Merge pull request #2047 from opengovsg/release-v5.12.1
build: release v5.12.1 - hotfix to block RP and SP student domains
mantariksh authored Jun 1, 2021
2 parents 44bcf03 + 6c415d2 commit ee3c90e
Showing 5 changed files with 51 additions and 5 deletions.
12 changes: 10 additions & 2 deletions CHANGELOG.md
Expand Up @@ -4,8 +4,14 @@ All notable changes to this project will be documented in this file. Dates are d

Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).

#### [v5.12.1](https://github.com/opengovsg/FormSG/compare/v5.12.0...v5.12.1)

- fix: deny non-GET requests from RP and SP domains [`9a2c9dc`](https://github.com/opengovsg/FormSG/commit/9a2c9dc0f3287b35e03bf48674c7ef57411ffe87)

#### [v5.12.0](https://github.com/opengovsg/FormSG/compare/v5.11.0...v5.12.0)

> 1 June 2021
- build: upgrade application node version to v14 (by updating Docker image) [`#2038`](https://github.com/opengovsg/FormSG/pull/2038)
- feat: Deduplicate Mongodb Error Messages [`#1996`](https://github.com/opengovsg/FormSG/pull/1996)
- ref: remove usage of express-serve-static-core types (ParamsDictionary, Query) [`#1848`](https://github.com/opengovsg/FormSG/pull/1848)
Expand Down Expand Up @@ -38,6 +44,7 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
- fix: add types to RequestHandler in submitEncryptModeForm [`#1889`](https://github.com/opengovsg/FormSG/pull/1889)
- chore: merge v5.11.0 into develop [`#1969`](https://github.com/opengovsg/FormSG/pull/1969)
- fix(verification): loosen OTP waiting time by 2 seconds [`#1957`](https://github.com/opengovsg/FormSG/pull/1957)
- chore: bump version to 5.12.0 [`85759bc`](https://github.com/opengovsg/FormSG/commit/85759bc9dc01f73da3cbd0ec73c636e58e983948)

#### [v5.11.0](https://github.com/opengovsg/FormSG/compare/v5.10.0...v5.11.0)

Expand Down Expand Up @@ -153,13 +160,14 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
- chore(deps-dev): bump @typescript-eslint/eslint-plugin [`#1790`](https://github.com/opengovsg/FormSG/pull/1790)
- feat(api-refactor): add specific update end page endpoint in server [`#1760`](https://github.com/opengovsg/FormSG/pull/1760)
- feat: move server.ts into src/app [`#1785`](https://github.com/opengovsg/FormSG/pull/1785)
- fix: trigger digest cycle for delete logic [`#1787`](https://github.com/opengovsg/FormSG/pull/1787)
- chore: bump version to 5.9.0 [`6d6e475`](https://github.com/opengovsg/FormSG/commit/6d6e475c417cfb5efacb203888b0f296159d8ac1)
- chore: bump version to v5.10.0 [`0615ce5`](https://github.com/opengovsg/FormSG/commit/0615ce5262fcdb65932ad6c9be9ee66503b0e949)

#### [v5.9.0](https://github.com/opengovsg/FormSG/compare/v5.8.0...v5.9.0)

> 4 May 2021
- fix: trigger digest cycle for delete logic [`#1787`](https://github.com/opengovsg/FormSG/pull/1787)
- fix: allow commas in email confirmation sender [`#1782`](https://github.com/opengovsg/FormSG/pull/1782)
- chore(deps-dev): bump core-js from 3.11.1 to 3.11.2 [`#1780`](https://github.com/opengovsg/FormSG/pull/1780)
- fix(deps): bump fp-ts from 2.10.4 to 2.10.5 [`#1781`](https://github.com/opengovsg/FormSG/pull/1781)
Expand All @@ -184,7 +192,7 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
- fix(deps): bump aws-sdk from 2.893.0 to 2.894.0 [`#1756`](https://github.com/opengovsg/FormSG/pull/1756)
- fix(deps): bump @sentry/integrations from 6.3.1 to 6.3.3 [`#1755`](https://github.com/opengovsg/FormSG/pull/1755)
- chore: merge v5.8.0 into develop [`#1751`](https://github.com/opengovsg/FormSG/pull/1751)
- chore: bump version to 5.9.0 [`6d6e475`](https://github.com/opengovsg/FormSG/commit/6d6e475c417cfb5efacb203888b0f296159d8ac1)
- chore: bump version to 5.9.0 [`902fd6a`](https://github.com/opengovsg/FormSG/commit/902fd6a764e94bd0882ca1f7bebb3e79f916c9f3)

#### [v5.8.0](https://github.com/opengovsg/FormSG/compare/v5.7.1...v5.8.0)

2 changes: 1 addition & 1 deletion package-lock.json


2 changes: 1 addition & 1 deletion package.json
@@ -1,7 +1,7 @@
{
"name": "FormSG",
"description": "Form Manager for Government",
"version": "5.12.0",
"version": "5.12.1",
"homepage": "https://form.gov.sg",
"authors": [
"FormSG <[email protected]>"
34 changes: 34 additions & 0 deletions src/app/modules/auth/auth.middlewares.ts
@@ -1,6 +1,7 @@
import { StatusCodes } from 'http-status-codes'

import { ControllerHandler } from '../core/core.types'
import * as UserService from '../user/user.service'

import { isUserInSession } from './auth.utils'

Expand All @@ -19,3 +20,36 @@ export const withUserAuthentication: ControllerHandler = (req, res, next) => {
.status(StatusCodes.UNAUTHORIZED)
.json({ message: 'User is unauthorized.' })
}

const DENIED_DOMAINS = ['myrp.edu.sg', 'ichat.sp.edu.sg']

/**
* If user is from a domain which should not have been whitelisted,
* do not allow any updates. Only allow GET requests, eg to access
* submissions.
* @returns 400 if user in session is from a disallowed domain and
* HTTP method changes database state; next otherwise
*/
export const denyRpSpStudentEmails: ControllerHandler<
unknown,
unknown,
unknown
> = async (req, res, next) => {
const userId = (req.session as Express.AuthedSession).user._id
return UserService.findUserById(userId)
.map((user) => {
const emailDomain = user.email.split('@').pop() ?? ''
if (
DENIED_DOMAINS.includes(emailDomain.toLowerCase()) &&
req.method.toLowerCase() !== 'get'
) {
return res.sendStatus(StatusCodes.BAD_REQUEST)
}
return next()
})
.mapErr(() =>
res
.status(StatusCodes.UNPROCESSABLE_ENTITY)
.json({ message: 'User not found' }),
)
}
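Review bot: `denyRpSpStudentEmails` casts `req.session as Express.AuthedSession` without any check, so it is only correct when `withUserAuthentication` has already run on the same router; that ordering precondition is not stated in the docstring and nothing in the handler enforces it. The file already imports `isUserInSession` from `./auth.utils`, which appears to be the guard the existing middleware relies on (its body lies outside this hunk), so a guard such as `if (!isUserInSession(req.session)) return res.status(StatusCodes.UNAUTHORIZED).json({ message: 'User is unauthorized.' })` ahead of the lookup would make the handler safe to mount on its own — confirm the helper's signature first. At minimum, add `Must be mounted after withUserAuthentication; reads the session user unchecked.` to the docstring. Separately, 400 BAD_REQUEST is an unusual status for a policy denial; 403 FORBIDDEN describes it more accurately, though if clients already depend on 400 the `@returns 400` line at least documents the choice.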
6 changes: 5 additions & 1 deletion src/app/routes/api/v3/admin/forms/admin-forms.routes.ts
@@ -1,6 +1,9 @@
import { Router } from 'express'

import { withUserAuthentication } from '../../../../../modules/auth/auth.middlewares'
import {
denyRpSpStudentEmails,
withUserAuthentication,
} from '../../../../../modules/auth/auth.middlewares'

import { AdminFormsFeedbackRouter } from './admin-forms.feedback.routes'
import { AdminFormsFormRouter } from './admin-forms.form.routes'
Expand All @@ -14,6 +17,7 @@ export const AdminFormsRouter = Router()

// All routes in this handler should be protected by authentication.
AdminFormsRouter.use(withUserAuthentication)
AdminFormsRouter.use(denyRpSpStudentEmails)

AdminFormsRouter.use(AdminFormsSettingsRouter)
AdminFormsRouter.use(AdminFormsFeedbackRouter)
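Review bot: The comment above `AdminFormsRouter.use(withUserAuthentication)` should record that `denyRpSpStudentEmails` depends on it: the new middleware reads the session user that `withUserAuthentication` establishes, so the two `use` calls cannot be reordered or the second one mounted elsewhere without the first. Suggested: `// Order matters: denyRpSpStudentEmails reads the session user set by withUserAuthentication.` Whether other authenticated, state-changing routers outside this file need the same gate cannot be judged from this page, but it is worth confirming before the hotfix is considered complete.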

0 comments on commit ee3c90e
