partially completed date field otherwise the validation messages break.
+  const postProcess = (req, res, next) => {
+    const value = req.form.values[key];
+    if (value) {
+      req.form.values[key] = req.body[key];
+    }
+    next();
+  };
   // if date field is included in errorValues, extend
   // errorValues with the individual components
   const preGetErrors = (req, res, next) => {
@@ -114,9 +145,9 @@ module.exports = (key, opts) => {
     const legend = conditionalTranslate(`fields.${key}.legend`, req.translate);
     const hint = conditionalTranslate(`fields.${key}.hint`, req.translate);
     const legendClassName = getLegendClassName(options);
-    const noHeading = getNoHeading(options);
+    const isPageHeading = getIsPageHeading(options);
     const error = req.form.errors && req.form.errors[key];
-    res.render(template, { key, legend, legendClassName, noHeading, hint, error }, (err, html) => {
+    res.render(template, { key, legend, legendClassName, isPageHeading, hint, error }, (err, html) => {
       if (err) {
         next(err);
       } else {
@@ -127,35 +158,15 @@ module.exports = (key, opts) => {
     });
   };
 
-  // take the 3 date parts, padding or defaulting
-  // to '01' if applic, then create a date value in the
-  // format YYYY-MM-DD. Save to req.body for processing
-  const preProcess = (req, res, next) => {
-    const parts = getParts(req.body, fields, key);
-    if (_.some(parts, part => part !== '')) {
-      if (dayOptional && parts.day === '') {
-        parts.day = '01';
-      } else {
-        parts.day = pad(parts.day);
-      }
-      if (monthOptional && parts.month === '') {
-        parts.month = '01';
-      } else {
-        parts.month = pad(parts.month);
-      }
-      req.body[key] = `${parts.year}-${parts.month}-${parts.day}`;
-    }
-    next();
-  };
-
   // return config extended with hooks
   return Object.assign({}, options, {
     hooks: {
+      'pre-process': preProcess,
+      'post-process': postProcess,
       'pre-getErrors': preGetErrors,
       'post-getErrors': postGetErrors,
       'post-getValues': postGetValues,
-      'pre-render': preRender,
-      'pre-process': preProcess
+      'pre-render': preRender
     }
   });
 };

package/components/date/templates/date.html

@@ -1,9 +1,9 @@
 <div class="govuk-form-group {{#error}}govuk-form-group--error{{/error}}">
 <fieldset id="{{key}}-group" class="govuk-fieldset{{#className}} {{className}}{{/className}}" role="group">
-  <legend class="govuk-fieldset__legend {{^noHeading}}govuk-fieldset__legend--l{{/noHeading}}{{#legendClassName}} {{legendClassName}}{{/legendClassName}}">
-    {{^noHeading}}<h1 class="govuk-fieldset__heading">{{/noHeading}}
+  <legend class="govuk-fieldset__legend {{#isPageHeading}}govuk-fieldset__legend--l{{/isPageHeading}}{{#legendClassName}} {{legendClassName}}{{/legendClassName}}">
+    {{#isPageHeading}}<h1 class="govuk-fieldset__heading">{{/isPageHeading}}
       {{legend}}
-    {{^noHeading}}</h1>{{/noHeading}}
+    {{#isPageHeading}}</h1>{{/isPageHeading}}
   </legend>
     {{#hint}}
       <span id="{{key}}-hint" class="govuk-hint">{{hint}}</span>

package/components/emailer/index.js

@@ -17,48 +17,56 @@ module.exports = config => {
   }
 
   return superclass => class EmailBehaviour extends superclass {
-    successHandler(req, res, callback) {
-      Promise.resolve()
-        .then(() => {
-          debug(`Loading email template from ${config.template}`);
-          return new Promise((resolve, reject) => {
-            fs.readFile(config.template, (err, template) => err ? reject(err) : resolve(template.toString('utf8')));
+    async successHandler(req, res, next) {
+      req.sessionModel.unset('nodemailer-error');
+
+      try {
+        debug(`Loading email template from ${config.template}`);
+
+        const template = await new Promise((resolve, reject) => {
+          return fs.readFile(config.template, (err, resolvedTemplate) => {
+            return err ? reject(err) : resolve(resolvedTemplate.toString('utf8'));
           });
-        })
-        .then(template => {
-          debug('Rendering email content');
-          const data = config.parse(req.sessionModel.toJSON(), req.translate);
-          return Hogan.compile(template).render(data);
-        })
-        .then(body => {
-          debug('Building email settings');
-          const settings = { body };
-
-          if (typeof config.recipient === 'function') {
-            settings.recipient = config.recipient(req.sessionModel.toJSON());
-          } else {
-            settings.recipient = req.sessionModel.get(config.recipient) || config.recipient;
-          }
-          if (typeof settings.recipient !== 'string' || !settings.recipient.includes('@')) {
-            throw new Error('hof-behaviour-emailer: invalid recipient');
-          }
-
-          if (typeof config.subject === 'function') {
-            settings.subject = config.subject(req.sessionModel.toJSON(), req.translate);
-          } else {
-            settings.subject = config.subject;
-          }
-
-          return settings;
-        })
-        .then(settings => {
-          debug('Sending email', settings);
-          return emailer.send(settings);
-        })
-        .then(() => {
-          debug('Email sent successfully');
-          super.successHandler(req, res, callback);
-        }, callback);
+        });
+
+        debug('Rendering email content');
+
+        const data = config.parse(req.sessionModel.toJSON(), req.translate);
+
+        debug('Building email settings');
+
+        const settings = { body: Hogan.compile(template).render(data) };
+
+        if (typeof config.recipient === 'function') {
+          settings.recipient = config.recipient(req.sessionModel.toJSON());
+        } else {
+          settings.recipient = req.sessionModel.get(config.recipient) || config.recipient;
+        }
+        if (typeof settings.recipient !== 'string' || !settings.recipient.includes('@')) {
+          return next(new Error('hof-behaviour-emailer: invalid recipient'));
+        }
+
+        if (typeof config.subject === 'function') {
+          settings.subject = config.subject(req.sessionModel.toJSON(), req.translate);
+        } else {
+          settings.subject = config.subject;
+        }
+
+        debug('Sending email', settings);
+
+        await emailer.send(settings);
+
+        debug('Email sent successfully');
+
+        return super.successHandler(req, res, next);
+      } catch (e) {
+        if (config.emailerFallback) {
+          req.log('error', e.message || e);
+          req.sessionModel.set('nodemailer-error', true);
+          return super.successHandler(req, res, next);
+        }
+        return next(e);
+      }
     }
   };
 };

package/components/emailer/transports/debug.js

@@ -4,7 +4,6 @@
 const fs = require('fs');
 const path = require('path');
 const cp = require('child_process');
-const mkdirp = require('mkdirp');
 
 const mimes = {
   '.gif': 'image/gif',
@@ -12,7 +11,7 @@ const mimes = {
 };
 
 const mkdir = dir => new Promise((resolve, reject) => {
-  mkdirp(dir, err => err ? reject(err) : resolve());
+  fs.mkdir(dir, {recursive: true}, err => err ? reject(err) : resolve());
 });
 
 const cidToBase64 = (h, attachments) => {

package/components/index.js

@@ -5,5 +5,6 @@ module.exports = {
   clearSession: require('./clear-session'),
   date: require('./date'),
   emailer: require('./emailer'),
-  summary: require('./summary')
+  summary: require('./summary'),
+  notify: require('./notify')
 };

package/components/notify/index.js

@@ -0,0 +1,60 @@
+'use strict';
+
+const Notify = require('./notify');
+const Hogan = require('hogan.js');
+const fs = require('fs');
+
+module.exports = config => {
+  const notify = new Notify(config);
+  config.parse = config.parse || (data => data);
+
+  if (!config.recipient) {
+    throw new Error('Email recipient must be defined');
+  }
+  if (typeof config.template !== 'string') {
+    throw new Error('Email template must be defined');
+  }
+
+  return superclass => class NotifyBehaviour extends superclass {
+    successHandler(req, res, next) {
+      Promise.resolve()
+        .then(() => {
+          return new Promise((resolve, reject) => {
+            fs.readFile(config.template, (err, template) => err ? reject(err) : resolve(template.toString('utf8')));
+          });
+        })
+        .then(template => {
+          const data = config.parse(req.sessionModel.toJSON(), req.translate);
+          return Hogan.compile(template).render(data);
+        })
+        .then(body => {
+          const settings = { body };
+
+          if (typeof config.recipient === 'function') {
+            settings.recipient = config.recipient(req.sessionModel.toJSON());
+          } else {
+            settings.recipient = req.sessionModel.get(config.recipient) || config.recipient;
+          }
+          if (typeof settings.recipient !== 'string' || !settings.recipient.includes('@')) {
+            throw new Error('hof-behaviour-emailer: invalid recipient');
+          }
+
+          if (typeof config.subject === 'function') {
+            settings.subject = config.subject(req.sessionModel.toJSON(), req.translate);
+          } else {
+            settings.subject = config.subject;
+          }
+
+          return settings;
+        })
+        .then(settings => {
+          return notify.send(settings);
+        })
+        .then(() => {
+          super.successHandler(req, res, next);
+        }, next);
+    }
+  };
+};
+
+module.exports.Notify = Notify;

package/components/notify/notify.js

@@ -0,0 +1,25 @@
+'use strict';
+const NotifyClient = require('notifications-node-client').NotifyClient;
+const {v4: uuidv4} = require('uuid');
+
+module.exports = class Notify {
+  constructor(opts) {
+    const options = opts || {};
+    this.options = options;
+    this.notifyClient =  new NotifyClient(options.notifyApiKey);
+    this.notifyTemplate = options.notifyTemplate;
+  }
+
+  send(email) {
+    const reference = uuidv4();
+
+    return this.notifyClient.sendEmail(this.notifyTemplate, email.recipient, {
+      personalisation: {
+        'email-subject': email.subject,
+        'email-body': email.body
+      },
+      reference });
+  }
+};
+
+module.exports.NotifyClient = NotifyClient;

package/components/summary/index.js

@@ -1,6 +1,9 @@
 
 'use strict';
 
+const config = require('../../config/rate-limits');
+const rateLimiter = require('../../middleware/rate-limiter');
+
 const concat = (x, y) => x.concat(y);
 const flatMap = (f, xs) => xs.map(f).reduce(concat, []);
 
@@ -215,4 +218,19 @@ module.exports = SuperClass => class extends SuperClass {
       rows
     });
   }
+
+  validate(req, res, next) {
+    if (!config.rateLimits.submissions.active) {
+      return super.validate(req, res, next);
+    }
+    // how do we stop this ballsing up our tests??????
+    const options = Object.assign({}, config, { logger: req });
+
+    return rateLimiter(options, 'submissions')(req, res, err => {
+      if (err) {
+        return next(err);
+      }
+      return super.validate(req, res, next);
+    });
+  }
 };

package/config/hof-defaults.js

@@ -1,5 +1,6 @@
 'use strict';
 /* eslint no-process-env: "off" */
+const rateLimits = require('./rate-limits');
 
 const defaults = {
   appName: process.env.APP_NAME || 'HOF Application',
@@ -19,7 +20,7 @@ const defaults = {
   host: process.env.HOST || '0.0.0.0',
   port: process.env.PORT || '8080',
   env: process.env.NODE_ENV || 'development',
-  gaTagId: process.env.GA_TAG,
+  gaTagId: process.env.GA_TAG || 'Test-GA-Tag',
   ga4TagId: process.env.GA_4_TAG,
   gaCrossDomainTrackingTagId: process.env.GDS_CROSS_DOMAIN_GA_TAG,
   loglevel: process.env.LOG_LEVEL || 'info',
@@ -31,7 +32,8 @@ const defaults = {
   session: {
     ttl: process.env.SESSION_TTL || 1800,
     secret: process.env.SESSION_SECRET || 'changethis',
-    name: process.env.SESSION_NAME || 'hod.sid'
+    name: process.env.SESSION_NAME || 'hod.sid',
+    sanitiseInputs: false
   },
   apis: {
     pdfConverter: process.env.PDF_CONVERTER_URL
@@ -39,4 +41,4 @@ const defaults = {
   serveStatic: process.env.SERVE_STATIC_FILES !== 'false'
 };
 
-module.exports = defaults;
+module.exports = Object.assign({}, defaults, rateLimits);

package/config/rate-limits.js

@@ -0,0 +1,20 @@
+
+module.exports = {
+  rateLimits: {
+    env: process.env.NODE_ENV,
+    requests: {
+      active: false,
+      windowSizeInMinutes: 5,
+      maxWindowRequestCount: 100,
+      windowLogIntervalInMinutes: 1,
+      errCode: 'DDOS_RATE_LIMIT'
+    },
+    submissions: {
+      active: false,
+      windowSizeInMinutes: 10,
+      maxWindowRequestCount: 1,
+      windowLogIntervalInMinutes: 1,
+      errCode: 'SUBMISSION_RATE_LIMIT'
+    }
+  }
+};

package/config/sanitisation-rules.js

@@ -0,0 +1,29 @@
+'use strict';
+/* eslint no-process-env: "off" */
+
+const sanitisationBlacklistArray = {
+  // Input will be sanitised using the below rules
+  // The key is what we're sanitising out
+  // The regex is the rule we used to find them (note some dictate repeating characters)
+  // And the replace is what we're replacing that pattern with. Usually nothing sometimes a
+  // single character or sometimes a single character followed by a "-"
+  '/*': { regex: '\/\\*', replace: '-' },
+  '*/': { regex: '\\*\\/', replace: '-' },
+  '|': { regex: '\\|', replace: '-' },
+  '&&': { regex: '&&+', replace: '&' },
+  '@@': { regex: '@@+', replace: '@' },
+  '/..;/': { regex: '/\\.\\.;/', replace: '-' }, // Purposely input before ".." as they conflict
+  // '..': { regex: '\\.\\.+', replace: '.' }, // Agreed to disable this rule for now unless its specifically required
+  '/etc/passwd': { regex: '\/etc\/passwd', replace: '-' },
+  'c:\\': { regex: 'c:\\\\', replace: '-' },
+  'cmd.exe': { regex: 'cmd\\.exe', replace: '-' },
+  '<': { regex: '<', replace: '<-' },
+  '>': { regex: '>', replace: '>-' },
+  '[': { regex: '\\[+', replace: '[-' },
+  ']': { regex: '\\]+', replace: ']-' },
+  '~': { regex: '~', replace: '~-' },
+  '&#': { regex: '&#', replace: '-' },
+  '%U': { regex: '%U', replace: '-' }
+};
+
+module.exports = sanitisationBlacklistArray;

package/controller/base-controller.js

@@ -8,6 +8,8 @@ const debug = require('debug')('hmpo:form');
 const dataFormatter = require('./formatting');
 const dataValidator = require('./validation');
 const ErrorClass = require('./validation-error');
+const Helpers = require('../utilities').helpers;
+const sanitisationBlacklistArray = require('../config/sanitisation-rules');
 
 module.exports = class BaseController extends EventEmitter {
   constructor(options) {
@@ -69,6 +71,7 @@ module.exports = class BaseController extends EventEmitter {
         this._configure.bind(this),
         this._process.bind(this),
         this._validate.bind(this),
+        this._sanitize.bind(this),
         this._getHistoricalValues.bind(this),
         this.saveValues.bind(this),
         this.successHandler.bind(this),
@@ -162,6 +165,28 @@ module.exports = class BaseController extends EventEmitter {
     return validator(key, req.form.values[key], req.form.values, emptyValue);
   }
 
+  _sanitize(req, res, callback) {
+    // Sanitisation could be disabled in the config
+    if(!this.options.sanitiseInputs) return callback();
+
+    // If we don't have any data, no need to progress
+    if(!_.isEmpty(req.form.values)) {
+      Object.keys(req.form.values).forEach(function (property, propertyIndex) {
+        // If it's not a string, don't sanitise it
+        if(_.isString(req.form.values[property])) {
+          // For each property in our form data
+          Object.keys(sanitisationBlacklistArray).forEach(function (blacklisted, blacklistedIndex) {
+            const blacklistedDetail = sanitisationBlacklistArray[blacklisted];
+            const regexQuery = new RegExp(blacklistedDetail.regex, 'gi');
+            // Will perform the required replace based on our passed in regex and the replace string
+            req.form.values[property] = req.form.values[property].replace(regexQuery, blacklistedDetail.replace);
+          });
+        }
+      });
+    }
+    return callback();
+  }
+
   _process(req, res, callback) {
     req.form.values = req.form.values || {};
     const formatter = dataFormatter(
@@ -213,16 +238,9 @@ module.exports = class BaseController extends EventEmitter {
   }
 
   _getForkTarget(req, res) {
-    function evalCondition(condition) {
-      return _.isFunction(condition) ?
-        condition(req, res) :
-        condition.value === (req.form.values[condition.field] ||
-                           (req.form.historicalValues && req.form.historicalValues[condition.field]));
-    }
-
     // If a fork condition is met, its target supercedes the next property
     return req.form.options.forks.reduce((result, value) =>
-      evalCondition(value.condition) ?
+      Helpers.isFieldValueInPageOrSessionValid(req, res, value.condition) ?
         value.target :
         result
     , req.form.options.next);

package/controller/controller.js

@@ -4,6 +4,7 @@ const _ = require('lodash');
 const i18nLookup = require('i18n-lookup');
 const Mustache = require('mustache');
 const BaseController = require('./base-controller');
+const Helpers = require('../utilities').helpers;
 
 const omitField = (field, req) => field.useWhen && (typeof field.useWhen === 'string'
   ? req.sessionModel.get(field.useWhen) !== 'true'
@@ -54,12 +55,7 @@ module.exports = class Controller extends BaseController {
 
     // If a form condition is met, its target supercedes the next property
     next = _.reduce(forks, (result, value) => {
-      const evalCondition = condition => _.isFunction(condition) ?
-        condition(req, res) :
-        condition.value === (req.form.values[condition.field] ||
-          (req.form.historicalValues && req.form.historicalValues[condition.field]));
-
-      if (evalCondition(value.condition)) {
+      if (Helpers.isFieldValueInPageOrSessionValid(req, res, value.condition)) {
         if (value.continueOnEdit) {
           req.form.options.continueOnEdit = true;
         }
@@ -119,6 +115,7 @@ module.exports = class Controller extends BaseController {
       title: this.getTitle(route, lookup, req.form.options.fields, res.locals),
       header: this.getHeader(route, lookup, res.locals),
       captionHeading: this.getCaptionHeading(route, lookup, res.locals),
+      warning: this.getWarning(route, lookup, res.locals),
       subHeading: this.getSubHeading(route, lookup, res.locals),
       intro: this.getIntro(route, lookup, res.locals),
       backLink: this.getBackLink(req, res),
@@ -128,25 +125,29 @@ module.exports = class Controller extends BaseController {
   }
 
   getFirstFormItem(fields) {
-    let firstFieldKey
+    let firstFieldKey;
     if (_.size(fields)) {
-      firstFieldKey = Object.keys(fields)[0]
+      firstFieldKey = Object.keys(fields)[0];
     }
     return firstFieldKey | 'main-content';
   }
 
-  getHeader(route, lookup, locals){
+  getHeader(route, lookup, locals) {
     return lookup(`pages.${route}.header`, locals);
   }
 
-  getCaptionHeading(route, lookup, locals){
+  getCaptionHeading(route, lookup, locals) {
     return lookup(`pages.${route}.captionHeading`, locals);
   }
 
-  getSubHeading(route, lookup, locals){
+  getSubHeading(route, lookup, locals) {
     return lookup(`pages.${route}.subHeading`, locals);
   }
 
+  getWarning(route, lookup, locals) {
+    return lookup(`pages.${route}.warning`, locals);
+  }
+
   getTitle(route, lookup, fields, locals) {
     let fieldName = '';
     if (_.size(fields)) {
@@ -170,15 +171,20 @@ module.exports = class Controller extends BaseController {
       Object.keys(req.form.errors).forEach(key => {
         if (req.form && req.form.options && req.form.options.fields) {
           const field = req.form.options.fields[key];
-          // get first option for radios
-          if(field.mixin === 'radio-group') {
-            req.form.errors[key].errorLinkId = key + "-" + field.options[0];
+          // get first option for radios and checkbox
+          if (field.mixin === 'radio-group' || field.mixin === 'checkbox-group') {
+            // get first option for radios and checkbox where there is a toggle
+            if(typeof field.options[0] === 'object') {
+              req.form.errors[key].errorLinkId = key + '-' + field.options[0].value;
+            } else {
+              req.form.errors[key].errorLinkId = key + '-' + field.options[0];
+            }
+          // eslint-disable-next-line brace-style
           }
           // get first field for date input control
-          else if (field && field.controlType === 'date-input') {
+          else if (field && field.mixin === 'input-date') {
             req.form.errors[key].errorLinkId = key + '-day';
-          }
-          else {
+          } else {
             req.form.errors[key].errorLinkId = key;
           }
         }

package/frontend/govuk-template/build/config.js

@@ -4,7 +4,7 @@ module.exports = {
   htmlLang: '{{htmlLang}}',
   assetPath: '{{govukAssetPath}}',
   afterHeader: '{{$afterHeader}}{{/afterHeader}}',
-  bodyClasses: '{{$bodyClasses}}{{/bodyClasses}}',  
+  bodyClasses: '{{$bodyClasses}}{{/bodyClasses}}',
   bodyStart: '{{$bodyStart}}{{/bodyStart}}',
   bodyEnd: '{{$bodyEnd}}{{/bodyEnd}}',
   content: '{{$main}}{{/main}}',