diff --git a/.golangci.yml b/.golangci.yml index a184b86..4207d57 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -8,7 +8,7 @@ run: timeout: 5m linters-settings: govet: - check-shadowing: true + shadow: true golint: min-confidence: 0 gocyclo: diff --git a/Makefile b/Makefile index d2ccaa4..ecaef65 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,6 @@ build: generate-prod .PHONY: lint lint: - go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.52.2 golangci-lint run ./... .PHONY: debug @@ -42,13 +41,13 @@ convey: .PHONY: generate-debug generate-debug: fetch-renderer-lib - cd assets; go run github.com/kevinburke/go-bindata/go-bindata -prefix $(CORE_ASSETS_PATH)/assets -debug -o data.go -pkg assets locales/... templates/... $(CORE_ASSETS_PATH)/assets/locales/... $(CORE_ASSETS_PATH)/assets/templates/... + cd assets; go-bindata -prefix $(CORE_ASSETS_PATH)/assets -debug -o data.go -pkg assets locales/... templates/... $(CORE_ASSETS_PATH)/assets/locales/... $(CORE_ASSETS_PATH)/assets/templates/... { echo "// +build debug\n"; cat assets/data.go; } > assets/debug.go.new mv assets/debug.go.new assets/data.go .PHONY: generate-prod generate-prod: fetch-renderer-lib - cd assets; go run github.com/kevinburke/go-bindata/go-bindata -prefix $(CORE_ASSETS_PATH)/assets -o data.go -pkg assets locales/... templates/... $(CORE_ASSETS_PATH)/assets/locales/... $(CORE_ASSETS_PATH)/assets/templates/... + cd assets; go-bindata -prefix $(CORE_ASSETS_PATH)/assets -o data.go -pkg assets locales/... templates/... $(CORE_ASSETS_PATH)/assets/locales/... $(CORE_ASSETS_PATH)/assets/templates/... { echo "// +build production\n"; cat assets/data.go; } > assets/data.go.new mv assets/data.go.new assets/data.go diff --git a/ci/build.yml b/ci/build.yml index fe15890..da22a70 100644 --- a/ci/build.yml +++ b/ci/build.yml @@ -6,7 +6,7 @@ image_resource: type: docker-image source: repository: golang - tag: 1.22.2-bullseye + tag: 1.22.5-bullseye inputs: - name: dp-frontend-feedback-controller diff --git a/ci/component.yml b/ci/component.yml index 0c00241..9435cd8 100644 --- a/ci/component.yml +++ b/ci/component.yml @@ -6,7 +6,7 @@ image_resource: type: docker-image source: repository: golang - tag: 1.22.2-bullseye + tag: 1.22.5-bullseye inputs: - name: dp-frontend-feedback-controller diff --git a/ci/lint.yml b/ci/lint.yml index 8843934..d0360f6 100644 --- a/ci/lint.yml +++ b/ci/lint.yml @@ -6,7 +6,7 @@ image_resource: type: docker-image source: repository: golang - tag: 1.22.2-bullseye + tag: 1.22.5-bullseye inputs: - name: dp-frontend-feedback-controller diff --git a/ci/scripts/build.sh b/ci/scripts/build.sh index 824d7c2..9d12a66 100755 --- a/ci/scripts/build.sh +++ b/ci/scripts/build.sh @@ -1,5 +1,7 @@ #!/bin/bash -eux +go install github.com/kevinburke/go-bindata/v4/...@v4.0.2 + pushd dp-frontend-feedback-controller make build cp build/dp-frontend-feedback-controller Dockerfile.concourse ../build diff --git a/ci/scripts/lint.sh b/ci/scripts/lint.sh index b0013ca..e9e85b7 100755 --- a/ci/scripts/lint.sh +++ b/ci/scripts/lint.sh @@ -1,5 +1,7 @@ #!/bin/bash -eux +go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.1 + pushd dp-frontend-feedback-controller make lint popd diff --git a/ci/scripts/unit.sh b/ci/scripts/unit.sh index a19a3d4..7ab6ecb 100755 --- a/ci/scripts/unit.sh +++ b/ci/scripts/unit.sh @@ -1,5 +1,7 @@ #!/bin/bash -eux +go install github.com/kevinburke/go-bindata/v4/...@v4.0.2 + pushd dp-frontend-feedback-controller make test popd diff --git a/ci/unit.yml b/ci/unit.yml index 71e8b95..c2a9ea2 100644 --- a/ci/unit.yml +++ b/ci/unit.yml @@ -6,7 +6,7 @@ image_resource: type: docker-image source: repository: golang - tag: 1.22.2-bullseye + tag: 1.22.5-bullseye inputs: - name: dp-frontend-feedback-controller diff --git a/config/config.go b/config/config.go index 0aa878f..bf24421 100644 --- a/config/config.go +++ b/config/config.go @@ -40,6 +40,10 @@ var cfg *Config // Get returns the default config with any modifications through environment // variables func Get() (*Config, error) { + if cfg != nil { + return cfg, nil + } + envCfg, err := get() if err != nil { return nil, err @@ -50,14 +54,12 @@ func Get() (*Config, error) { } else { envCfg.PatternLibraryAssetsPath = "//cdn.ons.gov.uk/dp-design-system/e0a75c3" } - return envCfg, nil + + cfg = envCfg + return cfg, nil } func get() (*Config, error) { - if cfg != nil { - return cfg, nil - } - cfg := &Config{ APIRouterURL: "http://localhost:23200/v1", BindAddr: "localhost:25200", diff --git a/config/config_test.go b/config/config_test.go index 19f7d3a..ae45f9a 100644 --- a/config/config_test.go +++ b/config/config_test.go @@ -9,8 +9,8 @@ import ( func TestConfig(t *testing.T) { Convey("Given an environment with no environment variables set", t, func() { - cfg, err := Get() Convey("When the config values are retrieved", func() { + cfg, err := Get() Convey("Then there should be no error returned", func() { So(err, ShouldBeNil) }) diff --git a/handlers/feedback.go b/handlers/feedback.go index e67d349..63b86d4 100644 --- a/handlers/feedback.go +++ b/handlers/feedback.go @@ -5,12 +5,10 @@ import ( "context" "fmt" "net/http" - "net/url" "regexp" "strings" cacheHelper "github.com/ONSdigital/dp-frontend-cache-helper/pkg/navigation/helper" - "github.com/ONSdigital/dp-frontend-feedback-controller/config" "github.com/ONSdigital/dp-frontend-feedback-controller/email" "github.com/ONSdigital/dp-frontend-feedback-controller/interfaces" "github.com/ONSdigital/dp-frontend-feedback-controller/mapper" @@ -24,25 +22,16 @@ import ( // FeedbackThanks loads the Feedback Thank you page func (f *Feedback) FeedbackThanks() http.HandlerFunc { return dphandlers.ControllerHandler(func(w http.ResponseWriter, req *http.Request, lang, collectionID, accessToken string) { - feedbackThanks(w, req, req.Referer(), f.Render, f.CacheService, lang) + feedbackThanks(w, req, req.Referer(), f.Render, f.CacheService, lang, f.Config.SiteDomain, f.Config.EnableNewNavBar) }) } -func feedbackThanks(w http.ResponseWriter, req *http.Request, uri string, rend interfaces.Renderer, cacheHelperService *cacheHelper.Helper, lang string) { - ctx := req.Context() - var wholeSite string - - cfg, err := config.Get() - if err != nil { - log.Warn(ctx, "Unable to retrieve configuration", log.FormatErrors([]error{err})) - } else { - wholeSite = cfg.SiteDomain - } - +func feedbackThanks(w http.ResponseWriter, req *http.Request, uri string, rend interfaces.Renderer, cacheHelperService *cacheHelper.Helper, lang, siteDomain string, enableNewNavBar bool) { basePage := rend.NewBasePageModel() - p := mapper.CreateGetFeedbackThanks(req, basePage, lang, uri, wholeSite) + p := mapper.CreateGetFeedbackThanks(req, basePage, lang, uri, siteDomain) - if cfg.EnableNewNavBar { + if enableNewNavBar { + ctx := req.Context() mappedNavContent, err := cacheHelperService.GetMappedNavigationContent(ctx, lang) if err == nil { p.NavigationContent = mappedNavContent @@ -55,20 +44,16 @@ func feedbackThanks(w http.ResponseWriter, req *http.Request, uri string, rend i // GetFeedback handles the loading of a feedback page func (f *Feedback) GetFeedback() http.HandlerFunc { return dphandlers.ControllerHandler(func(w http.ResponseWriter, req *http.Request, lang, collectionID, accessToken string) { - getFeedback(w, req, []core.ErrorItem{}, model.FeedbackForm{URL: req.Referer()}, lang, f.Render, f.CacheService) + getFeedback(w, req, []core.ErrorItem{}, model.FeedbackForm{URL: req.Referer()}, lang, f.Render, f.CacheService, f.Config.EnableNewNavBar) }) } -func getFeedback(w http.ResponseWriter, req *http.Request, validationErrors []core.ErrorItem, ff model.FeedbackForm, lang string, rend interfaces.Renderer, cacheHelperService *cacheHelper.Helper) { +func getFeedback(w http.ResponseWriter, req *http.Request, validationErrors []core.ErrorItem, ff model.FeedbackForm, lang string, rend interfaces.Renderer, cacheHelperService *cacheHelper.Helper, enableNewNavBar bool) { basePage := rend.NewBasePageModel() p := mapper.CreateGetFeedback(req, basePage, validationErrors, ff, lang) - ctx := context.Background() - cfg, err := config.Get() - if err != nil { - log.Warn(ctx, "Unable to retrieve configuration", log.FormatErrors([]error{err})) - } - if cfg.EnableNewNavBar { + if enableNewNavBar { + ctx := context.Background() mappedNavContent, err := cacheHelperService.GetMappedNavigationContent(ctx, lang) if err == nil { p.NavigationContent = mappedNavContent @@ -81,11 +66,11 @@ func getFeedback(w http.ResponseWriter, req *http.Request, validationErrors []co // AddFeedback handles a users feedback request func (f *Feedback) AddFeedback() http.HandlerFunc { return dphandlers.ControllerHandler(func(w http.ResponseWriter, req *http.Request, lang, collectionID, accessToken string) { - addFeedback(w, req, f.Render, f.EmailSender, f.Config.FeedbackFrom, f.Config.FeedbackTo, lang, f.CacheService) + addFeedback(w, req, f.Render, f.EmailSender, f.Config.FeedbackFrom, f.Config.FeedbackTo, lang, f.Config.SiteDomain, f.CacheService) }) } -func addFeedback(w http.ResponseWriter, req *http.Request, rend interfaces.Renderer, emailSender email.Sender, from, to, lang string, cacheService *cacheHelper.Helper) { +func addFeedback(w http.ResponseWriter, req *http.Request, rend interfaces.Renderer, emailSender email.Sender, from, to, lang, siteDomain string, cacheService *cacheHelper.Helper) { ctx := req.Context() if err := req.ParseForm(); err != nil { log.Error(ctx, "unable to parse request form", err) @@ -103,14 +88,14 @@ func addFeedback(w http.ResponseWriter, req *http.Request, rend interfaces.Rende return } - validationErrors := validateForm(&ff) + validationErrors := validateForm(&ff, siteDomain) if len(validationErrors) > 0 { - getFeedback(w, req, validationErrors, ff, lang, rend, cacheService) + getFeedback(w, req, validationErrors, ff, lang, rend, cacheService, false) return } if ff.URL == "" { - ff.URL = "Whole site" + ff.URL = mapper.WholeSite } if err := emailSender.Send( @@ -125,7 +110,7 @@ func addFeedback(w http.ResponseWriter, req *http.Request, rend interfaces.Rende returnTo := ff.URL - if returnTo == "Whole site" || returnTo == "" { + if returnTo == mapper.WholeSite || returnTo == "" { returnTo = "https://www.ons.gov.uk" } @@ -134,7 +119,7 @@ func addFeedback(w http.ResponseWriter, req *http.Request, rend interfaces.Rende } // validateForm is a helper function that validates a slice of FeedbackForm to determine if there are form validation errors -func validateForm(ff *model.FeedbackForm) (validationErrors []core.ErrorItem) { +func validateForm(ff *model.FeedbackForm, siteDomain string) (validationErrors []core.ErrorItem) { if ff.Type == "" && ff.FormLocation != "footer" { validationErrors = append(validationErrors, core.ErrorItem{ Description: core.Localisation{ @@ -147,32 +132,30 @@ func validateForm(ff *model.FeedbackForm) (validationErrors []core.ErrorItem) { } ff.URL = strings.TrimSpace(ff.URL) - if ff.Type == "A specific page" && ff.URL == "" { - validationErrors = append(validationErrors, core.ErrorItem{ - Description: core.Localisation{ - LocaleKey: "FeedbackWhatEnterURL", - Plural: 1, - }, - URL: "#type-error", - }) - ff.IsURLErr = true - } - - if ff.Type == "A specific page" && ff.URL != "" { - _, err := url.ParseRequestURI(ff.URL) - if err != nil { + if ff.Type == mapper.ASpecificPage { + if ff.URL == "" { validationErrors = append(validationErrors, core.ErrorItem{ Description: core.Localisation{ - LocaleKey: "FeedbackValidURL", + LocaleKey: "FeedbackWhatEnterURL", Plural: 1, }, URL: "#type-error", }) ff.IsURLErr = true - } - } - if ff.Type != "A specific page" && ff.URL != "" { + } else { + if !mapper.IsSiteDomainURL(ff.URL, siteDomain) { + validationErrors = append(validationErrors, core.ErrorItem{ + Description: core.Localisation{ + LocaleKey: "FeedbackValidURL", + Plural: 1, + }, + URL: "#type-error", + }) + ff.IsURLErr = true + } + } + } else if ff.Type != mapper.ASpecificPage && ff.URL != "" { ff.URL = "" } diff --git a/handlers/feedback_test.go b/handlers/feedback_test.go index 7f345b1..daf1514 100644 --- a/handlers/feedback_test.go +++ b/handlers/feedback_test.go @@ -13,8 +13,10 @@ import ( cacheClient "github.com/ONSdigital/dp-frontend-cache-helper/pkg/navigation/client" cacheHelper "github.com/ONSdigital/dp-frontend-cache-helper/pkg/navigation/helper" + "github.com/ONSdigital/dp-frontend-feedback-controller/config" "github.com/ONSdigital/dp-frontend-feedback-controller/email/emailtest" "github.com/ONSdigital/dp-frontend-feedback-controller/interfaces/interfacestest" + "github.com/ONSdigital/dp-frontend-feedback-controller/mapper" "github.com/ONSdigital/dp-frontend-feedback-controller/mocks" "github.com/ONSdigital/dp-frontend-feedback-controller/model" "github.com/ONSdigital/dp-renderer/v2/helper" @@ -24,6 +26,8 @@ import ( . "github.com/smartystreets/goconvey/convey" ) +const siteDomain = "ons.gov.uk" + func Test_getFeedback(t *testing.T) { helper.InitialiseLocalisationsHelper(mocks.MockAssetFunction) Convey("Given a valid request", t, func() { @@ -53,7 +57,7 @@ func Test_getFeedback(t *testing.T) { }, }} Convey("When getFeedback is called", func() { - getFeedback(w, req, []coreModel.ErrorItem{}, ff, lang, mockRenderer, mockNagivationCache) + getFeedback(w, req, []coreModel.ErrorItem{}, ff, lang, mockRenderer, mockNagivationCache, false) Convey("Then a 200 request is returned", func() { So(w.Code, ShouldEqual, http.StatusOK) }) @@ -98,7 +102,7 @@ func Test_addFeedback(t *testing.T) { }, }} Convey("When addFeedback is called", func() { - addFeedback(w, req, mockRenderer, mockSender, from, to, lang, mockNagivationCache) + addFeedback(w, req, mockRenderer, mockSender, from, to, lang, siteDomain, mockNagivationCache) Convey("Then the renderer is not called", func() { So(len(mockRenderer.BuildPageCalls()), ShouldEqual, 0) }) @@ -146,7 +150,7 @@ func Test_addFeedback(t *testing.T) { }, }} Convey("When addFeedback is called", func() { - addFeedback(w, req, mockRenderer, mockSender, from, to, lang, mockNagivationCache) + addFeedback(w, req, mockRenderer, mockSender, from, to, lang, siteDomain, mockNagivationCache) Convey("Then the renderer is not called", func() { So(len(mockRenderer.BuildPageCalls()), ShouldEqual, 0) }) @@ -194,7 +198,7 @@ func Test_addFeedback(t *testing.T) { }, }} Convey("When addFeedback is called", func() { - addFeedback(w, req, mockRenderer, mockSender, from, to, lang, mockNagivationCache) + addFeedback(w, req, mockRenderer, mockSender, from, to, lang, siteDomain, mockNagivationCache) Convey("Then the renderer is not called", func() { So(len(mockRenderer.BuildPageCalls()), ShouldEqual, 0) }) @@ -244,7 +248,7 @@ func Test_addFeedback(t *testing.T) { }, }} Convey("When addFeedback is called", func() { - addFeedback(w, req, mockRenderer, mockSender, from, to, lang, mockNagivationCache) + addFeedback(w, req, mockRenderer, mockSender, from, to, lang, siteDomain, mockNagivationCache) Convey("Then the renderer is called to render the feedback page", func() { So(len(mockRenderer.BuildPageCalls()), ShouldEqual, 1) }) @@ -261,6 +265,7 @@ func Test_addFeedback(t *testing.T) { func Test_feedbackThanks(t *testing.T) { helper.InitialiseLocalisationsHelper(mocks.MockAssetFunction) lang := "en" + config.Get() // need to seed config Convey("Given a valid request", t, func() { req := httptest.NewRequest("GET", "http://localhost", nil) w := httptest.NewRecorder() @@ -286,7 +291,7 @@ func Test_feedbackThanks(t *testing.T) { }, }} Convey("When feedbackThanks is called", func() { - feedbackThanks(w, req, url, mockRenderer, mockNagivationCache, lang) + feedbackThanks(w, req, url, mockRenderer, mockNagivationCache, lang, siteDomain, false) Convey("Then the renderer is called", func() { So(len(mockRenderer.BuildPageCalls()), ShouldEqual, 1) }) @@ -299,7 +304,7 @@ func Test_feedbackThanks(t *testing.T) { Convey("Given a reflective XSS request", t, func() { req := httptest.NewRequest("GET", "http://localhost?returnTo=", nil) w := httptest.NewRecorder() - url := "www.test.com" + url := "https://www.referrer-test.com" mockRenderer := &interfacestest.RendererMock{ BuildPageFunc: func(w io.Writer, pageModel interface{}, templateName string) {}, NewBasePageModelFunc: func() coreModel.Page { @@ -320,11 +325,11 @@ func Test_feedbackThanks(t *testing.T) { }, }} Convey("When feedbackThanks is called", func() { - feedbackThanks(w, req, url, mockRenderer, mockNagivationCache, lang) - Convey("Then the handler sanitises the request text", func() { + feedbackThanks(w, req, url, mockRenderer, mockNagivationCache, lang, siteDomain, false) + Convey("Then the handler sanitises the request text to the referrer", func() { dataSentToRender := mockRenderer.BuildPageCalls()[0].PageModel.(model.Feedback) returnToUrl := dataSentToRender.ReturnTo - So(returnToUrl, ShouldEqual, "<script>alert(1)</script>") + So(returnToUrl, ShouldEqual, url) }) }) }) @@ -341,7 +346,7 @@ func TestValidateForm(t *testing.T) { { givenDescription: "the form is valid", given: &model.FeedbackForm{ - Type: "Whole site", + Type: mapper.WholeSite, Description: "Some text", }, expectedDescription: "no validation errors are returned", @@ -366,7 +371,7 @@ func TestValidateForm(t *testing.T) { { givenDescription: "the a specific page/url type is chosen but the child input field is empty", given: &model.FeedbackForm{ - Type: "A specific page", + Type: mapper.ASpecificPage, Description: "Some text", }, expectedDescription: "a page/url validation error is returned", @@ -383,7 +388,7 @@ func TestValidateForm(t *testing.T) { { givenDescription: "the a specific page/url type is chosen and the url is invalid", given: &model.FeedbackForm{ - Type: "A specific page", + Type: mapper.ASpecificPage, Description: "Some text", URL: "not a url", }, @@ -399,19 +404,46 @@ func TestValidateForm(t *testing.T) { }, }, { - givenDescription: "the a specific page/url type is chosen and the url is valid", + givenDescription: "the a specific page/url type is chosen and the url is valid but not allowed", + given: &model.FeedbackForm{ + Type: mapper.ASpecificPage, + Description: "Some text", + URL: "https://not-site-domain.com", + }, + expectedDescription: "a url validation error is returned", + expected: []coreModel.ErrorItem{ + { + Description: coreModel.Localisation{ + LocaleKey: "FeedbackValidURL", + Plural: 1, + }, + URL: "#type-error", + }, + }}, + { + givenDescription: "the a specific page/url type is chosen and the url is valid without a path", + given: &model.FeedbackForm{ + Type: mapper.ASpecificPage, + Description: "Some text", + URL: "https://cy.ons.gov.uk", + }, + expectedDescription: "no validation errors are returned", + expected: []coreModel.ErrorItem(nil), + }, + { + givenDescription: "the a specific page/url type is chosen and the url is valid and has a path", given: &model.FeedbackForm{ - Type: "A specific page", + Type: mapper.ASpecificPage, Description: "Some text", - URL: "https://somewhere.com", + URL: "https://cy.ons.gov.uk/path", }, expectedDescription: "no validation errors are returned", expected: []coreModel.ErrorItem(nil), }, { - givenDescription: "the a whole site type is chosen but the child input for a specific page is not empty", + givenDescription: "the whole-site type is chosen but the child input for a specific page is not empty", given: &model.FeedbackForm{ - Type: "Whole site", + Type: mapper.WholeSite, Description: "Some text", URL: "http://somewhere.com", }, @@ -430,7 +462,7 @@ func TestValidateForm(t *testing.T) { { givenDescription: "the form does not have any feedback", given: &model.FeedbackForm{ - Type: "Whole site", + Type: mapper.WholeSite, }, expectedDescription: "a description validation error is returned", expected: []coreModel.ErrorItem{ @@ -446,7 +478,7 @@ func TestValidateForm(t *testing.T) { { givenDescription: "the feedback provided is whitespace", given: &model.FeedbackForm{ - Type: "Whole site", + Type: mapper.WholeSite, Description: " ", }, expectedDescription: "a description validation error is returned", @@ -463,7 +495,7 @@ func TestValidateForm(t *testing.T) { { givenDescription: "the email field has an invalid email address", given: &model.FeedbackForm{ - Type: "Whole site", + Type: mapper.WholeSite, Description: "A description", Email: "a.string", }, @@ -481,7 +513,7 @@ func TestValidateForm(t *testing.T) { { givenDescription: "the email field has a valid email address", given: &model.FeedbackForm{ - Type: "Whole site", + Type: mapper.WholeSite, Description: "A description", Email: "hello@world.com", }, @@ -491,7 +523,7 @@ func TestValidateForm(t *testing.T) { { givenDescription: "multiple form validation errors", given: &model.FeedbackForm{ - Type: "A specific page", + Type: mapper.ASpecificPage, URL: "", Description: "", Email: "not an email address", @@ -525,7 +557,7 @@ func TestValidateForm(t *testing.T) { for _, t := range testCases { Convey(fmt.Sprintf("When %s", t.givenDescription), func() { Convey(fmt.Sprintf("Then %s", t.expectedDescription), func() { - So(validateForm(t.given), ShouldResemble, t.expected) + So(validateForm(t.given, siteDomain), ShouldResemble, t.expected) }) }) } diff --git a/mapper/mapper.go b/mapper/mapper.go index 01409d2..b7b2214 100644 --- a/mapper/mapper.go +++ b/mapper/mapper.go @@ -3,12 +3,22 @@ package mapper import ( "html" "net/http" + "net/url" + "strings" + "github.com/ONSdigital/dp-frontend-feedback-controller/config" "github.com/ONSdigital/dp-frontend-feedback-controller/model" "github.com/ONSdigital/dp-renderer/v2/helper" core "github.com/ONSdigital/dp-renderer/v2/model" ) +const ( + WholeSite = "The whole website" + ASpecificPage = "A specific page" +) + +var cfg *config.Config + // CreateGetFeedback returns a mapped feedback page to the feedback model func CreateGetFeedback(req *http.Request, basePage core.Page, validationErrors []core.ErrorItem, ff model.FeedbackForm, lang string) model.Feedback { p := model.Feedback{ @@ -58,25 +68,25 @@ func CreateGetFeedback(req *http.Request, basePage core.Page, validationErrors [ { Input: core.Input{ ID: "whole-site", - IsChecked: ff.Type == "The whole website", + IsChecked: ff.Type == WholeSite, Label: core.Localisation{ LocaleKey: "FeedbackWholeWebsite", Plural: 1, }, Name: "type", - Value: "The whole website", + Value: WholeSite, }, }, { Input: core.Input{ ID: "specific-page", - IsChecked: ff.Type == "A specific page" || (ff.URL != "" && serviceDescription == ""), + IsChecked: ff.Type == ASpecificPage || (ff.URL != "" && serviceDescription == ""), Label: core.Localisation{ LocaleKey: "FeedbackASpecificPage", Plural: 1, }, Name: "type", - Value: "A specific page", + Value: ASpecificPage, }, OtherInput: core.Input{ Autocomplete: "url", @@ -195,26 +205,69 @@ func CreateGetFeedback(req *http.Request, basePage core.Page, validationErrors [ return p } -func CreateGetFeedbackThanks(req *http.Request, basePage core.Page, lang, url, wholeSite string) model.Feedback { - p := model.Feedback{ - Page: basePage, +func CreateGetFeedbackThanks(req *http.Request, basePage core.Page, lang, referrer, wholeSiteURL string) model.Feedback { + if wholeSiteURL == "" { + wholeSiteURL = "https://www.ons.gov.uk" + } + if referrer == "" { + referrer = wholeSiteURL } + p := model.Feedback{ + Page: basePage, + PreviousURL: referrer, + } p.Language = lang p.Type = "feedback" p.URI = req.URL.Path p.Metadata.Title = helper.Localise("FeedbackThanks", lang, 1) - p.PreviousURL = url // returnTo is rendered on page so needs XSS protection returnTo := html.EscapeString(req.URL.Query().Get("returnTo")) - if returnTo == "Whole site" { - returnTo = wholeSite + if returnTo == WholeSite { + returnTo = wholeSiteURL } else if returnTo == "" { - returnTo = url + returnTo = referrer + } else if IsSiteDomainURL(returnTo, "") { + returnTo = NormaliseURL(returnTo) + } else { + returnTo = referrer } p.ReturnTo = returnTo return p } + +// IsSiteDomainURL is true when urlString is a URL and its host ends with `.`+siteDomain (when siteDomain is blank, or uses config.SiteDomain) +func IsSiteDomainURL(urlString, siteDomain string) bool { + if urlString == "" { + return false + } + urlString = NormaliseURL(urlString) + urlObject, err := url.ParseRequestURI(urlString) + if err != nil { + return false + } + if siteDomain == "" { + if cfg == nil { + if cfg, err = config.Get(); err != nil { + return false + } + } + siteDomain = cfg.SiteDomain + } + hostName := urlObject.Hostname() + if hostName != siteDomain && !strings.HasSuffix(hostName, "."+siteDomain) { + return false + } + return true +} + +// NormaliseURL when a string is a URL without a scheme (e.g. `host.name/path`), add it (`https://`) +func NormaliseURL(urlString string) string { + if strings.HasPrefix(urlString, "http") { + return urlString + } + return "https://" + urlString +} diff --git a/mapper/mapper_test.go b/mapper/mapper_test.go index 774824b..2eea87c 100644 --- a/mapper/mapper_test.go +++ b/mapper/mapper_test.go @@ -1,8 +1,10 @@ package mapper import ( + "fmt" "net/http" "net/http/httptest" + "net/url" "testing" "github.com/ONSdigital/dp-frontend-feedback-controller/mocks" @@ -105,8 +107,8 @@ func TestCreateGetFeedbackThanks(t *testing.T) { bp := core.Page{} url := "https://localhost/a/page/somewhere" lang := "en" - wholeSite := "https://ons.gov.uk" - sut := CreateGetFeedbackThanks(req, bp, lang, url, wholeSite) + wholeSiteURL := "https://ons.gov.uk" + sut := CreateGetFeedbackThanks(req, bp, lang, url, wholeSiteURL) Convey("Then it sets the page metadata", func() { So(sut.Metadata.Title, ShouldEqual, "Thank you") @@ -123,16 +125,110 @@ func TestCreateGetFeedbackThanks(t *testing.T) { }) }) - Convey("When the return to parameter is set", func() { - req := httptest.NewRequest(http.MethodGet, "/?returnTo=Whole%20site", nil) - bp := core.Page{} - url := "https://localhost/a/page/somewhere" - lang := "en" - wholeSite := "https://ons.gov.uk" - sut := CreateGetFeedbackThanks(req, bp, lang, url, wholeSite) + var ( + referrer = "https://any.localhost/a/page/somewhere" + lang = "en" + wholeSiteURL = "https://cy.localhost" + encWholeSite = url.QueryEscape(WholeSite) + bp = core.Page{} + ) - Convey("Then it sets the returnTo property", func() { - So(sut.ReturnTo, ShouldEqual, wholeSite) + Convey("When the returnTo parameter is set to whole-site and whole-site is explicit", func() { + req := httptest.NewRequest(http.MethodGet, "/?returnTo="+encWholeSite, nil) + sut := CreateGetFeedbackThanks(req, bp, lang, referrer, wholeSiteURL) + + Convey("Then it sets the returnTo property to the whole-site", func() { + So(sut.ReturnTo, ShouldEqual, wholeSiteURL) + }) + }) + Convey("When the returnTo parameter is set to whole-site but whole-site is not explicit", func() { + req := httptest.NewRequest(http.MethodGet, "/?returnTo="+encWholeSite, nil) + sut := CreateGetFeedbackThanks(req, bp, lang, referrer, "") + + Convey("Then it sets the returnTo property to the default whole-site", func() { + So(sut.ReturnTo, ShouldEqual, "https://www.ons.gov.uk") + }) + }) + }) +} + +func TestURLFunctions(t *testing.T) { + Convey("Given the IsSiteDomainURL functions", t, func() { + + type testSiteDomainStruct struct { + name string + pageURL string + siteURL string + isAllowed bool + } + tests := []testSiteDomainStruct{ + { + "sub-domain off an explicit site domain", + "https://anything.ons.gov.uk:443/ook", + "ons.gov.uk", + true, + }, + { + "non-site domain URL is not recognised for explicit site domain", + "https://anything.example.com", + "ons.gov.uk", + false, + }, + { + "non-URL is not recognised for explicit site domain", + "blah", + "ons.gov.uk", + false, + }, + { + "URL of the config's site domain is recognised", + "https://localhost", + "", + true, + }, + { + "sub-domain/host of the config's site domain is recognised", + "anything.localhost", + "", + true, + }, + { + "non-site domain URL is not recognised for config's site domain", + "https://not-site-domain.example.com", + "", + false, + }, + { + "non-URL is not recognised for config's site domain", + "blah", + "", + false, + }, + } + // test IsSiteDomainURL + for _, check := range tests { + Convey("When "+check.name, func() { + allowedStr := fmt.Sprint(check.isAllowed) + Convey("Then "+check.name+" is "+allowedStr, func() { + isAllowedURL := IsSiteDomainURL(check.pageURL, check.siteURL) + So(isAllowedURL, ShouldEqual, check.isAllowed) + }) + }) + } + + // test NormaliseURL + Convey("When given a normal URL", func() { + origURL := "http://is.url" + normalURL := NormaliseURL(origURL) + Convey("Then it returns as itself", func() { + So(normalURL, ShouldEqual, origURL) + }) + }) + Convey("When given a user-typed URL", func() { + origURL := "is.url/path" + normalURL := NormaliseURL(origURL) + Convey("Then it is normalised with `https://`", func() { + So(normalURL, ShouldEqual, `https://`+origURL) }) }) })